No Access equal to Denied

system · February 4, 2009, 7:19pm

Does “No Access” equal denied in BO XI 3.1. In BO XI 3.1, if a user by belonging to two groups, has two rights
Full Control and No Access to a folder, would the user have no access to the folder or full control?

Does No Access = ‘Not specified’ like in previous versions?
If I want to deny the right, what right do I have to grant ( I do not see a deny right by default in BO XI 3.1). Since, I do not see a deny right, do I have to click advanced and explicitly deny the right or is No Access= deny?

ajq

anushajq (BOB member since 2005-02-22)

system · February 4, 2009, 8:17pm

No Access is the same as “Not Specified”. So if UserA belongs to GroupA (Which as No Access to FolderA), as well as GroupB (Which has Full Control of FolderA), he/she will have Full Control of FolderA.

MichaelWelter (BOB member since 2002-08-08)

system · February 4, 2009, 8:28pm

In short the user enjoys the greater right. Hope that helps.

zack (BOB member since 2007-08-02)

system · February 4, 2009, 9:09pm

Is this the same in BO XI 3.1 as well? If yes, how do I deny the right?

anushajq (BOB member since 2005-02-22)

SebastienGoiffon · February 4, 2009, 9:15pm

Same for all Xi platforms. You can explictly denied the right or set it to not specified in all the groups a user belongs to.

system · February 5, 2009, 12:35am

Four fantastic recommendations when building a security model:

Use “Not Specified” instead of “Explicitly Denied” whenever possible
Do not break inheritance
Assign Access Rights at the Group/Folder level (not at the indivudual report/user level); even if you have just one user, create a group for that user and assign rights to that group instead.
Build a security matrix (in MS Excel, etc.) documenting your security design

Andreas (BOB member since 2002-06-20)

SebastienGoiffon · February 5, 2009, 8:04am

It’s true for Xir2 but quite different for Xi3.x. Since you can override an explictly denied right without breaking inheritance you could now use this right…

system · February 5, 2009, 4:52pm

So, everyone equals ‘Not Specified’…so why have that right at all?

Also, if I do not override inherited rights and Everyone is set to Not Specified and since that user belongs to the group from which it is inheriting and also belongs to Everyone…which right would user have?

anushajq (BOB member since 2005-02-22)

system · February 5, 2009, 7:21pm

From my XI 3.0 Security for Mere Mortals presentation:

The idea is that if a user is never given a right (it remains unspecified), they won’t have that right. It is true that you get exactly the same effect if you Deny the right for the Everyone group. However, if you ever DO want a user to have that right, you have to break inheritance to do so. Much more difficult to maintain in the long run.

Dwayne Hoffpauir (BOB member since 2002-09-19)

system · February 6, 2009, 1:22am

Thanks Dwayne for your wonderful presentation and explanation…makes things a lot clearer.

I do wish, however that instead of ‘No Access’ they had called it unspecified.

No Access makes it feel like it gives a denied right- instead it a ‘Not Specified’ right.

anushajq (BOB member since 2005-02-22)

system · February 6, 2009, 10:14am

Well, true with XI R3.x one can trump rights (without breaking inheritance), still I recommend using “Not Specified/No Access” instead of “Explicitly Denied”.

Andreas (BOB member since 2002-06-20)