SAP Business Objects Delegated Administration

I actually kind of dig the security model with XI. Call me crazy. I do believe it is more than a few steps up from the days of 6.5 and older. I know it has its shortcomings but it is getting better.

One challenge I’ve dealt with a few times is delegated administration. The goal is in putting user administration in a corporate information security group’s hands rather than a Business Objects Admin’s hands. This makes perfect sense in a deployment that didn’t necessarily start on a Windows AD or LDAP deployment or relies heavily Enterprise groups for access control.

Things changed a little from XI R2 to XI 3.x. This post will focus largly on XI 3.x but we’ll talk about XI R2 towards the end. In order to jump start this post, an Enterprise group is created. Visit the CMC as an administrator group user (or just plain old administrator) to construct the group. Click the Users and Groups link to continue.


Click the “Manage” button on the toolbar, select “New” and choose “New Group”.


Let’s make this group easily identifable. Call it “Helpdesk Administrators” and give it a description so it is easy to recall it’s intended purpose.


With a group in place, return to the Users and Groups section of the CMC and head back to the “Manage” menu option but this time start in the “Top-Level Security” menu item. We’ll begin but looking at the rights for all groups.


Danger! OK not too dangerous. A quick warning dialog reminds you that you are modifying rights for the entire group structure for your CMS. Granted, you could delegate way down here and do it at an individual group level. This is relevant because in a decentralized development world you may wish to give indvidual groups their own rights to control access to their reporting application. However, this exercise focuses on the whole enchilada.


Click OK to continue, you now want to Add Principles. There, search for the Helpdesk Administrators group (or whatever it was called) and add to the selection and click Add and Assign Security button to give this group full control of your groups. Do you have to go full control? Not necessarily. You can get granular using advanced rights. That is the administrators call (or the information security overlord’s mandate).


That’s really it. When completed your new group can modify groups. Wash, rinse, and repeat on the Top-Level Security for Users and you’ve got it. There are other applications for this, for example, in Server Administration. If you ponder it I’m betting there are more applicaitons.

Now in the XI R2 world it was a little more tricky. I actually did not want all the CMC stuff to show up for someone in the CMC. The key difference here was to go into each section of the CMC and set the rights for that section to No Access for the Helpdesk Administrators group. A little tidious but not an unbearable task.

UPDATE: I would be a bad friend if I didn’t mention that you should REALLY be cautions in giving helpdesk admins full control to control groups. You espeically don’t want to give someone access to add someone to the administrators group, for example. Just a thought…

5 thoughts on “SAP Business Objects Delegated Administration

  1. Hi Eric, this issue published by you, had been useful to me, because I implemented your recomendations to create a delegated administration into SAP BO XI 3.1 (very old !!! I know).
    However, when I try to customize the administration options of CMC home page, I not have good results. For example, I can’t hide the authentication’s option or session’s option into CMC home page. ¿Do you know how restrict the adminsitrations options into CMC home page?
    I appreciate your time to read my comments and questions
    Best regards

  2. Hi Susana,

    Great question. This would imply to me that if you check under Applications/CMC/User Security, that user group has more rights than they should. For example, if you start with the most basic right “Log on to the CMC and view this object in the CMC”, and only that right (no pred-defined access level), you’ll see the user can log on but “Applications” is the only option available on the “Manage” portion of the CMC, which should be by design.

    1. Hi Eric, thank you for your quick answer. I can test your suggestion about customize access to CMC console. But when you indicate “by design” ¿Do you make a reference to use Design Application for change the “Manage” portion of the CMC?
      I appreciate your support
      Best regards


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.