command restrictions

Hi to all!

I have a little question about command restrictions (application’s [Designer, Supervisor etc.] properties) - by default all commands are inherit, but when I checked Root group I saw that also for root group command restrictions are inherit. INHERIT FROM WHAT/WHO? THAT IS ROOT GROUP!

P.S. How I checked practically all command restrictions to root group are “enabled” (practically) although are written inherit. IS THAT RIGHT?


Listserv Archives (BOB member since 2002-06-25)

I just read inherit to mean ‘granted at what level’… If your root group says its rights are inherited from the root group, that just means that something was set at that level - in my repository (I just checked), I am in the same boat… I just read that as my starting point is this - whatever I see at a lower level started out looking like this level…

Once you make a change, the inheritance will carry on down from that point…

Make sense?

Brent

I have a little question about command restrictions (application’s [Designer,
Supervisor etc.] properties) - by default all commands are inherit, but when
I checked Root group I saw that also for root group command restrictions are
inherit. INHERIT FROM WHAT/WHO? THAT IS ROOT GROUP!

P.S. How I checked practically all command restrictions to root group are
“enabled” (practically) although are written inherit. IS THAT RIGHT?


Listserv Archives (BOB member since 2002-06-25)

I have a question on the restrictions within Supervisor. I have made it at the highest level that people can’t publish documents and then given permission to certain people to publish documents. This stays in place until sometimes when I do a scan and repair. Then the restriction on the publish goes away and I have to put it back into place. This doesn’t happen all the time. Is there something I am missing as to why it will disappear?

I just read inherit to mean ‘granted at what level’… If your root group says its rights are inherited from the root group, that just means that something was set at that level - in my repository (I just checked), I am in the same boat… I just read that as my starting point is this - whatever I see at a lower level started out looking like this level…

Once you make a change, the inheritance will carry on down from that point…

Make sense?


Listserv Archives (BOB member since 2002-06-25)

I haven’t seen that problem, but have you run a compact and a scan / repair?

Command restrictions are supposed to be the most restrictive of ____ … If you have a user in 3 groups, and in one of those groups you turn something off (publish), that user should not be able to publish…

You can reverse things in straight inheritance with Force to Enabled, but you may want to look into reversing how you are set up - turn things off at the lower levels, not try and turn things back on…

Brent


Listserv Archives (BOB member since 2002-06-25)

When I did the scan/repair/compact is when the restrictions would disappear. Your idea of reversing may work, but I will have to do a lot of thinking on it. I control 6 different universes in this one domain. In 1 of the 6 universes, person A may be a publisher but in the other groups person A can’t publish. We have six people who are allowed to publish (2 can publish in all universes, the others are only allowed to publish in certain universes but do have access in these other universes). I really don’t want to have two groups for each universe (1 group that can publish and the other can’t). Since I have over 100 in each of the universes this is a lot of userids I have to check each morning to see if someone got locked out. We are on the upswing of deployment and these numbers are going to climb.

From: Douglas, Brent [SMTP:bd150002@EXCHANGE.DAYTONOH.NCR.COM] Sent: Friday, February 11, 2000 8:54 AM

I haven’t seen that problem, but have you run a compact and a scan / repair?

Command restrictions are supposed to be the most restrictive of ____ … If you have a user in 3 groups, and in one of those groups you turn something off (publish), that user should not be able to publish…

You can reverse things in straight inheritance with Force to Enabled, but you may want to look into reversing how you are set up - turn things off at the lower levels, not try and turn things back on…

Brent

From: Howard Ruth A CNIN [SMTP:howard_r@CRANE.NAVY.MIL] Sent: Friday, February 11, 2000 8:46 AM

I have a question on the restrictions within Supervisor. I have made it at
the highest level that people can’t publish documents and then given
permission to certain people to publish documents. This stays in place
until sometimes when I do a scan and repair. Then the restriction on the
publish goes away and I have to put it back into place. This doesn’t happen
all the time. Is there something I am missing as to why it will disappear?

Pls report bounces in response to postings to BUSOB-L-Request@listserv.aol.com
Web archives (24 hrs. a day now!): listserv.aol.com/archives/busob-l.html
OR search: Mail to listserv@listserv.aol.com, ‘search a_phrase in BUSOB-L’
Unsubscribe: Mail to listserv@listserv.aol.com, ‘unsubscribe BUSOB-L’


Listserv Archives (BOB member since 2002-06-25)

I was running into the same problem with restrictions being removed after a scan and repair of the security domain when using version 4.1.1. This problem went away after I upgraded Supervisor to version 4.1.6.

Kerry

Howard Ruth A CNIN wrote:

I have a question on the restrictions within Supervisor. I have made it at the highest level that people can’t publish documents and then given permission to certain people to publish documents. This stays in place until sometimes when I do a scan and repair. Then the restriction on the publish goes away and I have to put it back into place. This doesn’t happen all the time. Is there something I am missing as to why it will disappear?


Listserv Archives (BOB member since 2002-06-25)

That makes me feel better - we are testing our 5.0.1 version right now so I guess this problem will go away when we go production.

I was running into the same problem with restrictions being removed after a scan
and repair of the security domain when using version 4.1.1. This problem went
away after I upgraded Supervisor to version 4.1.6.

Kerry


Listserv Archives (BOB member since 2002-06-25)

I think we may be saying different things… You can not turn off the ability for a user to use a command for just one group… You can allow a user to do something, publish let’s say, and you can control access to universes, but you can not say this user is a publisher in this group, but not in this group.

If you mean publish universes, you can set that by user profile - eg a User vs a Designer… but functions like Edit FreeHand Sql, Publish Corporate Documents, etc - those are set for that user only - once a non-publisher, always a non-publisher… you could set your groups up so that you have 10 people with access to the universe, 2 of them can publish updates - does that sound like what you want?

Make sense? I know it’s confusing, but …

Brent

When I did the scan/repair/compact is when the restrictions would disappear.
Your idea of reversing may work, but I will have to do a lot of thinking on
it. I control 6 different universes in this one domain. In 1 of the 6
universes, person A may be a publisher but in the other groups person A can’t
publish.


Listserv Archives (BOB member since 2002-06-25)

I am talking about publishing documents. I have certain people who have access to all universes but they are the expert in one of the universes and so they are the ones that publish/change/delete documents for that one universe.
So if I understand you right - Person A has permissions to universes 1 & 2, person A has permissions to publish in Universe 1 but not in universe 2 - this is not right and that they should be only allowed to either be a publisher or not publish in all universes?

From: Douglas, Brent [SMTP:bd150002@EXCHANGE.DAYTONOH.NCR.COM] Sent: Friday, February 11, 2000 9:46 AM

I think we may be saying different things… You can not turn off the ability for a user to use a command for just one group… You can allow a user to do something, publish let’s say, and you can control access to universes, but you can not say this user is a publisher in this group, but not in this group.

If you mean publish universes, you can set that by user profile - eg a User vs a Designer… but functions like Edit FreeHand Sql, Publish Corporate Documents, etc - those are set for that user only - once a non-publisher, always a non-publisher… you could set your groups up so that you have 10 people with access to the universe, 2 of them can publish updates - does that sound like what you want?

Make sense? I know it’s confusing, but …

Brent

When I did the scan/repair/compact is when the restrictions would disappear.
Your idea of reversing may work, but I will have to do a lot of thinking on
it. I control 6 different universes in this one domain. In 1 of the 6
universes, person A may be a publisher but in the other groups person A can’t
publish.



Listserv Archives (BOB member since 2002-06-25)

What I am saying is that if your user A can publish and has access to domains, you can’t stop him from publishing to that domain without either taking away that domain OR shutting off publishing completely. If there is a way around this, it MAY be in the user profile that you choose for a group - back to Supervisor, Supervisor-Designer, User, etc… but I don’t think that will help here. I know you have to be a designer to export a universe, be a supervisor to add users, etc, but I don’t think that applies to publishing…

I stopped using the word universe, I was misusing it - you really publish to a document domain.

If you find something else out, please let me / us know - I do a lot of security work in this place, and I could use some workarounds…

Brent

I am talking about publishing documents. I have certain people who have
access to all universes but they are the expert in one of the universes and
so they are the ones that publish/change/delete documents for that one
universe.
So if I understand you right - Person A has permissions to universes 1 & 2,
person A has permissions to publish in Universe 1 but not in universe 2 -
this is not right and that they should be only allowed to either be a
publisher or not publish in all universes?


Listserv Archives (BOB member since 2002-06-25)

In a message dated 00-02-11 09:56:07 EST, you write:

So if I understand you right - Person A has permissions to universes 1 & 2,
person A has permissions to publish in Universe 1 but not in universe 2 - this is not right and that they should be only allowed to either be a publisher or not publish in all universes?

At issue is the fact that permissions are granted by User and Group and not by Universe. This is a common question…

For example, if you want to allow User A to create new documents with Universe 1, but only be able to refresh documents with Universe 2, then your only option is to create two user logins. User A-1 can access only Universe 1, and can create / refresh / whatever they want. But they cannot see Universe 2 at all. For that they must log in as User A-2, where they cannot create new documents, cannot see Universe 1, but can see Universe 2.

Again, commands are restricted by User and Group, not by Universe or other resource.

Regards,
Dave Rathbun
Integra Solutions
www.islink.com


Listserv Archives (BOB member since 2002-06-25)

Maybe I am too stupid or I don’t know English language good enough but I don’t understand what you said.

Please tell simpler - If in the root user’s group command restrictions are inherit what that mean? Enabled? Disabled? Root group CAN’T inherit anything because IT IS ROOT GROUP, IT’S HIGHEST LEVEL!


Listserv Archives (BOB member since 2002-06-25)

Think about it from the other side - groups below the Root level will inherit these functions…

I think that makes it easier to understand. If you change a command in a subgroup, it will say that subgroup’s name in the Inherited box - groups below that will inherit that change…

It IS a little confusing, it’s not you.

BUT, I think the benefit in this is that you can see where a command was changed - if you are 5 or 6 levels deep, you don’t have to look at each group to see where a change was set. If the Inherited box says the Root, it was not changed in any of the groups between you and the root.

Good luck,
Brent

Maybe I am too stupid or I don’t know English language good enough but I
don’t understand what you said.

Please tell simpler - If in the root user’s group command restrictions are
inherit what that mean?


Listserv Archives (BOB member since 2002-06-25)

We are running BO 5.1. How do you view the command restrictions category that is applied to the user i.e… expert, novice using supervisor?


Listserv Archives (BOB member since 2002-06-25)

Select the user, then right click on the module you wish to restrict and select properties from the drop down menu. Or select the user, select the module, and then click the button on the ‘standard’ toolbar with the blue circled ‘i’. ‘Apply Predefined Settings’ is the button you want to click in the window that appears. Another window appears containing a drop down list box holding expert, novice etc.

We are running BO 5.1. How do you view the command restrictions category that is applied to the user i.e… expert, novice using supervisor?


Listserv Archives (BOB member since 2002-06-25)

I am trying to build a universe using the objects in our repository to create reports for our security settings. We would like to see the command restrictions we set for our groups and users. I am unable to find an object in the repository that contains the command restrictions.
Does anyone know where to find this? Has anyone successfully created a universe for security reporting? Any pointers to documentation would be appreciated as well.

Thank You for any help or suggestions,

Martina


Listserv Archives (BOB member since 2002-06-25)

Does anyone have the SQL to query the repository tables to get a list of all the command restrictions and whether they are enabled or disabled for a user?
The documentation on the CD is not much help. Thanks,
Joanne


Listserv Archives (BOB member since 2002-06-25)

The following SQL will get you the user or predefined profile name, status (enabled, disabled or hidden) and BO’s internal number that represents the command restriction.

SELECT
    OBJ_M_ACTOR.M_ACTOR_C_NAME,
    OBJ_M_RESLINK.M_RES_N_STATUS,
    OBJ_M_RESLINK.M_RES_N_RESID
FROM
    OBJ_M_ACTOR,
    OBJ_M_RESLINK,
    OBJ_M_ACTORLINK
WHERE
    ( OBJ_M_ACTORLINK.M_ACTL_N_ACTORID = OBJ_M_ACTOR.M_ACTOR_N_ID )
    AND ( OBJ_M_RESLINK.M_RES_N_ACTLINKID = OBJ_M_ACTORLINK.M_ACTL_N_ID )
    AND ( OBJ_M_ACTOR.M_ACTOR_N_LAT <> 1 )
    AND ( OBJ_M_RESLINK.M_RES_N_LAT <> 1 )
    AND ( OBJ_M_RESLINK.M_RES_N_RESTYPE = 7 )

The problem is matching the resid number to the name of the command it represents. Business Objects does not provide any documentation so you have to figure it out yourself. Also, you can not directly see what is inherited or the commands that take the BO defaults.

Barbara Rosen
Lead Business Objects Administrator
Salomon Smith Barney


Listserv Archives (BOB member since 2002-06-25)

Barbara,

there are most of the Codes documented in the freeware directory of the CD (see table OBJ_M_RESLINK and follow the link to the RESID column…)

But I think, the list is not complete. And, what was already mentioned: the inherited rights cannot be seen directly.

Walter


Listserv Archives (BOB member since 2002-06-25)

Here’s a partial listing from freeware/repository.htm:

"M_RES_N_RESID","SECURITY_LABEL","SECURITY_APPLICATION","SECURITY_VERSION","SECURITY_FAMILY"
36,"New Universe","Designer","Universe"
37,"Export Universe","Designer","Universe"
38,"Import Universe","Designer","Universe"
39,"Link Universe","Designer","Universe"
40,"New List of Values","Designer","Universe"
41,"Export List of Values","Designer","Universe"
42,"Create, modify and remove connection","Designer","Connection"
93,"Show table or object values","Designer","Universe"
97,"View all secured connections","Designer","Connection"
131,"Prevent from Overwriting Universe","Designer","4.1","Universe"
3,"Create Documents","BusinessObjects","Documents"
5,"Refresh Documents","BusinessObjects","Documents"
6,"Save Documents","BusinessObjects","Documents"
7,"Print Documents","BusinessObjects","Documents"
9,"Use Templates","BusinessObjects","Documents"
10,"Create Templates","BusinessObjects","Documents"
13,"Send Documents to Repository","BusinessObjects","Documents"
14,"Send Documents for Scheduled Processing","BusinessObjects","Documents"
15,"Send Documents to MAPI","BusinessObjects","Documents"
16,"Use Queries","BusinessObjects","Query Technique"
17,"View Query Results","BusinessObjects","Query Technique"
18,"View Query SQL","BusinessObjects","Query Technique"
19,"Edit Query","BusinessObjects","Query Technique"
20,"Edit Query SQL","BusinessObjects","Query Technique"
21,"Edit Lists of Values","BusinessObjects","Query Technique"
22,"Refresh Lists of Values","BusinessObjects","Query Technique"
23,"Use User Objects","BusinessObjects","Query Technique"
24,"Use Stored Procedures","BusinessObjects","Stored Procedure"
25,"Edit Stored Procedures","BusinessObjects","Stored Procedure"
26,"Use Free-hand SQL","BusinessObjects","Free-hand SQL"
27,"Edit Free-hand SQL Scripts","BusinessObjects","Free-hand SQL"
28,"Use Personal Data Files","BusinessObjects","Personal Data Files"
29,"Edit Personal Data Files","BusinessObjects","Personal Data Files"
30,"Create Scripts","BusinessObjects","Scripting"
32,"Create and Edit Connections","BusinessObjects","Connection"
33,"Work in Drill Mode","BusinessObjects","Analysis"
34,"Work in Slice-and-Dice Mode","BusinessObjects","Analysis"
35,"Use Lists of Values","BusinessObjects","Query Technique"
77,"Import Scripts","BusinessObjects","Scripting"
80,"Retrieve Documents from Other Users","BusinessObjects","Documents"
81,"Retrieve Documents from Scheduled Processing","BusinessObjects","Documents"
82,"Retrieve Documents from Repository","BusinessObjects","Documents"
83,"Send Documents to Other Users","BusinessObjects","Documents"
84,"Use Document Agent Console","BusinessObjects","Documents"
94,"Work with Web Server","BusinessObjects","Documents"
95,"Export Scripts","BusinessObjects","Scripting"
117,"Work with BusinessMiner","BusinessObjects","Analysis"
118,"Copy to Clipboard","BusinessObjects","Documents"
119,"Export to External Format","BusinessObjects","Documents"
120,"Execute Scripts","BusinessObjects","Scripting"
123,"Use Essbase data","BusinessObjects","Multidimensional Data"
124,"Use Express data","BusinessObjects","Multidimensional Data"
129,"Report Interactions","BusinessObjects","4.1","Documents"
130,"Attach Scripts to Scheduled Processing","BusinessObjects","4.1","Documents"
142,"Do not always regenerate SQL","BusinessObjects","4.1","Query Technique"
143,"SAP Data Provider","BusinessObjects","4.1"," "
147,"Edit Essbase Query","BusinessObjects","4.1","Query Technique"
148,"Edit Express query","BusinessObjects","4.1","Query Technique"
149,"Edit MetaCube query","BusinessObjects","4.1","Query Technique"
150,"Work with SAP","BusinessObjects","4.1","Analysis"
151,"Document Interactions","BusinessObjects","4.1","Documents"
152,"Data Provider Manipulation","BusinessObjects","4.1","Documents"
44,"Change Profile","Supervisor","Configuration"
45,"Create User","Supervisor","User and Group"
46,"Delete User","Supervisor","User and Group"
47,"Disable/Enable User","Supervisor","User and Group"
48,"Create Group","Supervisor","User and Group"
49,"Delete Group","Supervisor","User and Group"
51,"Change Command Attributes","Supervisor","Configuration"
52,"Link Universe","Supervisor","Universes"
53,"Disable/Enable Universe","Supervisor","Universes"
54,"Unlink Universe","Supervisor","Universes"
55,"Delete Universe","Supervisor","Universes"
56,"Edit Universe Attributes","Supervisor","Universes"
57,"Link Stored Procedure","Supervisor","Stored Procedure"
58,"Unlink Stored Procedure","Supervisor","Stored Procedure"
59,"Link Document","Supervisor","Document"
60,"Disable/Enable Document","Supervisor","Document"
62,"Unlink Document","Supervisor","Document"
63,"Delete Document","Supervisor","Document"
64,"Link Domain","Supervisor","Repository"
65,"Unlink Domain","Supervisor","Repository"
66,"Create/Edit Connection","Supervisor","Connection"
67,"Disable/Enable Stored Procedure","Supervisor","Stored Procedure"
68,"Disable/Enable Domain","Supervisor","Repository"
96,"View all secured connections","Supervisor","Connection"
98,"Delete Script","Supervisor","Document"
99,"Delete List of Values","Supervisor","Document"
100,"Edit User/Group Properties","Supervisor","User and Group"
101,"Rename User/Group","Supervisor","User and Group"
102,"Remove User from Group","Supervisor","User and Group"
154,"Add Timestamps","Supervisor","4.1","User and Group"
155,"Add to Group","Supervisor","4.1","User and Group"
132,"Save Document","WebIntelligence","4.1","Document"
134,"Send Document to Repository","WebIntelligence","4.1","Document"
135,"Send Document to Users","WebIntelligence","4.1","Document"
136,"Read Favorite Documents","WebIntelligence","4.1","Document"
137,"Read Documents sent by Users","WebIntelligence","4.1","Document"
138,"Read Corporate Documents","WebIntelligence","4.1","Document"
139,"New Query","WebIntelligence","4.1","Query"
140,"Edit Query","WebIntelligence","4.1","Query"
141,"Refresh Query","WebIntelligence","4.1","Query"
145,"Refresh Lists of Values","WebIntelligence","4.1","Query"
146,"Remove Document from Repository","WebIntelligence","4.1","Document"
103,"New Query","BusinessQuery","Queries"
104,"Insert Query","BusinessQuery","Queries"
105,"Edit Query","BusinessQuery","Queries"
106,"Refresh Query","BusinessQuery","Queries"
107,"Rename Query File","BusinessQuery","Queries"
108,"Retrieve From","BusinessQuery","Queries"
109,"Send To","BusinessQuery","Queries"
110,"Delete Query File","BusinessQuery","Queries"
112,"Remove Query from Workbook","BusinessQuery","Queries in Workbook"
113,"Modify Query in Workbook","BusinessQuery","Queries in Workbook"
115,"Universes","BusinessQuery","Miscellaneous"
121,"Autologin","BusinessQuery","Miscellaneous"
122,"Autoload","BusinessQuery","Miscellaneous"
125,"Refresh Lists of Values","BusinessQuery","Queries"
126,"Edit Lists of Values","BusinessQuery","Queries"


Listserv Archives (BOB member since 2002-06-25)
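
Added example, not part of the original thread: a Python sketch that joins the three columns returned by the repository query above to the command names in the partial listing, flagging any resid the listing does not cover. The function names and the query rows are constructed for illustration; status numbers are passed through undecoded because the thread does not give their meaning, and inherited settings do not appear because the query only returns explicitly stored rows.

```python
import csv
import io

# A few rows copied from the partial listing above. The header names five
# columns, but rows for commands without a version carry only four fields.
LISTING = '''\
13,"Send Documents to Repository","BusinessObjects","Documents"
26,"Use Free-hand SQL","BusinessObjects","Free-hand SQL"
27,"Edit Free-hand SQL Scripts","BusinessObjects","Free-hand SQL"
37,"Export Universe","Designer","Universe"
131,"Prevent from Overwriting Universe","Designer","4.1","Universe"
143,"SAP Data Provider","BusinessObjects","4.1"," "
'''

# Constructed sample of what the query returns:
# (M_ACTOR_C_NAME, M_RES_N_STATUS, M_RES_N_RESID). Values are illustrative.
QUERY_ROWS = [
    ("PUBLISHERS", 1, 13),
    ("jdoe", 0, 27),
    ("jdoe", 0, 999),   # resid that is absent from the listing
]


def parse_listing(text):
    """Return {resid: {label, application, version, family}} from the CSV."""
    commands = {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row:
            continue
        if len(row) == 4:          # version column omitted in the listing
            resid, label, app, family = row
            version = None
        elif len(row) == 5:
            resid, label, app, version, family = row
        else:
            raise ValueError(f"unexpected field count: {row!r}")
        commands[int(resid)] = {
            "label": label,
            "application": app,
            "version": version,
            "family": family.strip(),
        }
    return commands


def label_restrictions(rows, commands):
    """Replace each resid with 'Application: Label'; keep status as stored."""
    report = []
    for actor, status, resid in rows:
        cmd = commands.get(resid)
        if cmd is None:
            # The listing is partial, so surface the gap instead of guessing.
            name = f"UNMAPPED resid {resid}"
        else:
            name = f'{cmd["application"]}: {cmd["label"]}'
        report.append((actor, name, status))
    return sorted(report)


def unmapped_resids(rows, commands):
    """Resids seen in the repository that still need a name looked up."""
    return sorted({resid for _, _, resid in rows} - commands.keys())


if __name__ == "__main__":
    cmds = parse_listing(LISTING)
    for line in label_restrictions(QUERY_ROWS, cmds):
        print(line)
    print("unmapped:", unmapped_resids(QUERY_ROWS, cmds))
```
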