BusinessObjects Board

Conflict of user/group access rights to folders

Hello experts,

I am testing a couple of things and got into a strange situation. I created two different groups named group1 and group2. Also created a folder named folder1. To define the group rights over the folder, I added both the groups to the rights area of the folder and defined the access level for group1 to “view on demand” and for group2 to “No access”. I have a common user in both the groups. So to my understanding denial should take precedence over any other rights and the user should not be having access to the folder. But the user can see the folder and the reports inside it. There is no folder/sub-folder or group/sub-group concepts used here. Just 2 independent groups and 1 folder. We are using BOXI r2 SP4. Appreciate any help.


its_vicky07 :us: (BOB member since 2007-09-02)

Vicky,

It’s my understanding that when a user has two different access levels by virtue of two different groups, “most lenient” wins. For example, all users are in the “Everyone” group but most administrators will set that group to No Access, then grant specific rights to other groups. Any member of these “other” groups will have the specific permissions.

Jim


jwaterbury :us: (BOB member since 2007-09-21)

With all due respect to jwaterbury, the rule is very clearly “most restrictive” wins. The key here though is to understand what “No Access” really means. Don’t worry, this is a common misconception … maybe the term No Access is mislabeled.

No Access simply means that no SPECIFIC access has been assigned. If you look at No Access, you will see that all rights are “not specified.” From my presentation XI 3.0 Security for Mere Mortals …

Every right has three possibilities

  • Explicitly denied: Always takes precedence
  • Explicitly granted: Applies when otherwise not explicitly denied
  • Unspecified: Not explicitly granted or denied … considered denied

Therefore, conflicting rights are resolved as follows

  • Unspecified + Explicitly denied = Denied
  • Unspecified + Explicitly granted = Granted
  • Explicitly granted + Explicitly denied = Denied

Seems explicitly denied and unspecified are the same, right?

  • Would seem so, but unspecified is MUCH more flexible

Dwayne Hoffpauir :us: (BOB member since 2002-09-19)
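
The conflict rules from the post above, applied to the original folder1 scenario, as an added example that is not part of the thread and is not BusinessObjects code. The right names, the contents of each access level, and the user names are assumptions made for illustration; the last function flags users for whom a "No Access" assignment does not actually block access.

```python
from enum import Enum


class State(Enum):
    UNSPECIFIED = "not specified"
    GRANTED = "explicitly granted"
    DENIED = "explicitly denied"


def resolve(states):
    """Combine the states one right receives from all of a user's groups."""
    states = list(states)
    if State.DENIED in states:       # explicit deny always takes precedence
        return State.DENIED
    if State.GRANTED in states:      # grant applies when nothing denies it
        return State.GRANTED
    return State.UNSPECIFIED         # nothing assigned: considered denied


# Access levels as right -> state maps; a right missing from the map is
# unspecified. The right names are hypothetical, chosen for illustration.
NO_ACCESS = {}                                        # all rights unspecified
VIEW_ON_DEMAND = {"view": State.GRANTED, "refresh": State.GRANTED}
ADVANCED_DENY_VIEW = {"view": State.DENIED}           # set via "Advanced"


def effective_rights(user_groups, folder_acl):
    """Net state of every right for a user, given group -> level on a folder."""
    levels = [folder_acl[g] for g in user_groups if g in folder_acl]
    rights = sorted({r for level in levels for r in level})
    return {r: resolve(level.get(r, State.UNSPECIFIED) for level in levels)
            for r in rights}


def no_access_not_blocking(memberships, folder_acl):
    """Users in a No Access group who still hold a granted right elsewhere."""
    hits = []
    for user, groups in sorted(memberships.items()):
        in_no_access = any(folder_acl.get(g) == NO_ACCESS for g in groups)
        net = effective_rights(groups, folder_acl)
        if in_no_access and State.GRANTED in net.values():
            hits.append(user)
    return hits


# Constructed data mirroring the thread: one user in both groups on folder1.
MEMBERSHIPS = {"common_user": {"group1", "group2"}, "other_user": {"group2"}}
FOLDER1_AS_POSTED = {"group1": VIEW_ON_DEMAND, "group2": NO_ACCESS}
FOLDER1_WITH_DENY = {"group1": VIEW_ON_DEMAND, "group2": ADVANCED_DENY_VIEW}
```
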

Dwayne,

Thank you for the clarification. As usual, when the truth is revealed, “it all makes sense now”. I look forward to reviewing your presentation. Guess I’d better be a little more thorough checking my facts before responding!

:stupid:

Jim


jwaterbury :us: (BOB member since 2007-09-21)

Thank you Dwayne for your quick explanation. It works. Appreciate it. But I think we can go inside to change/modify the rights whether explicitly Granted, Denied or not specified, if and only if we have selected the access level as “ADVANCE”. If we have selected any other type of access rights then we can not go inside to manipulate the net access rights. Please let me know if we have any other way to define the explicit access rights. We are using BOXI r2 SP4 and Crystal Designer XI.


its_vicky07 :us: (BOB member since 2007-09-02)

For XIr2, you are correct. In XI 3.x, you can create custom access levels and avoid “Advanced” (aka, granular rights in XI 3.x). In either version though, the previous guidance on conflict resolution still applies.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)

Excellent. Thank you Dwayne for all your quick help and guidance… Appreciate it.


its_vicky07 :us: (BOB member since 2007-09-02)

Hi, Dwayne:

Your explanation is great. However, I still have a problem getting the right solution.

Here is the scenario for us. We have three users who can create ad hoc reports, they are in Ad Hoc group, so they have full control to the folder "Ad Hoc" and the universe. However, they are in the group ALR, having View On Demand rights to ALR reports. Now, they can only View, instead of creating reports, saving reports in InfoView, as the most restricted rights will be View On Demand.

Ad Hoc group is member of Report Designer group; ALR group is member of Report Users group.

What is the best way to solve this problem? This is a common scenario. Could you shed more light on it?

Environment: BO XI R2 SP4

Thank you very much.

Lilly


Lilly J (BOB member since 2002-08-22)

You’ve gone through great pains to point out the rights that users have to certain folders, but unfortunately that’s irrelevant. The key here is what rights the users have to the application (WebI, DeskI, etc.). The same “conflicting rights” rules apply though.

Indeed it is common, and the only option is to have two different ID’s. The security model does not allow application privileges to be applied to content objects (folders, universes, etc.). Well, with XI 3.x there is one exception … you can prevent create / edit of data providers on a universe-specific basis, but not against overall documents … but even that doesn’t apply to XIr2.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)