BusinessObjects Board

Object level security issue

Hi All,

I’m having a bit of an issue with some object level security within Business Objects…

I have a number of classes in the universe, say:
Sales
Quotes
Offers
Estimates

There are also user groups by the same name. The idea is that sales people can only see the objects within the sales class, offers people can only see objects in the offers class etc.
I can set that up via “manage access restrictions”.
The problem is if, e.g., I want somebody to view sales and quotes, if I add them to the sales and quotes groups they see nothing because by being in quotes they are blocked from seeing sales, and by being in sales they are blocked from seeing quotes.

So, I could create a second group… sales-quotes and assign the appropriate rights to them. The problem is I have 26 classes/groups and any combination is potentially possible, which means I’d need groups to satisfy all possible combinations, which obviously isn’t a practical solution.

Just wondered if anybody knew of any good ways around this?

Cheers!


Smoggie (BOB member since 2008-05-28)

I guess you have mixed up object level security with row level access restrictions.
Decide which one you want and a suggestion can be given



haider :es: (BOB member since 2005-07-18)

I don’t think I have, though perhaps I haven’t explained myself well?

I want to restrict objects (universe classes) based on user groups. The problem is I want to restrict a user group to be able to see only one universe class. That’s not an issue until a user is a member of two groups - I want that to result in them seeing two classes, but they actually get the more restrictive outcome of seeing no classes, i.e. an empty universe.

Does that make sense?

Cheers!


Smoggie (BOB member since 2008-05-28)

My apologies. Misread it.
Would need simulated tests but cannot say it may work.
Your requirement doesn’t have a one-one relationship and that makes it difficult.
Have you looked into the restriction options (and & or) and also the priority when the same user is a member of two groups with conflicting restrictions?



haider :es: (BOB member since 2005-07-18)

Smoggie, you didn’t say what version you are using, but what you are saying has been true for the legacy version - as covered in this Supervisor FAQ.


Anita Craig :us: (BOB member since 2002-06-17)

Sorry - yeah, a crucial piece of info missing there! We’re using XI R2 SP3.
The most restrictive rights seem to apply there too for object level security, I was just wondering if there was a solution to overcome this.

Haider, thanks for the suggestions - I’ve tried those and it doesn’t seem to make any difference in my scenario.


Smoggie (BOB member since 2008-05-28)

The only solution I can think of is to put the classes (and everything related to it) in separate universes. This way you can control access through access settings on the universes. There you can specify it in such a way that a user has access to none of the universes, except those to which you have explicitly granted access.
This would make sense to me as the classes represent different functional areas, targeting at different audiences.
Object level restrictions are easier used to distinguish the level of detail. So e.g. all users can access the gender attribute of an employee to slice data by gender, but only some can access the last name attribute of an employee to list detailed information per employee.


mschagen :netherlands: (BOB member since 2007-06-08)
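
The two behaviours discussed in this thread, as an added illustration that is not part of any post and is not BusinessObjects code: a small Python model of per-group restrictions combining to the most restrictive outcome versus explicit per-universe grants. The function names are hypothetical, and the model assumes that explicit grants accumulate across a user's groups, as the last reply suggests.

```python
# Added illustration: models the behaviour described in the thread.
# It does not call or reproduce any BusinessObjects API.
# Class/group names come from the first post; function names are hypothetical.

CLASSES = {"Sales", "Quotes", "Offers", "Estimates"}


def visible_with_restrictions(groups):
    """Single universe; each group hides every class except its own.

    Restrictions from all of a user's groups are combined, so a class
    stays visible only if no group hides it (most restrictive outcome).
    """
    hidden = set()
    for group in groups:
        hidden |= CLASSES - {group}
    return CLASSES - hidden


def visible_with_grants(groups):
    """One universe per class; nothing is granted by default.

    Each group is explicitly granted its own universe. Assumption:
    grants add up across the groups a user belongs to.
    """
    granted = set()
    for group in groups:
        granted |= {group} & CLASSES
    return granted


def combination_groups_needed(n_classes):
    """Groups required if every non-empty combination of classes
    needs a dedicated group (the workaround from the first post)."""
    return 2 ** n_classes - 1


if __name__ == "__main__":
    user_groups = ["Sales", "Quotes"]
    print("restrictions:", sorted(visible_with_restrictions(user_groups)))
    print("grants:      ", sorted(visible_with_grants(user_groups)))
    print("combination groups for 26 classes:", combination_groups_needed(26))
```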