Authentication and authorization

BMC Decision Support – Network Automation supports the following types of authentication methods:

  • BusinessObjects Business Intelligence (BI) Enterprise 
  • Lightweight Directory Access Protocol (LDAP)

For users to use BMC Decision Support – Network Automation, they must have role assignments in BMC Network Automation. These roles control access in BMC Decision Support – Network Automation.

Note

Users who have the same name across multiple BMC Network Automation instances are treated as the same user. These users can view the data for multiple sites based on the permissions assigned to them.

(Applicable for 8.9.01 and earlier versions) After the product installation, the role assignment information is transferred to the BMC Decision Support – Network Automation data warehouse by using the extract, transform, and load (ETL) process. ETL runs populate the data warehouse with report data and role authorization information. A utility called User Role Group (URG) Mapper maps the role authorizations to the BMC Decision Support – Network Automation groups. URG Mapper runs hourly through a Windows scheduled task, called bds_urgmapper_tsk. This task is created on the BMC Decision Support – Network Automation application server during the product installation.

(Applicable for versions 8.9.02, 8.9.02.001, 8.9.02.003, 8.9.02.003) The user information is not transferred to the SAP BusinessObjects Business Intelligence (BI) Platform from the data warehouse by the URG Mapper. By default, the Content Deployment utility creates only the sysadmin user, who has access to reports. If you want to grant access to any other user, create the same user in BMC Network Automation, run ETL, and then create the same user in BusinessObjects BI. For more information, see Creating user accounts in BusinessObjects BI.

(Applicable for versions 8.9.02.004, 8.9.02.005) The role assignment information is transferred to the BMC Decision Support – Network Automation data warehouse by using the extract, transform, and load (ETL) process. ETL runs populate the data warehouse with report data and role authorization information. The URG Mapper utility maps the role authorizations to the BMC Decision Support – Network Automation groups. URG Mapper runs hourly through a Windows scheduled task, called bds_urgmapper_tsk. This task is created on the BusinessObjects BI server when you run the Content Deployment utility on the BI server.

The following topics describe how authentication works and how various product roles are mapped to groups in BusinessObjects BI Platform:

Authentication setup and user and group creation in versions 8.9.00, 8.9.01, 8.9.02.004, and 8.9.02.005

You can use either one or both of the authentication types in your environment. Installing BMC Decision Support – Network Automation and running ETL and URG Mapper automatically sets up BusinessObjects BI Enterprise authentication. You must configure BusinessObjects BI to work with LDAP authentication.

The order in which authentication is set up impacts how users are created and the tasks performed by URG Mapper. Review the following authentication scenarios and determine the best approach for your environment:

Use these scenarios to determine how you want to set up authentication in your environment and the sequence in which you need to set up authentication if you support both types of authentication.

Product is installed and ETL and URG Mapper are run (LDAP is not configured)

In this scenario, you have installed BMC Decision Support – Network Automation and ETL and URG Mapper are run. BusinessObjects BI is not configured for LDAP authentication.

After the first ETL run, when URG Mapper runs for the first time, it does the following:

  1. Creates the BMC Decision Support – Network Automation groups in BusinessObjects BI and grants access levels to those groups.
    This step is the only time that URG Mapper creates groups when it runs and it creates all groups (see Product roles and the access control system for a list of the groups that are created).
  2. Creates the BMC Decision Support – Network Automation users in BusinessObjects BI and maps those users to the groups.

In subsequent runs, URG Mapper does the following:

  1. If there are any changes in role mapping in BMC Network Automation and those changes have been transferred to the data warehouse through an ETL run, URG Mapper updates the users to reflect those changes.
  2. If any users have been added in BMC Network Automation and the user information has been transferred to the data warehouse through an ETL run, URG Mapper creates the users and maps them to the groups it already created.

LDAP is set up before the product is installed (or before ETL and URG Mapper are run)

In this scenario, BusinessObjects BI is configured for LDAP authentication before you install BMC Decision Support – Network Automation or before ETL and URG Mapper are run.

After the first ETL run, when URG Mapper runs for the first time, it does the following:

  1. Creates the BMC Decision Support – Network Automation groups in BusinessObjects BI and grants access levels to those groups.
    This is the only time that URG Mapper creates groups when it runs and it creates all groups (see Product roles and the access control system for a list of the groups that are created).
  2. Maps the users who have already been imported from the LDAP group to the groups that it created in the first step.
    These users do not have a BusinessObjects BI Enterprise login because they were already present in BusinessObjects BI and URG Mapper does not create duplicate users.
  3. If any of the users from BMC Network Automation that were transferred to the data warehouse via an ETL run do not match users already imported from the LDAP group, URG Mapper creates those users and maps them to the groups it already created.

Product is installed, ETL and URG Mapper are run, and then LDAP is configured

In this scenario, you have installed BMC Decision Support – Network Automation and ETL and URG Mapper are run (URG Mapper has already set up the groups and mapped the BusinessObjects BI Enterprise users to those groups). Then you configure BusinessObjects BI for LDAP authentication and the users in your LDAP group. The users in your LDAP group match the BusinessObjects BI Enterprise users.

When URG Mapper runs after you set up LDAP authentication, it does the following:

  1. Maps the users from the LDAP group to the groups that it has already created. The existing BusinessObjects BI Enterprise users now have BusinessObjects BI Enterprise and LDAP login credentials (they have the same aliases).
  2. If there are any changes in role mapping in BMC Network Automation and those changes have been transferred to the data warehouse via an ETL run, URG Mapper updates the users to reflect those changes.
  3. If any users have been added in BMC Network Automation and the user information has been transferred to the data warehouse via an ETL run, and those users do not already exist from the LDAP group, URG Mapper creates the users and maps them to the groups it already created.

Authentication setup and user creation in versions 8.9.02, 8.9.02.001, 8.9.00.002, and 8.9.00.003

Depending on whether BusinessObjects BI or BMC Network Automation is configured for LDAP authentication, follow these steps so that LDAP users can access reports:

  • BusinessObjects BI is configured for LDAP authentication:
    1. Create the same users in BMC Network Automation as are present on the LDAP server.
    2. Run ETL.
    3. In Central Management Console (CMC), assign the LDAP users to the Administrators group.
  • BMC Network Automation is configured for LDAP authentication (in this scenario, the sysadmin user is disabled, so it cannot access reports):
    1. Create the same users in BusinessObjects BI through CMC as are present in BMC Network Automation.
    2. Assign the LDAP users to the Administrators group in CMC.

Product roles and the access control system

The BMC Network Automation roles align with BMC Decision Support – Network Automation user groups. When you set up BMC Network Automation, you assign your users to roles. In 8.9.01 and earlier versions, the URG Mapper assigns those users to the corresponding BMC Decision Support – Network Automation user groups.

The user group assignments control access to objects and functionality in BMC Decision Support – Network Automation. BMC Network Automation data-level security (User-Role-Realm security) controls users' access to report-related data and data in the universe. For example, if your role only has access to Realm A in BMC Network Automation, in BMC Decision Support – Network Automation you can generate reports for devices in Realm A. You cannot generate reports for devices in any other realm.

This access control system controls the data a user can see in a report, the actions that a user can perform on a report, and the BMC Decision Support – Network Automation features that a user can access.

The following table (applicable only for 8.9.02.004, 8.9.02.005, and 8.9.01 and earlier versions) shows how BMC Network Automation roles map to BMC Decision Support – Network Automation groups and the privileges associated with the BMC Decision Support – Network Automation groups. 

BMC Network Automation roles and their mappings to the BusinessObjects Business Intelligence (BI) platform user groups

| BMC Network Automation role | BusinessObjects Business Intelligence (BI) platform user group | Privileges |
|---|---|---|
| Report Administrator | BDS-NA Administrators | All of the capabilities of the BDS-NA Designers group and administration of all content and areas of BMC Decision Support – Network Automation in BusinessObjects Business Intelligence. |
| Report Designer | BDS-NA Designers | All of the capabilities of the BDS-NA Authors group and editing the universe and connection details |
| Report Author | BDS-NA Authors | All of the capabilities in the BDS-NA Viewers group and the following privileges: modifying existing reports; creating new reports; scheduling reports |
| Report Viewer | BDS-NA Viewers | Display, run, email, save, and export out-of-the-box reports for the data to which your BMC Network Automation role has access. By default all BMC Decision Support – Network Automation users are assigned to this group. |
| Global Report Administrator | BDS-NA Administrators | Can view data of all sites |
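The following added example is not part of the BMC documentation or product. For versions in which URG Mapper maps roles to groups, it audits BusinessObjects BI group membership against the role-to-group table and reports users whose groups exceed what their BMC Network Automation roles justify, users with no role assignment, and mappings not yet applied. The input dictionaries, finding labels, and function names are assumptions; how you export the role and group data from your environment is up to you.

```python
# Added example, not BMC code. Role and group names come from the table above;
# the two input dictionaries are constructed samples of exported data.
ROLE_TO_GROUP = {
    "Report Administrator": "BDS-NA Administrators",
    "Global Report Administrator": "BDS-NA Administrators",
    "Report Designer": "BDS-NA Designers",
    "Report Author": "BDS-NA Authors",
    "Report Viewer": "BDS-NA Viewers",
}
# Lowest to highest: each group includes the capabilities of those before it.
RANK = ["BDS-NA Viewers", "BDS-NA Authors", "BDS-NA Designers",
        "BDS-NA Administrators"]
DEFAULT_GROUP = "BDS-NA Viewers"  # all product users are assigned to it

SAMPLE_NA_ROLES = {  # constructed: user -> BMC Network Automation roles
    "alice": ["Report Administrator"], "bob": ["Report Viewer"],
    "carol": ["Report Author"], "dave": ["Report Designer"],
}
SAMPLE_BI_GROUPS = {  # constructed: user -> BusinessObjects BI groups
    "alice": ["BDS-NA Administrators", "BDS-NA Viewers"],
    "bob": ["BDS-NA Viewers", "BDS-NA Designers"],
    "carol": ["BDS-NA Viewers"], "erin": ["BDS-NA Administrators"],
}

def expected_groups(roles):
    """Groups a user should hold for the given roles."""
    return {ROLE_TO_GROUP[r] for r in roles if r in ROLE_TO_GROUP} | {DEFAULT_GROUP}

def audit(na_roles, bi_groups):
    """Return sorted (user, finding, groups) tuples for every mismatch."""
    findings = []
    for user, groups in bi_groups.items():
        held = {g for g in groups if g in RANK}
        if user not in na_roles:  # product access requires a role assignment
            if held:
                findings.append((user, "no-role-assignment", sorted(held)))
            continue
        want = expected_groups(na_roles[user])
        ceiling = max(RANK.index(g) for g in want)
        excess = sorted(g for g in held if RANK.index(g) > ceiling)
        if excess:
            findings.append((user, "excess-privilege", excess))
        if want - held:  # role change not yet applied by ETL and URG Mapper
            findings.append((user, "mapping-pending", sorted(want - held)))
    for user in na_roles.keys() - bi_groups.keys():
        findings.append((user, "not-in-bi", sorted(expected_groups(na_roles[user]))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_NA_ROLES, SAMPLE_BI_GROUPS):
        print(finding)
```
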

Related topics

User roles 
Configuring BusinessObjects for use with LDAP
Providing credentials for Windows scheduled tasks
Accessing users and groups in the Central Management Console
Managing access in the BMC Network Automation online documentation
