We want to implement a role base security in XI and we have the following scenerio:
market store
m0001 00001
m0001 00002
m0002 00003
m0002 00004
I would like to set up roles like MktMgr, StoreMgr, etc. But I would also like to set up variables for each role to distinguish which store the store manager belongs to.
Now correct me if I am wrong, the Users and Groups in CMC do not allow this kind of set up. So does anyone has a workaround? I hate to have to assign a role for each individual store manager because we have almost 3000 stores.
I know I can also validate each store manager’s store number by bouncing off the Org dimension table in our data marts. But I try to resolve this within CMC as much as possible.
If you have that many combinations, I would think you would want to keep it in a table. You would then let Designer or Business Views enforce it based on the user ID. I’m still new to the XI security structure, but I’m not following exactly what you mean by a CMC solution. Are you thinking something similar to the universe overrides done in Supervisor in v5 / v6?
Yeah, I am still learning all these XI security stuff and it is so different from the legacy BO.
Well, we have already set up an Organization dimension table in the Business Objects Warehouse. I am hoping that I can set up roles and then assign variables based on the values in the Org table. For example, John Smith’s role is StoreMgr, and his variable is store 00001. That means he can only access reports pertain to store 00001 only and not any other store. By using such combination, I can avoid setting up thousands of roles which is redundant to our Org table. We have more than 14,000 employees who can be potential users!
I have read the 2002 User Conference presentation from Steve (I think). His security schema idea is great. However, correct me if I am wrong, it is for universe security. But what about folder level security?
If anyone who has implement XI security for large number of users (in thousands or tens of thousands), I would like to hear how you pulled it off. By the way, I am planning to attend the XI Security breakout session in the User Conference and I will be asking a lot of questions.
Any help, suggestion or idea will be very much appreciated.
I’m not sure about folder level, but group level is supported in business views. In the business view, you create a filter and as part of the definition you associate it with a group.
I “think” i understand what you are asking, though I’ll admit i am a bit confused at your use of the words - role and variable - in this instance.
Dwayne touched upon it…if this is already in the database you should not have to do anything at a group or user level in the CMC.
Are you ultimately trying to achieve ‘row level access/security’? if so, and you have that many users, you are aksing for maintenence nightmares to set up individual groups or ‘roles’. let the db do the work in the form of a user/role table.
Xi security model is very flexible and intuitive if you just spend some time with it.
We have implemented role based access on XI for crystal with Business Views, as well as on Webi with a universe. Works like a charm and rather straight forward to set-up if you are fmailiar with those tools.
Thanks for the input. I think I have found a way to resolve this issue. Initially, I was thinking of 2 dimensional setup. Then I realized that it will be a maintenance nightmare.
Just one more question. In the past (i.e. legacy BO), I can easily manipulate the user’s attributes directly on the “Actor” table. I understand that the user information are now stored in the system database and they might be encrypted. Is that correct? Has anyone tried to manipulate the users data directly on the database tables?
The reason why I ask this question is that, since we have so many users, the initial set up will be very labor intensive by using the CMC GUI. I am hoping that I can add all the new users and set their appropriate permissions by some PL/SQL procedures. Has anyone tried something like that? How did you set up your users initially? Don’t tell me one at a time.
Apparently high volume maintenance is an issue with Crystal Enterprise / Business Objects Enterprise. APOS has worked with Business Objects to develop a series of tools to help manage those types of environments. Their products look pretty good, but the bigger question is why those capabilities aren’t in the product itself!
The other solution to consider is the SDK. I think putting the effort there instead of PL/SQL procedures (which likely isn’t possible anyway) would be better served, not to mention supported.
(BOB member since 2004-01-16)
(BOB member since 2002-09-19)