If you've attended the ASUG2014 BusinessObjects User Conference or have been attending some of the latest webinars, you will have heard about the ability to restrict the Lumira Desktop functionality using rights in the CMC.
Let's dive into the details:
Prerequisites:
- Lumira Desktop 1.19
- Lumira Integration for BI4.1 version 1.2 (note that this is still officially in ramp up)
- BI4.1 SP3
Note that while the Lumira integration for BI4.1 requires Lumira Server and by extension, HANA, to use this feature you do NOT need to have either of those. Only the latest Lumira desktop and the Lumira Integration add-on Installer are needed.
Overview of the rights:
From the Applications tab in the CMC, navigate down to SAP Lumira. This new application object will only show up after you have installed the Lumira Integration for BI4
The following is a set of rights you can set, which should be fairly self explanatory.
Enabling/Forcing Desktop Governance
This feature is managed through forcing a logon to your BI system at each startup of the Lumira Desktop.
You can, and it is recommended that you do set up kerberos SSO for lumira desktop to make this step seamless.
The logon is controlled through the placement of a .properties file, placed in the Lumira Desktop application directory.
The steps are also described in section 4.6 of the BI add-on for Lumira.
The format of the LumiraGovernance.properties file should look something like this:
enable=true
adapter.type=boe
authentication.type=secEnterprise
rest.url=http://myserver:6405/biprws
useSSO=false
Where enable/disable turns this feature on or off,
"adapter.type" will need to be boe, but you can see that this could in the future open up other types like Lumira Server
"authentcation.type" will be enterprise, AD, LDAP or SAP, in the following formats:
● secEnterprise
● secLDAP
● secWinAD
● secSAPR3
The rest.url will be the same that is used to publish to the BI platform and
"useSSO" will dictate if a prompt should appear or if single signon will be used.
Place the file in the user's work directory.
C:\Users\<user>\.sapvi
Provisioning the LumiraGovernance.properties file
By now you will have noticed that this is just a plan text file. How do you get this onto the user's desktop?
To make the feature effective, you do need a centralized software distribution system, and one that will set this file to read only.
See the effect
The following shows a difference in UI between the full unrestricted mode and restricted mode for data acquisition. We have limited the user to use only certified corporate data from a universe and their local system.
The below shows limiting the publishing destinations to BI only, and includes the prevention of exporting to a file.
Pushing settings to client
Using the settings of the SAP Lumira applicaiton object, you can also control whether your end users are allowed to update the desktop.
Or even force them to use a specific server for publishing, if you have set up the full Lumira BI integration (requires Lumira Server), or specific cloud destination.
Offline Support
The desktop tool will go into last known restricted mode if launched offline.