BusinessObjects Board

XI 3.0 Security for Mere Mortals

You should be able to create 53 groups (50+3). Then make any given user a member of two groups … one client group, and one “kind” group.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)

Is this only true when a user is always a “kind” of user? For instance, in a scenario with three kinds of users: Advanced, Medium, General and Two Groups: HR and Sales.

In your scenario there would be 5 groups. Let’s say User: Bob is an Advanced User for the HR Group.

He would be placed in the “Advanced” group and the “HR” group. Later on, Bob also needs view only access to the “Sales” group. Due to security requirements, he is not allowed to be an advanced user of the Sales group.

Adding Bob to the “Sales” group while he is already in the “Advanced” group and the “HR” group would give him too much access.

In this particular type of scenario, would I need to create the 50x3 groups?

edit: without using overrides or individual user level security for Bob.


sovichet (BOB member since 2007-07-10)

Hi everybody!

I just don’t understand something:
In the 3.1 matrix, I understood that we should rather “play” with the different customised access levels, and then apply those levels to a group in order for them to have rights on folders or applications.

so a user belongs to a group

instead of:
creating groups with their rights on folders
creating groups with their rights on applications

so a user belongs to 2 groups.

And following the questions above, the solution proposed by Dwayne is the second one: a user belongs to 2 groups.

So what is the best solution, if any?
Thanks for your answer.


liloo :fr: (BOB member since 2007-06-06)

Still wouldn’t help. Application rights are NOT applied to content folders. The only solution is two different user IDs.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)
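
The Bob scenario from earlier in the thread, modelled under the behaviour stated in the reply above (application rights are not scoped to content folders). This is an added example, not BusinessObjects SDK code and not from any poster; the group names, right names and the union rule are simplifying assumptions.

```python
# Simplified model of the behaviour described in this thread (not the BO SDK):
# application rights are granted per group on an application and are not
# scoped to content folders; folder rights only decide which folders are visible.
# All group names and right names below are constructed for illustration.

APP_RIGHTS = {  # rights on the authoring application, by "kind" of user
    "Advanced": {"refresh", "edit_query", "view_sql"},
    "General": {"refresh"},
}
FOLDER_ACCESS = {"HR": {"HR"}, "Sales": {"Sales"}}  # group -> visible folders


def composite(client, kind):
    """Register one of the 50x3-style groups, e.g. 'HR-Advanced'."""
    name = f"{client}-{kind}"
    APP_RIGHTS[name] = APP_RIGHTS[kind]
    FOLDER_ACCESS[name] = {client}
    return name


def effective(groups, folder):
    """Rights a login holds while working on documents in `folder`."""
    visible = set().union(*(FOLDER_ACCESS.get(g, set()) for g in groups))
    if folder not in visible:
        return set()
    # Application rights from every membership are unioned; none is folder-scoped.
    return set().union(*(APP_RIGHTS.get(g, set()) for g in groups))


def over_privileged(groups, folder, allowed):
    """Rights held on `folder` beyond what policy allows there."""
    return effective(groups, folder) - allowed


SALES_POLICY = {"refresh"}  # Bob may only refresh Sales content

two_groups = ["Advanced", "HR", "Sales"]                   # 5-group design
composites = [composite("HR", "Advanced"), composite("Sales", "General")]
bob_sales_login = [composite("Sales", "General")]          # second user ID

if __name__ == "__main__":
    for label, g in [("kind+client", two_groups), ("50x3", composites),
                     ("separate ID", bob_sales_login)]:
        print(label, sorted(over_privileged(g, "Sales", SALES_POLICY)))
```

In this model both single-login designs leave Bob with query-editing rights on Sales, and only the separate login comes back clean.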

Are there any additional rights in XI 3.1? If so, is there a new download for XI 3.1?


Franko418 (BOB member since 2004-07-07)

That is correct for content folders. However, what about Universe folders? Setting “Not Specified” for the edit/delete permissions seems to effectively limit what these “mixed” users could do with the universes contained in the folders. I will try to post a real example tomorrow.


sovichet (BOB member since 2007-07-10)

Let’s see. I took your requirement against “give him too much access” rather literally I guess. I should ask, which application rights are the concern? Report authoring rights (DeskI, WebI), Designer rights, other? There is an individual right that can be applied to universes to allow data provider create / edit against that universe. It is the ONLY exception that I know of where what is essentially an application right is applied to content (documents, universes, etc.).


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)

Hi! Must we always create rights for application AND rights for content?
Or is it possible to imagine that the ones who will refresh all have the same rights and can only access their folder and then refresh a WebI document, and so we create a right “refresh”, then we create “accounting group” and apply the “refresh” right on the universe, connection, folder in relation with accounting, and then apply the same right “refresh” on application WebIntelligence?

Then if there is the same behaviour on “sales group”, we apply the same “refresh” right for the sales group, on sales folder, etc.


liloo :fr: (BOB member since 2007-06-06)

Dwayne,
To get to the list of all the rights, did you use something like VBA to go over the collections and print out the rights in Excel?

If so, is it possible for you to share the code?

Thanks
Maloy


itsmaloy :us: (BOB member since 2007-01-25)

I tried, but never found a reliable way to do so. It took a few hours of copy / paste from CMC. Tedious and possibly error prone, but in the end quicker than fiddling with code. The SDK just isn’t very good at this “master data” kind of thing.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)

Dwayne,

I’m playing around with Xi3 security for the first time, having not done any security modelling since the days of v5 / v6. I’m trying to reproduce the blocks in your presentation, but am confused by what I see as duplicate permissions.

What is the difference between ‘View SQL’ within the Content\Desk Intelligence Report group, and ‘View SQL’ within the Application\Desktop Intelligence group? What happens if one is granted and the other isn’t?

There are other similar duplicates for both Deski and Webi.

Thanks…


anorak :uk: (BOB member since 2002-09-13)

Let’s start with the easy part. The application one will drive what you do … well, within the application. Same for content … it would apply to individual DeskI documents.

Now as to the interaction between them, I haven’t tested it, but this would be my “hypothesis.” You’d have to have the application right, or you wouldn’t even be able to choose that option in the DeskI client. That would enable you to create new documents, see the SQL, etc. The content right would then be a matter of granularity. You could prevent viewing of SQL for some documents, and not others. Again, my hypothesis, but should be easily verified.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)

One quick question…

I understand how the new XIR3 security model works, but am awaiting a password before I can get into my CMC to fiddle with it… I’ve been spending the past week preparing scope documents and such…

On Column “D” of the spreadsheet above, it is labeled “Applicability”, is this something new in XIR3? I don’t quite understand what that column is used for when planning your security model…

At first I thought “General” and “Override General” were indications that this model is overriding the default settings… but then I see “Specific” and it kind of throws that idea away…

What is that column telling me to consider that I’m missing?


JPetlev (BOB member since 2006-11-01)

I missed this post originally, so my apologies there. You are on the right track. This is something new in XI 3.x. The “General / General” rights are still there … basic add, edit, delete, view, etc. In XI 3.x, you can get more granular, based on the content type … hence the “override general” terminology used by XI 3.x. As an example, it is possible to allow someone to “add” Excel documents to a folder, but not a WebI document, using this “override general” granularity.

My advice is to NOT use the “General / General” rights in custom access levels at all. Unless of course that is exactly what you intend … that the rights apply universally, regardless of content type. Otherwise, it’s just too easy to grant unintended access.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)

I almost forgot to ask, is the spreadsheet posted in the original post above still applicable to XI 3.1 SP2? Or rather, have there been any changes which might make some of these access levels obsolete or broken in any way?

EDIT: Ok it seems I was able to answer my own question… the spreadsheet above is NOT all inclusive of all 3.1 SP2 rights. I haven’t been able to spend the time to go through them all, but so far I’ve noticed the auto-save rights are not in the sheet. This leads me to believe it was not updated beyond XI3.0.

If anyone’s already done the work of updating one for 3.1 SP2, if you could provide a link that would be great. Right now I’m just updating my own sheet as I find missing items.


JPetlev (BOB member since 2006-11-01)

I have added an additional attachment to the original post here. Items that are new in XI 3.1 are highlighted in a different color. Here is a summary:

  • New WebI application right: Enable Autosave for this user
  • New content types: Analytic, Dashboard, Xcelsius DM
  • The only other change I found was basically a re-labeling (or add / delete if you prefer). For WebI application right, it is now Edit SQL instead of Java Report Panel: Edit SQL.

To be clear, this is the result of a screen by screen manual comparison, nothing programmatic. Therefore it may still have flaws, but I think it’s close.

Dwayne Hoffpauir :us: (BOB member since 2002-09-19)

Thanks!


JPetlev (BOB member since 2006-11-01)

Can someone please clarify something for me with regards to the Security For Mere Mortals Powerpoint slide ?

I created a group of users, with :

Application Access Level - Refresh (Assigned to Infoview, and WebI application)
Content Access Level - Standard (Assigned to a universe, its connection, and the folder containing the WebI reports)

Ideally, I want these users to login, see the reports folder (and any sub folders contained within), and to be able to open a report, and only be able to refresh/save it (but not modify, edit query/sql etc).

However, this is not happening, when a user from that group logs in, they are only able to see the folder itself with no reports inside nor any of the sub folders contained within.

Also, if I change the Content Access Level on the folder to “Developer” then users would see the sub folders and any WebI reports there. However, if I try to refresh any report it would say universe not found, and when I click on Edit Query there are thus no objects on the left hand pane. I just want to know what kind of Content/Application access should I grant a group for them to be able to see a folder and all its sub folders, and to be able to refresh the reports in there but not modify nor view SQL really. I believe page 18 in the Powerpoint presentation details this, but I must be doing something wrong as I’m not getting the desired results :crazy_face:

Oh, and the Everyone group has “View Folder Only” Content Level Access on the root folder in case anyone’s wondering. …So where do I need to look to fix this? Any ideas? Our implementation is BO XI R3.1 by the way. Thanks in advance for any ideas/help.


Veronica (BOB member since 2002-11-22)

You probably checked the option “apply to folder only” for the right View objects.

You should also set up the rights on universe folders and on connection …

I recommend not mixing access levels. I mean one access level for folder security, another one for universes … Thus you won’t miss setting up the security on all the objects. And you are obliged to do so object by object!

Sorry Sebastien, I may need more clarification,

…but in the XI 3.0 Security Matrix Excel sheet (in the “Content - Standard” tab), it only has “View documents instances that the user owns” and it is granted for both objects and sub-objects, so I guess if an admin makes a report for a user in this group they wouldn’t be able to see it, which is why this is happening?

I don’t see any reference to “View Document Instances” or “View Objects” in the “Standard” Content Access Level tab of the Excel sheet. (only to the ones a user owns)

I believe I have done so, as I have given Content Access Level - Standard (Assigned to a universe, its connection, and the folder containing the WebI reports). Is there some place else I missed?

So basically I should give “Standard” Content Access Level to the Universe folder, and the Reports folder, correct?

What would be the best Application Access Level and Content Access Level settings to give users who can log in and find reports made for them that they can only refresh and save ? (I thought it would be Application - Refresh, and Content - Standard, but I’m thinking I may need to change some of the default values specified in the Excel sheet to allow more control such as to see objects not just made by the user themselves)

Thanks for your help.


Veronica (BOB member since 2002-11-22)