So in XI would it make sense to have a folder for the Company ABC and sub folders(Clarify,Oracle Apps, Siebel). Also subfolders inside each of these apps for row and emea.
Finally, create groups Clarify-row,Clarify_emea, Oracle-Apps-row,Oracle-Apps-emea,Siebel-Row, Siebel-Emea.
Each of these groups would then be assigned to the corresponding folder.
The answer, like in most cases, is “it depends.” If you essentially have six different groups with access to six different sets of reports, then yes your proposal sounds reasonable. Keep it simple wherever possible.
The XI security model is quite flexible, and you can put together very sophisticated schemes. That flexibility makes it very easy to get overly complicated though, and unintentionally create a maintenance nightmare. I base that statement not on actual experience yet, since we are just beginning to scope a security schema, but I can clearly see how you can get into trouble.
This is my understanding so far. Rights can be defined for the following:[list]Groups (hierarchical) and users within groups
Folders (hierarchical) and objects within folders
Categories (hierarchical) that can be attached to objects[/list]Conflicting rights are “settled” in favor of denied. Rights by default are “inherited” within each hierarchy, but if never defined explicitly are assumed denied. However, “inheritance” can be turned off. See … extremely flexible, but can get complicated in a hurry.
Just to clarify this - conflicting Acces rights will be denied.
but if 1 user is a member of 2 groups they will inherit the maximum of all rights granted. (i.e. not if they have access or not but what types of things they can do once access is granted - important distinction)
in others words, user A is a member of group 1 with view rights, and group 2 with schedule rights (for a particular folder). They will inherit schedule rights for that folder.
(BOB member since 2002-09-19)