BusinessObjects Board

FYI: Deski - security leak with restrictions!

When you have restrictions (object/row/table) set on a universe, Deski will ignore all those restrictions when your account gets disabled in a 2nd Deski session.

Account can get disabled when e.g. “Disable account after N failed attempts” is set in CMC.

Example:

  • open a 1st DeskI session and create a report on a restricted universe. Security and restriction are applied correctly (e.g. cannot see object “salary”). Do not close this session.

  • open a 2nd DeskI session. Now log in several times with a wrong password, until your account gets disabled

  • when your account is disabled, go back to the 1st Deski session and edit the data provider … all restrictions are ignored! So e.g. the object “salary” is suddenly visible and can be queried!

The problem is still there in FP2.4. I reported the problem to support, so the earliest this will be solved is in the next FixPack.

Meanwhile, I do not use “Disable account after N failed attempts”. This way users cannot disable an account themselves.

Foad


fta :belgium: (BOB member since 2006-11-16)

Hi,

Thanks for that feedback. But it is easy to understand. Restrictions are stored within the CMS. Thus as soon as you lock the user account there is no longer any communication between the CMS and Deski.

If for example you go into the CMC and lock the report for that user, or deny him the right to use Deski, it will probably be the same behaviour.

Regards
Sebastien

We (I mean Substring and I) have always said on this Board not to manage row-level restrictions within the Designer but directly within the dwh itself.

Your problem is a concrete example explaining why it’s better to do this at dwh level.

thanks for that :wink:

Regards

In BO6 however, you don’t have this behaviour.

While you can still continue refreshing your report when you disable your account, you don’t see restricted objects/rows/tables.

In DeskI this is the case.

Foad


fta :belgium: (BOB member since 2006-11-16)

Correct, but in BO6 you don’t really communicate with the repo, I mean only when you log on. The architecture is really different now. You found a very good security leak :mrgreen:

Regards

A couple of months ago I had another issue:

Just try a Deski version before MHF1 in 2-tier mode, and make a report on a restricted universe … you will see everything!

Even when the XI server had e.g. SP2.

Foad


fta :belgium: (BOB member since 2006-11-16)

Sebastien,

Do you have any good references about setting up row/object/table mapping security at dwh level?

For row security I guess you need to create tables to join with where you specify what data a user can see.

Regards,

Foad


fta :belgium: (BOB member since 2006-11-16)
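The mapping-table approach Foad describes, written out as an added example (this is not code from any poster in the thread or from BusinessObjects). All table, column and role names (employee_fact, user_region_access, employee_secure, reporting_role) are assumed for illustration, and the sample rows are constructed. The point is that the row filter and the hidden “salary” column live in the database, so they keep applying whatever happens to the CMS or the BO account:

```sql
-- Added example (not from the thread): row- and object-level restrictions
-- enforced in the warehouse instead of in Designer.
-- Table, column and role names are assumed; the sample data is constructed.

-- Base fact table. The reporting role never gets direct SELECT on it.
CREATE TABLE employee_fact (
    employee_id  INTEGER PRIMARY KEY,
    region       VARCHAR(20)   NOT NULL,
    department   VARCHAR(40)   NOT NULL,
    salary       DECIMAL(12,2) NOT NULL
);

-- Mapping table: which database login may see which region.
CREATE TABLE user_region_access (
    login   VARCHAR(64) NOT NULL,
    region  VARCHAR(20) NOT NULL,
    PRIMARY KEY (login, region)
);

-- Constructed sample data.
INSERT INTO employee_fact VALUES (1, 'BE', 'Finance', 52000.00);
INSERT INTO employee_fact VALUES (2, 'NL', 'Finance', 58000.00);
INSERT INTO employee_fact VALUES (3, 'BE', 'IT',      61000.00);

INSERT INTO user_region_access VALUES ('foad',  'BE');
INSERT INTO user_region_access VALUES ('alice', 'BE');
INSERT INTO user_region_access VALUES ('alice', 'NL');

-- Row restriction: the join with the mapping table filters on the *database*
-- session user, evaluated by the database at query time.
-- Object restriction: the salary column is simply not part of the view.
CREATE VIEW employee_secure AS
SELECT f.employee_id, f.region, f.department
FROM   employee_fact f
JOIN   user_region_access a
  ON   a.region = f.region
WHERE  a.login = CURRENT_USER;   -- SESSION_USER or USER() on some platforms

-- The universe is built on the view only; the fact table stays unreachable.
REVOKE ALL    ON employee_fact   FROM reporting_role;
GRANT  SELECT ON employee_secure TO   reporting_role;

-- Connected as 'foad', this returns only the two BE rows and no salary column.
SELECT * FROM employee_secure;
```

This only holds when each report user reaches the warehouse with their own database login, so that CURRENT_USER really is the end user. With a single shared connection account in the universe, CURRENT_USER is the service account and the filter would have to be driven by an identity passed from the client, which brings the dependency on the BO session back in.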

Foad,

Have a look at this post; it could probably help you. Especially the presentation made by Steve.

Regards
Sebastien

The same problem exists if you stop the CMS service.

Suddenly all the restrictions are ignored and all active Deski users can suddenly see all the data when they refresh their reports.

BO is working on it.

Foad


fta :belgium: (BOB member since 2006-11-16)