We have Total 20 Groups to implement security in BO, i.e what folders each group of users can see, whether they can create adhoc reports or not, and finally to implement the Row Level Security.
Currently, we are migrating reports using a BIAR file and then we are applying the security i.e Groups --> Folders in the respective environment.
Is it good practice to do it this way ?
OR Migrate the Groups and Folders from QA to Production?, if we do it this way, what will happen to Users who are belongs to destination environment.
This is the scenario:
We have User1, user2, user3, user4, user5.
We have Report1, Report, Report3
Report1, Report2 belongs to Folder1
Report3 belongs to Folder2
User1, User2 belongs to Group1
User3, User4 and User5 belongs to Group2
Group1 can only see Folder1 and also Row Level Security
Group2 can see Folder1, Folder2 and Adhoc report.
In this type of scenario, is it a best practice to migrate folders, groups from one environment to another or migrate folders to destination environment and assign groups to folders using CMC.
I don’t know if it is a best practice or not but we do not migrate users and groups between environments. We set up any new security in the target environment. Any existing security is inherited by any new report that is migrated up. This allows us to add new reports to a folder and the security structure already exists.
Also, we do not use BIAR files for our migration. We just do a straight migration from one environment to another. The only problem with this is when the report CUIDs get out of sync. Otherwise, we have never had any problems migrating reports in this manner.
We are using the same method to implement security, if we add a new report to existing folder, then it will inherit the security from the folder.
If we add a new folder, then we are applying the security in destination environment. As it is a manual step to apply the security, there is a chance to miss some step in applying the security. So we have a concern about applying the security in this way.
If the Groups are existing in both Dev and Prod. environments, and when we create a folder in Development, if we apply the security (i.e what groups can see this folder) in DEV and migrate this new folder along with groups, is it going to mess up production environment in any way?
I mean:
What will happen to those users (in production) belongs to these groups which we migrate from development along with new folder. Is it going to migrate just a relation between groups and folders, or it is going to work in different way.
In our environment, all the groups are LDAP groups.
I don’t know for sure but I would suspect that you could mess up your security settings in the target environment since it is dependant on LDAP. We use LDAP also. We usually have different security in the different environments and we don’t want the security migrated anyway.
If it is a new folder and you want to apply the security in Development and then migrate it up to Production, it wouldn’t over-write anything. I’ve never done it that way but I know that when Business Objects was first rolled out here that the security was all set up in Development and then migrated up through the environments to Production. We just don’t do it any more.
The down side to this is you could end up with a lot of people who have access to your development environment that never log in. We have been working to clean some of our users out that have never logged in.
(BOB member since 2005-04-20)