I have read several of the postings, and even downloaded one presentation about XI 3.0 Security for mere mortals. I still haven’t really found the answer I am looking for. I am working with XI 3.0 in the example below.
I want to create custom access levels, so I keep the default access levels in their default condition. I want three levels:
- View Only
Truly just double-click on report or only be able to select View as an option from the right-click menu. Users would get the default WebI report with absolutely no ability to change it (adding reports/charts…changing ranking/sorting/breaks/etc).
- Interactive
This level would be able to Modify the WebI document and “interact” with the report changing it in any way possible up to the point of doing an “Edit Query”. When looking at Advanced, I think this is accomplished by selecting just about all of the WebI rights that have “Interactive” in their description.
- Full Control
Typical full control, no changes to default required. Can add/delete objects, which implies being able to Edit Query, etc.
My biggest issue seems to be in finding the right combination of rights to only allow “View” access. Truthfully, I would like the access level to permit view/view on demand/schedule…just NOT MAKE ANY CHANGES to the WebI document.
The ability to “author” reports (create, change, etc.) is controlled by WebI application rights. The ability to view, refresh, schedule is controlled by the folder holding the documents. Get that separation clear in your mind, and the solution becomes (almost embarrassingly) simple.
Go to the application privileges, WebI, and under General rights (not specific rights), override / grant ONLY the right to Log on to Web Intelligence and view this object in the CMC. ALL other rights should remain Not specified. By the way, if you look in the spreadsheet attached to the Mere Mortals presentation, you will see this on the App rights - Refresh custom access level.
Now go to the folder rights, and you can choose view, refresh, schedule as needed.
Thanks for the reply. Yes, I had already tinkered with both sets of rights for the Infoview and WebI “applications” as I tried to restrict. Basically, I can get to the point where denying rights to all of the scheduling options removes the Schedule link from the right-click menu.
I can also get the rights (default “View” rights will do it), so that the New/Web Intelligence menu option does not appear.
My issue is getting that “Modify” menu to no longer appear in the right-click menu. If you remove the Java and HTML report panels, then you can get to the point where selecting “Modify” will give you a message like “user must have rights to at least one report panel”, and it doesn’t proceed. However, nobody likes the user to end with an “error”. It would be best to get that “Modify” link to conditionally disappear like the “Schedule” and “New/WebI document” menu options.
You are quite welcome! The security model is capable of things that are quite complex. After spending hours with the manuals and even more hours doing trial and error testing for our own implementation, I know it is possible to create quite a robust security model and STILL keep it simple (relatively speaking, of course).
(BOB member since 2006-06-13)