I am a new user grappling with how to set up security for a BO implementation. The implementation is a reporting platform for another project management system.
I would appreciate it if someone can read the below case study and suggest a good way to model the security.
Org1, Org2, Org3 in the below note refer to organization units / business units. Also, the number of org units is dynamic and keeps varying - currently at 80. The user groups’ access varies too - but can be broadly classified into 5.
User A is associated with Org Units Org1, Org2, Org3
User B is associated with Org Units Org1 & he is added as a Participant in a Project created for Org2
User C is associated with Org Units Org4, Org5 & has Read-only access to all Projects (as he is a member of Read-only Group)
When these users would run a report (the same report), they should be able to see:
User A - Projects created for Org1, Org2, Org3
User B - Projects created for Org1 & a Project created for Org2 (where the user is added as a Participant)
User C - All Projects in the system
At present we are looking at using @Variable('BOUSER') and set up the security. If there is a better method/approach please let me know.
Thanks for that very quick response. Just curious (I promise I will go through the link) - but are there any other methods by which dynamic run-time security can be applied to the logged-in user?
Like thinking out aloud - A library code that applies business logic to the user’s access or some such derived security.
Please ignore the above comment if that is nowhere in the realm of BO.
I will take your suggestion and stick with the model. But the project management tool has a couple more layers of security (there is a license concept and there is a record-level security) - which eventually I might need to implement into BO. So if there is a link (similar to the one you attached in the previous post) - please direct me there - on how to set up this kind of derived security.
I was trying to excuse myself from typing in the gory details - but I guess it will be difficult to help without all of the information.
I will use my earlier case study and expand a bit further:-
User A and User D are associated with Org Units Org1, Org2, Org3
User B is associated with Org Units Org1 & he is added as a Participant in a Project created for Org2
User C is associated with Org Units Org4, Org5 & has Read-only access to all Projects (as he is a member of Read-only Group)
Project M is executed by Org 1.
User A has project management license and is a project manager of only Project M.
User D has project management license and is NOT a project manager of Project M, but is a project manager for some other projects.
When these users would run a report (the same report), they should be able to see:
Additional\Revised requirement:-
User A should be able to see only Project A.
User D should NOT be able to see Project A even though he belongs in the same org unit (Org1) as the project and has necessary license.
It looks to me that you may have to have row security consisting of Org unit and Project.
Read access can be given by using scheduled instances and limited application rights.
To be frank, you need to understand how it all fits together. This is a big area, especially if you introduce SSO too.
Maybe you should also consider taking training?
It's very difficult / impossible to “fix” a lousy BO security model, my 10 cents.
Thank you very much. I will go through the documents first. I am also anticipating “a BO expert” joining the team in the next week or so. If that person cannot help me - then training seems the next logical way out.
Well, I hope they are actually an expert, I have met plenty that pertain to be so.
It depends what they are expert in as Business Objects is quite a big area.
Have they done universe and report building, security build, data warehousing, server set up, config and admin, migrations, training, etc.?
I have, so, I’m generally considered an architect these days.
Thank you and will revert back with where we stand in a couple of weeks. The person seems to have knowledge predominantly in building reports. So I am still reading up the documents.
In the meantime I have another query - it's related to hyperlinks. I will raise it in the appropriate forum. Maybe you can help me there.
I have a similar requirement. Can someone guide me?
I have the below requirement to implement security.
Req 1. Users have to see their own data
Req 2. Approvers have to see their own data as well as the other users' data who have raised the requests for his/her applications.
Req 3. Supporting teams have to see the entire data without any restrictions.
Req1 and Req2 are implemented by using the @VARIABLE('bouser') function in the join clause between the employees table and Security table. But the problem arises for Req3, i.e. for the supporting teams, since they do not have any records in the tables. Is there any possibility to ignore the security for supporting team members so that they can see the data for all users/approvers without any limitations?
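An added example, not part of any post in this thread: a SQLite mock-up of the row restriction discussed above, covering the first case study (Users A, B, C) and the support-team question. All table and column names, the `unrestricted` table and the sample rows are assumptions; `:bouser` stands in for the login name BO substitutes for @Variable('BOUSER').

```python
import sqlite3

# Constructed sample data mirroring the first case study in the thread.
SCHEMA = """
CREATE TABLE project(id TEXT PRIMARY KEY, org TEXT);
CREATE TABLE user_org(bo_user TEXT, org TEXT);            -- org-unit membership
CREATE TABLE participant(bo_user TEXT, project_id TEXT);  -- per-project grants
CREATE TABLE unrestricted(bo_user TEXT PRIMARY KEY);      -- read-all / support users
INSERT INTO project VALUES ('P1','Org1'),('P2','Org2'),('P3','Org2'),
                           ('P4','Org3'),('P5','Org4'),('P6','Org6');
INSERT INTO user_org VALUES ('A','Org1'),('A','Org2'),('A','Org3'),
                            ('B','Org1'),('C','Org4'),('C','Org5');
INSERT INTO participant VALUES ('B','P2');
INSERT INTO unrestricted VALUES ('C'),('SUPPORT1');
"""

# Row filter: a project is visible if the user is unrestricted, belongs to
# the project's org unit, or is a participant. Unknown users match nothing.
VISIBLE = """
SELECT p.id FROM project p
WHERE EXISTS (SELECT 1 FROM unrestricted u WHERE u.bo_user = :bouser)
   OR EXISTS (SELECT 1 FROM user_org o
              WHERE o.bo_user = :bouser AND o.org = p.org)
   OR EXISTS (SELECT 1 FROM participant t
              WHERE t.bo_user = :bouser AND t.project_id = p.id)
ORDER BY p.id
"""

# Inner-join form: a user with no rows in the security table gets nothing.
JOIN_ONLY = """
SELECT DISTINCT p.id FROM project p
JOIN user_org o ON o.org = p.org AND o.bo_user = :bouser
ORDER BY p.id
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def visible_projects(db, bouser, sql=VISIBLE):
    return [row[0] for row in db.execute(sql, {"bouser": bouser})]

if __name__ == "__main__":
    db = make_db()
    for user in ("A", "B", "C", "SUPPORT1", "NOBODY"):
        print(user, visible_projects(db, user),
              visible_projects(db, user, JOIN_ONLY))
```

With the join-only form, SUPPORT1 sees no rows at all, which is the behaviour described for the supporting teams; the `EXISTS` form keeps the default at "no access" and makes the bypass an explicit, auditable table entry.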