BusinessObjects Enterprise Administrator's Guide

Authentication and program objects

Be aware of the potential security risks associated with the publication of program objects. As the administrator, you must protect the system against abuse. The level of file permissions for the account under which a program object runs will determine what modifications, if any, the program can make to files.

You can control the types of program objects users can run, and you can configure the credentials required to run program objects.

Enabling or disabling a type of program object

As a first level of security, you can configure the types of program objects available for use.

To enable or disable a type of program object

1. In the Objects management area of the CMC, click Object Settings.
2. Click the Program Objects tab.
3. Select the type or types of program objects you want users to run.
4. Click Update.

Authentication on all platforms

In the Objects management area of the CMC, you must specify credentials for the account under which the program runs. This feature allows you, the administrator, to set up a specific user account for the program, and assign it appropriate rights, to have the program object run as that account. For details, see "Controlling users' access to objects" on page 312.

Alternatively, users who publish program objects to BusinessObjects Enterprise can assign their own credentials to a program object, to give the program access to the system. Thus, the program will run under that user account, and the rights of the program will be limited to those of the user. If you choose not to specify a user account for a program object, it runs under the default system account, which generally has rights locally but not across the network.

Note:    By default, when you schedule a program object, the job fails if credentials are not specified. To provide default credentials, click Object Settings in the Objects management area, then click the Program Objects tab. Click "Schedule with the following operating system credentials" and provide a default user name and password.

To specify a user account for a program object

1. In the Objects management area of the CMC, click the link for the program object.
2. Click the Process tab, then click the Logon link.

The Logon page appears.

3. In the User Name and Password fields, type the credentials for the user account under which the program should run.
4. Click Update.

Authentication for Java programs

BusinessObjects Enterprise allows you to set security for all program objects. For Java programs, BusinessObjects Enterprise forces the use of a Java Policy File, which has a default setting that is consistent with the Java default for unsecure code. Use the Java Policy Tool (available with the Java Development Kit) to modify the Java Policy File, to suit your specific needs.

The Java Policy Tool has two code base entries. The first entry points to the BusinessObjects Enterprise Java SDK and allows program objects full rights to all BusinessObjects Enterprise JAR files. The second code base entry applies to all local files. It uses the same security settings for unsecure code as the Java default for unsecure code.

Note:    

• The settings for the Java Policy are universal for all Program Job Servers running on the same machine.
• By default, the Java Policy File is installed to the Java SDK directory in the BusinessObjects Enterprise install root directory. For example, a typical location on Windows is:
  C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\conf\crystal-program.policy

  On UNIX, a typical location is
  .../solaris_install/bobje/enterprise11/JavaSDK/crystal-program.policy