BusinessObjects Board

Business Objects - Derived security

I am a new user grappling with how to set up security for BO implementation. The implementation is a reporting platform for another project management system.

I would appreciate it if someone can read the below case study and suggest a good way to model the security.

Org1, Org2, Org3 in the below note refer to organization units / business units. Also, the number of org units is dynamic and keeps varying - currently at 80. The user groups’ access varies too - but can be broadly classified into 5.

User A is associated with Org Units – Org1, Org2, Org3
User B is associated with Org Units – Org1 & he is added as a Participant in a Project created for Org2
User C is associated with Org Units – Org4, Org5 & has Read-only access to all Projects (as he is a member of Read-only Group)

When these users would run a report (the same report), they should be able to see:

User A - Projects created for Org1, Org2, Org3
User B - Projects created for Org1 & a Project created for Org2 (where the user is added as a Participant)
User C - All Projects in the system

At present we are looking at using “@variable(‘BOUSER’)” to set up the security. If there is a better method/approach, please let me know.

thanks
J


jameshardly (BOB member since 2011-11-08)

James,

Welcome to B :mrgreen: B!

Sounds good for run time security. You should use a mandatory universe filter in conjunction with this.

You need to look at universe / folder / report security too.
Please have a look at this post to get started and post any questions:-

https://bobj-board.org/t/119849

Cheers,

Mark.


Mak 1 :uk: (BOB member since 2005-01-06)

Thanks for that very quick response. Just curious (I promise I will go through the link) - but are there any other methods by which dynamic run time security can be applied to the logged-in user?

Like thinking out aloud - A library code that applies business logic to the user’s access or some such derived security.

Please ignore the above comment if that is nowhere in the realm of BO.

thanks
J :stupid:


jameshardly (BOB member since 2011-11-08)

Yes, row level security can be purely managed, using access restrictions, in the universe. However, I would stick with the method you are planning.


Mak 1 :uk: (BOB member since 2005-01-06)

I will take your suggestion and stick with the model. But the project management tool has a couple more layers of security (there is a license concept and there is a record level security) - which eventually I might need to implement into BO. So if there is a link (similar to the one you attached in the previous post) - please direct me there - on how to set up this kind of derived security.

thanks and appreciate your responses.

thanks
J


jameshardly (BOB member since 2011-11-08)

You’ll have to clarify what these actually are and how they work?


Mak 1 :uk: (BOB member since 2005-01-06)

I was trying to excuse myself from typing in the gory details - but I guess it will be difficult to help without all of the information.

I will use my earlier case study and expand a bit further:-

User A and User D are associated with Org Units – Org1, Org2, Org3
User B is associated with Org Units – Org1 & he is added as a Participant in a Project created for Org2
User C is associated with Org Units – Org4, Org5 & has Read-only access to all Projects (as he is a member of Read-only Group)

Project M is executed by Org 1.
User A has project management license and is a project manager of only Project M.
User D has project management license and is NOT a project manager of Project M, but is a project manager for some other projects.

When these users would run a report (the same report), they should be able to see:

Additional\Revised requirement:-

User A should be able to see only Project A.
User D should NOT be able to see Project A even though he belongs in the same org unit(Org1) as the project and has necessary license.

thanks
J


jameshardly (BOB member since 2011-11-08)

It looks to me that you may have to have row security consisting of Org unit and Project.
Read access can be given by using scheduled instances and limited application rights.

To be frank, you need to understand how it all fits together. This is a big area, especially if you introduce SSO too.
Maybe you should also consider taking training?

It's very difficult / impossible to “fix” a lousy BO security model, my 10 cents.

This may help:-

Method using universe, although I would steer clear of applying SQL row level security here:-
http://www.dallasmarks.org/presentations/SBOUC2007_Dallas_Marks_Secure_Universes_Using_Restriction_Sets.pdf


Mak 1 :uk: (BOB member since 2005-01-06)

Mark,

Thank you very much. I will go through the documents first. I am also anticipating “a BO expert” joining the team in the next week or so. If that person cannot help me - then training seems the next logical way out.

thanks for the effort and appreciate your help.

thanks
J


jameshardly (BOB member since 2011-11-08)

James,

No problem.

Well, I hope they are actually an expert, I have met plenty that pertain to be so :wink: .

It depends what they are expert in as Business Objects is quite a big area.
Have they done universe and report building, security build, data warehousing, server set up, config and admin, migrations, training, etc.?

I have, so, I’m generally considered an architect these days.

Good Luck,

Mark.


Mak 1 :uk: (BOB member since 2005-01-06)

Thank you and will revert back with where we stand in a couple of weeks. The person seems to have knowledge predominantly in building reports. So I am still reading up the documents.

In the meantime I have another query - it's related to hyperlinks. I will raise it in the appropriate forum. Maybe you can help me there.

thanks
J


jameshardly (BOB member since 2011-11-08)

Hi All,

I have a similar requirement; can someone guide me?

I have the below requirement to implement security.
Req 1. Users have to see their own data.
Req 2. Approvers have to see their own data as well as the data of other users who have raised requests for his/her applications.
Req 3. Supporting teams have to see the entire data without any restrictions.

Req1 and Req2 are implemented by using the @VARIABLE(‘bouser’) function in the join clause between the employees table and the Security table. But the problem arises for Req3, i.e. for the supporting teams, since they do not have any records in the tables. Is there any possibility to ignore the security for supporting team members so that they can see the data for all users/approvers without any limitations?

Thanks in advance
Ashie


Ashie :india: (BOB member since 2008-09-17)
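
The row filter this thread discusses, as an added example that is not from any poster or from Business Objects: it runs the first post's case study (Users A, B and C) in SQLite, with the `:bouser` parameter standing in for `@VARIABLE('BOUSER')`, and its group branch is one way to express the unrestricted supporting-team case (Req 3). Table, column and group names and all rows are constructed for illustration.

```python
import sqlite3

# Constructed schema and rows modelled on the thread's case study (Users A, B, C).
SCHEMA = """
CREATE TABLE project(id TEXT PRIMARY KEY, org TEXT);
CREATE TABLE user_org(bo_user TEXT, org TEXT);
CREATE TABLE project_participant(bo_user TEXT, project_id TEXT);
CREATE TABLE user_group(bo_user TEXT, grp TEXT);
INSERT INTO project VALUES
  ('P1','Org1'),('P2','Org2'),('P3','Org2'),('P4','Org3'),('P5','Org4');
INSERT INTO user_org VALUES
  ('A','Org1'),('A','Org2'),('A','Org3'),('B','Org1'),('C','Org4'),('C','Org5');
INSERT INTO project_participant VALUES ('B','P2');
INSERT INTO user_group VALUES ('C','READ_ONLY_ALL');
"""

# Row filter. :bouser stands in for @VARIABLE('BOUSER'), which the universe
# replaces with the logged-in user name when the query is generated.
# Each access path is its own EXISTS branch, so a user with no org rows is
# still evaluated by the group branch, and nobody gets duplicate rows.
ROW_FILTER = """
SELECT p.id FROM project p
WHERE EXISTS (SELECT 1 FROM user_org uo
              WHERE uo.bo_user = :bouser AND uo.org = p.org)
   OR EXISTS (SELECT 1 FROM project_participant pp
              WHERE pp.bo_user = :bouser AND pp.project_id = p.id)
   OR EXISTS (SELECT 1 FROM user_group ug
              WHERE ug.bo_user = :bouser AND ug.grp = 'READ_ONLY_ALL')
ORDER BY p.id
"""

def visible_projects(bouser):
    """Return the project ids the given user may see under ROW_FILTER."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = db.execute(ROW_FILTER, {"bouser": bouser}).fetchall()
    db.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    # 'Z' is a constructed user with no security rows at all.
    for user in ("A", "B", "C", "Z"):
        print(user, visible_projects(user))
```

An inner join to the security table drops every user who has no row in it, which is the supporting-team problem described above; with `EXISTS` branches such a user is matched by group membership instead, and a user who matches no branch sees no rows.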