cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Terminated employee's personal reports are gone. Forever?

Go to solution
nscheaffer
Active Contributor

on ‎09-20-2013 10:17 PM

0 Kudos

Let me start off with some background.  We are on BI 4.0 SP06 and use Windows Active Directory for authentication.  When a user is added to a specific mapped AD group there BusinessObjects account gets created.

We had a user that had a lot of reports in her Personal Folder that recently left our company. When her domain account got deleted it was obviously also removed from that specific mapped AD group and consequently her BusinessObjects account got deleted as well.  Along with that her Personal Folder and BI Inbox were deleted.  I believe it also deleted the schedule for any reports she had scheduled.  The system still attempted to run the report, but it resulted in this error...

     Object failed to run due to insufficient security privileges.

Are those reports that were in her Personal Folder anywhere to be found within the system?  Or are they truly gone?  If they are gone, so be it.  We can deal with that if we have to.

How do I prevent this from happening again?  Do I need to alias each Windows AD user to their own Enterprise user?

Thanks,

Noel

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member188911
Active Contributor
‎09-23-2013 1:59 PM
0 Kudos

Hi Noel,

this is normal behavior, when a user is deleted his/hers Personal Folders and Inbox are wiped out.

All documents that were owned by them in other folders become owned by the administrator.

The best approach is to disable the user account rather than delete it.

If by any reason the account is inadvertidetly deleted, the only way to recover Inbox and Personal folders is to perform a restore in a non production and prevent AD/LDAP synchronization to take place.

If you need to know how to prevent AD/LDAP synchronization please let me know.

Thanks

SImone

Show replies
Show replies
nscheaffer
Active Contributor
‎09-23-2013 3:27 PM
0 Kudos

We are not going to pursue doing a restore.  However, I do want to make sure this doesn't happen again.  So it seems that I need to make an enterprise alias and assign it to each new user.  Is there a way to automatically do this?  Can I assign the same enterprise alias to every AD user?

Also, is there a way to have the AD user automatically created, but not automatically deleted?

I am reading with the Admin guide on this topic ("Configuring AD Authentication in the CMC").

Noel

Former Member
‎09-24-2013 1:39 PM
0 Kudos

Hi Noel,

To answer your questions please see below:

---------------------------------------------------------------------------------------------------

In the "AD Alias Options" area specify how new aliases are added and updated to BusinessObjects Enterprise.

a. In "New Alias Options", select how new aliases are mapped to Enterprise accounts.

Select one of the following choices:

1. Assign each new AD alias to an existing User Account with the same name

Use this option when you know users have an existing Enterprise account with the same name; that is, AD aliases will be assigned to existing users (auto alias creation is turned on). Users who do not have an existing Enterprise account, or who do not have the same name in their Enterprise and AD account, are added as new users.


2. Create a new user account for each new AD alias

Use this option when you want to create a new account for each user.

b. In "Alias Update Options", select how to manage alias updates for the Enterprise accounts.

Select one of the following choices:

1. Create new aliases when the Alias Update occurs

Use this option to automatically create a new alias for every AD user mapped to BusinessObjects Enterprise. New AD accounts are added for users without BusinessObjects Enterprise accounts,

or for all users if you selected the "Create a new account for each new AD alias" option and clicked Update


2. Create new aliases only when the user logs on

Use this option when the AD directory you are mapping contains many users, but only a few of them will use BusinessObjects Enterprise. BusinessObjects Enterprise does not automatically

create aliases and Enterprise accounts for all users. Instead, it creates aliases (and accounts, if required) only for users who log on to BusinessObjects Enterprise.

---------------------------------------------------------------------------------------------------

To answer your last question:

Q) Also, is there a way to have the AD user automatically created, but not automatically deleted?

- There are ways you can control how these updates will happen on BO Application level using the Graph Update options but in the back-end it will be entirely depend on what activities/ changes you have done on AD Level.

- As suggested by Simone above, it is a always a good practice that instead of deleting the user account directly - [you disable it -> Retrieve the reports/ documents -> Copy to New Folder -> Delete the User]

I hope it will help.

Thank you,

NK

nscheaffer
Active Contributor
‎09-24-2013 3:43 PM
0 Kudos

Thanks for the response Nikhil.  I had found this section in the admin guide too.  I have more questions though.

  1. What does "auto alias" mean?
  2. How do I prevent the account from getting deleted?  Here what happened.  We have our system set up so that when users are added to a particular active directory group they get added to BusinessObjects.

    An employee was terminated and last Monday and I was not made aware of it until Friday.  Here is where things went bad.  I had a request to set up a few new employees on Thursday.  So I went into the Windows AD Authentication screen in the CMC and clicked update with the "Update AD Groups and Aliases now" selected in the On-Demand AD Update section.  My new people got added and the terminated employee got removed.

    I have requested to be notified whenever an employee with BusinessObjects access is terminated, but I am still concerned about this happening again if I don't get notified at all or in time.

    So do I need to create an Enterprise Alias for each users?  Is there a way to do that automatically or do I have to do it manually?

Thanks,

Noel

nscheaffer
Active Contributor
‎05-16-2014 8:59 PM
0 Kudos

I ended up following the instructions in this note to create enterprise aliases for all users.

http://service.sap.com/sap/support/notes/1804839

Noel

Answers (2)

Answers (2)

Former Member
‎04-04-2016 3:58 PM
0 Kudos

All:

We ran the enterprise alias script too to create enterprise alias on all LDAP/AD IDs in CMC. However, if a user is terminated that ID still shows in CMC because of the enterprise ID enabled. How do we get rid of the termd users?

Any ideas?

Show replies
Show replies
TammyPowlas
Active Contributor
‎04-04-2016 4:15 PM
0 Kudos

This is a closed thread; please search for your question and if you cannot locate a solution, please create a new thread.  Thanks

Former Member
‎09-22-2013 7:36 AM
0 Kudos

Hi Noel,

Yes, you are right that you would have to create an Enterprise Alias for Windows AD account. Kindly refer:

http://service.sap.com/sap/support/notes/1315192

and then:

http://service.sap.com/sap/support/notes/1804839

I hope this helps.

Regards,

Nakul Mehta

Show replies
Show replies
Ask a Question