USync
This section describes the steps you need to follow to work with USync.
You can use the USync tool to create users, user groups and user aliases in BusinessObjects (BO). USync creates BO users and groups that correspond to the users in the Maconomy system. You can configure USync to create only users for which certain criteria are met.
USync can also remove BO users or groups. This is convenient if users and groups have been removed from Maconomy.
Use the USync tool to complete the following tasks:
- Create users and groups in BO that correspond to the ones that are defined in Maconomy. This allows users to access Maconomy data when running reports.
- Create aliases for each user so that, when logged in using another name by means of Single Sign-On (SSO), users can still access data.
- Synchronize users and groups for a tenant in a multitenant environment.
It is assumed that both Maconomy and BO are set up for SSO.
The following instructions outline how to install and configure USync:
To install and prepare the USync tool, follow these steps:
- Log into the Maconomy server system.
- Start MConfig and select the appropriate Maconomy application.
- Click Web products and select the web server.
- Click OK and apply the change with MConfig.
- On the Web Products screen, enable Web Services.
- Download the file USync.zip from the Deltek download server, for example:
\\dl\applications\Released\BPM\Tools\USync
Note: Select the latest BO version folder, for example, BO 4.X folder.
- Extract the zip file to a folder on the server where BO is installed.
Make sure that both the USync.jar file and the "external" folder are within the same folder.
To transfer users and groups from Maconomy with USync, follow these steps:
- Log into the server on which BO is installed.
- Open a command prompt.
- Run the USync java tool and enter the following parameters in the exact sequence as listed:
- <Maconomy administrator username>: Enter the username of the Maconomy administrator to access the Web Service.
- <Maconomy administrator password>: Enter the password of the Maconomy administrator to access the Web Service.
- <URL to MaconomyWS executable on web server>: Enter the Maconomy web service URL from which USync derives the list of users to create in BO.
- <BO username>: Enter the username of the BO user that has access to view, create, modify and delete users in the CMS.
- <BO password>: Enter the password of the BO user that has the rights to view, create, modify and delete users in the CMS.
- <BO Server name>: Enter the BO server where users are created.
- <BO Authentication Type>: Enter the authentication type that USync uses to log in as the BO user provided above. It is recommended to use secEnterprise.
- <Log level>: Set the value to 100 to show the minimum amount of information in the logs or to 500 to show a detailed trace of information.
- <Path and file name of log file>: If there is no log file, the tool creates a new log file. If a log file already exists, the tool appends the logs to it. Note that USync does not create folders.
- <Delete-user-data (true/false)>: This determines whether to allow USync to automatically delete a user in BO that no longer matches with a user in Maconomy.
- <Create named BO users (true/false)>: This determines the license type used to create the users. Set this to true to create named users (one license required per user) or false to create concurrent users (the number of licenses limits how many users can log in at the same time; there is no limit on the number of users that can exist in the CMS).
- <Create AD aliases in BO (true/false)>: This determines whether BO requires the configuration of the Windows AD plugin. Set this to true to automatically assign an alias to users that exist in Windows Active Directory.
- <Domain name used for AD alias creation>: Enter the combined prefix and extension of the domain name used for AD alias creation (for example, trifolium.com). This is only necessary if the Create AD aliases in BO parameter is set to true.
- <Default password for new BO users>: Enter a default password that all newly created BO users can use. This is only used for Enterprise authentication.
- <Passwords never expire (true/false)>: To determine the expiration of passwords, enter true to ensure the user's password will never expire. If you enter false, the user's password expires according to the configured user restriction in CMC » Authentication » Enterprise. By default, this parameter's value is set to false.
- <Must change password (true/false)>: To determine whether the user must change the default password when first logging in, enter true to force users to change password on first log in. Note that you cannot set this parameter to true if the Can't change password parameter is also set to true.
- <Can't change password (true/false)>: To determine who can set passwords, enter true to allow only the system administrators to set passwords. Note that you cannot set this parameter to true if the Must change password parameter is also set to true.
- <Whitelisted group>: Use this parameter to determine which users should not be deleted by USync when the delete-user-data parameter is set to true. Leave this blank if no group needs to be whitelisted.
- <Allow update of existing BO users>: This parameter controls whether the properties of an existing user in BO are updated by USync. By default, this parameter's value is set to false.
For example, if you enter the following:
java -jar USync.jar "Administrator" "123456" "http://BPMServer:20001/cgi-bin/Maconomy/MaconomyWS.w15p2mc.US_MCS.exe/" "Administrator" "ppu" "macsrv.trifolium.com" "secEnterprise" "100" "C:\temp\usync.log" "false" "false" "true" "trifolium.com" "1234-Pass" "true" "false" "false" "" "true"
This does the following actions:
- Creates users and groups that correspond to users and groups that are set up in Maconomy. If only certain users are wanted, you can define criteria for them.
Note: Refer to the Configuring a Tenant in a Multitenant Environment (Optional Installation) section.
- Creates aliases for these users to handle access control.
- Does not remove existing users that are defined in BO. The users that are created are in addition to the users that are already there.
- Sets the default password of the new users to 1234-Pass.
- Uses the web server executable (a 15.0 sp 2 MCS system in the preceding example) to determine the Maconomy system that is used.
- Stores the log output from USync in the file C:\temp\usync.log.
- Open the Central Management Console and click Groups or Users to confirm that the synchronization succeeded.
For each user, you can see the group memberships on the Member of tab. For each group, you can see the members of the group on the Users tab. If you chose to create AD aliases, you can see them under each user in the lower part of the window.
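A pre-flight check for the 19-parameter command line described above, as an added example (not Deltek's code): it enforces the ordering and constraints the parameter list states and flags settings worth a second look, including two that appear in the page's own sample command. The field names and the check_usync_args function are this example's own, and it assumes, from the parameter descriptions, that the Maconomy login is sent to the web service URL.

```python
import ntpath  # USync runs on the Windows BO server, so parse Windows-style paths
import os

# The 19 positional parameters, in the order the page lists them (names are this example's own).
FIELDS = ["mac_user", "mac_pwd", "ws_url", "bo_user", "bo_pwd", "bo_server", "bo_auth",
          "log_level", "log_file", "delete_users", "named_users", "ad_aliases", "ad_domain",
          "default_pwd", "never_expire", "must_change", "cant_change", "whitelist", "allow_update"]
BOOLEANS = ["delete_users", "named_users", "ad_aliases", "never_expire",
            "must_change", "cant_change", "allow_update"]

# Argument list of the page's own example command.
PAGE_EXAMPLE = ["Administrator", "123456",
                "http://BPMServer:20001/cgi-bin/Maconomy/MaconomyWS.w15p2mc.US_MCS.exe/",
                "Administrator", "ppu", "macsrv.trifolium.com", "secEnterprise", "100",
                r"C:\temp\usync.log", "false", "false", "true", "trifolium.com", "1234-Pass",
                "true", "false", "false", "", "true"]

def check_usync_args(args, dir_exists=os.path.isdir):
    """Return (errors, warnings); secrets are never echoed in either list."""
    if len(args) != len(FIELDS):
        return [f"expected {len(FIELDS)} parameters, got {len(args)}"], []
    p = dict(zip(FIELDS, args))
    errors, warnings = [], []
    for name in BOOLEANS:
        if p[name] not in ("true", "false"):
            errors.append(f"{name} must be true or false")
    if not p["log_level"].isdigit():
        errors.append("log_level must be a number such as 100 or 500")
    if p["must_change"] == "true" and p["cant_change"] == "true":
        errors.append("must_change and cant_change cannot both be true")
    if p["ad_aliases"] == "true" and not p["ad_domain"]:
        errors.append("ad_domain is required when ad_aliases is true")
    log_dir = ntpath.dirname(p["log_file"])
    if log_dir and not dir_exists(log_dir):  # USync does not create folders
        errors.append(f"log folder does not exist: {log_dir}")
    if p["ws_url"].lower().startswith("http://"):
        warnings.append("ws_url is plain http: the Maconomy administrator login is sent unencrypted")
    if p["never_expire"] == "true" and p["must_change"] != "true":
        warnings.append("new users keep the shared default password indefinitely")
    if p["delete_users"] == "true" and not p["whitelist"]:
        warnings.append("delete is enabled with no whitelisted group to protect BO-only users")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = check_usync_args(PAGE_EXAMPLE)
    for line in [f"ERROR: {e}" for e in errs] + [f"WARN: {w}" for w in warns]:
        print(line)
```

Both administrator passwords are positional arguments, so they stay readable in the process list while USync runs and in any script or scheduled task that stores the command line; limit who can read those.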
Multitenancy enables you to host multiple clients on one server where each client has their own access sites and properties. These additional steps are optional and not part of the USync default installation.
The setup of multitenancy includes the following steps:
- Tenant configuration in the Maconomy Web client.
- Set up corresponding tenant in BO server.
- Synchronize users using USync.
Set up a Tenant Name in Maconomy
To set up a tenant name in Maconomy:
- Log into the Maconomy Web Client with the necessary rights to access system setup, preferably as Administrator.
- Go to Reference Workspaces » Set-Up » Set-up » System Information.
- Scroll down to the Tenant Name card and enter a unique name in the Tenant Name field.
Note: To check if a tenant name is already in use, go to BusinessObjects CMC » Multitenancy via the BO console.
- Click Save.
Validate the Tenant Name in Maconomy
To validate the tenant name in Maconomy:
- Log into the Maconomy Web Client with the necessary rights to access system setup, preferably as Administrator.
- Go to Reference Workspaces » Set-Up » Access Control » User Roles.
- Add the Tenant Name column to the Roles tab.
- Click the Settings icon to customize the columns.
- In the Available columns section, select Tenant Login Name.
- Click the Move icon to add the selection to the Visible columns section.
- Click Apply.
- In the Tenant Login Name column, verify that the tenant name is prefixed in the login name with the format tenantName#LoginName.
Register Tenant with BusinessObjects Multitenancy Management Tool (Windows)
The BO (from version 4.2) Business Intelligence (BI) Platform comes pre-installed with the Multitenancy Management Tool (MTM). This tool handles the registration of a tenant and other configurations controlled through a template definition file.
To define MTM properties, follow these steps:
- Open the tenant_template_def.properties file in a text editing application.
The file is located in the same directory as the BO 4.X MTM Tool.
Note: The default location and file name is as follows: <InstallDir>\SAP BusinessObjects Enterprise XI 4.0\java\apps\multitenancyManager\jars\multitenancymanager.jar
- In the tenant_template_def.properties file:
- Add the desired tenant name to the tenantName parameter.
For example, tenantName=XXX.
- Add the following mandatory login information:
- cms
- auth
- user
- pwd (Optional. If left blank, user is prompted for password to proceed.)
- Save the file.
Run the MTM tool
To run the MTM tool, follow these steps:
- Open a command prompt.
It is recommended that you run this as Administrator to avoid permission conflicts.
- Change the directory to the location of the multitenancymanager.jar file, for example:
<InstallDir>\SAP BusinessObjects Enterprise XI 4.0\java\apps\multitenancyManager\jars
- Run the following command:
java -jar multitenancymanager.jar -configFile
Verify the Tenant is Created Successfully
To verify the tenant is created successfully, follow these steps:
- Log into the Central Management Console.
- On the Multitenancy tab, verify the tenant name is listed in the Name column.
Synchronize Users with USync
To synchronize users with USync:
- Download the USync.zip from the Deltek server. For example:
\\dl\applications\Released\BPM\Tools\USync
- Extract the zip files.
- Open a command prompt (run as Administrator).
- Change the directory to the location of the extracted zip file, USync.jar.
- Run the command java -jar USync.jar with the following parameters:

| PARAMETER | VALUE |
| --- | --- |
| Maconomy Username | Maconomy Admin username |
| Maconomy Password | Maconomy Admin password |
| Web Service URL | MaconomyWS URL found in ..\maconomy\index.html |
| BO Username | BO Admin username |
| BO Password | BO Admin password |
| CMS | BO Server |
| BO Authentication | secEnterprise, secWinAD, etc. |
| Log Level | 0 = no message, 500 = debug mode |
| Log File Name | File for the log file including directory |
| Delete User Data | Delete users that do not exist in Maconomy |
| Named Users | Boolean, true=named user or false=concurrent user |
| Create AD Aliases | Boolean, create AD Alias for SSO |
| AD Domain | Used for AD Alias Creation |
| Default Password | Password assigned to created BO users |
| Passwords Never Expire | Boolean, user attribute |
| Must Change Password | Boolean, user attribute |
| Can't Change Password | Boolean, user attribute |
| White List Groups | Groups ignored by delete user data parameter |
| Allow Update | Allows USync to update existing users |

- When completed, verify that the users and groups are created in BO CMC.
- Log into the Central Management Console.
- On the Users and Groups tab, verify both users and groups are prefixed with the tenant name.
To create only specific users, or users that satisfy certain conditions, configure USync.
To configure USync, follow these steps:
- In the Maconomy web server folder, \MaconomyWS\Services\Standard, locate the file USyncSQL.txt.
- Edit the file so that it contains an SQL-like expression that selects the users.
Examples
Example 1: Select Users by Means of Popup 1
You want to control which user to import by using Popup 1 on the employee who is associated with the user. If you set up this pop-up with one value, BusinessObjects, so that it either has this value or is blank on each employee, you can insert the following additional condition in the WHERE clause for the import of user data and role membership data.
0 = (select EmployeePopup1 from Employee
If there is no employee on the user, the selected value is null. If Popup 1 is blank on the employee, the selected value is -1.
Example 2: Select Users Based on Roles
EXISTS (SELECT 'OK' FROM EXUserDialogGroup
In the MAS solution, this imports 19 users, including Andy Polansky, Lisa Welsh, and Sue French. In the MCS solution you could change the restriction on the group name to GroupName IN (FinancialManagement, DepartmentManagement, AccountManagement), and then you would get 17 users, including Edward Powers and Micho Spring.
The output message may contain errors.
- If the output message contains any of the following text, it has the corresponding meaning:
- "This user does not exist": You did not enter a valid Maconomy user name.
- "Password is not correct": You did not enter a correct password for the Maconomy user.
- "Enterprise authentication could not log you on": There is a problem with the BO username or password.
- If you cannot open the http://localhost/index.html page, there may be an error in the global parameters in MConfig. Open MConfig, click the Global settings button and make sure that the Export HTML index file to field has the correct value (for example, C:\Apache\Apache2\htdocs).
(404) Not Found
If the output message contains "(404) Not Found," there is a problem with the URL in the Web service URL field. This is also the case if the output message refers to SAXParseException, ConnectException, UnknownHostException or "unknown protocol."
One possible reason for the 404 error could be that the Webserver URL in MConfig is incorrect.
To fix the 404 error, follow these steps:
- Open MConfig.
- Select the relevant application.
- Click Web products.
- Select the appropriate web server.
- Click Web server parameters and make sure that the Webserver URL (host and port) field has the correct value.
For example, if the installation uses a virtual web server, the field should be http:// followed by the name of the server, followed by the virtual web server port number (separated by a colon), with a / (slash) at the end. If you make a change in MConfig, you may need to restart the web daemon before the changes take effect.
Before you perform this procedure, you must consider which users or groups should be given access to which reports and universes.
To manually set up access rights in BO, follow these steps:
- Open the Central Management Console.
- Click Folders and then locate the reports in the Maconomy folder.
- For each report, set up the access rights by clicking on the report and opening the Rights tab.
- Make sure that the rights for the group Everyone are set to No Access.
Click Add/Remove to insert a line (for example, a new group), and then click OK.
- Change the rights to a different setting, for example, View On Demand.
It is recommended that you assign rights to groups (containing users), rather than directly to users.