BO : XI R3.1
DB : SQL server 2005 SP3
Happy New Year Everyone ,
We’re looking at ways to implement a security model on a new XI R3 platform whereby users can see their own data while accessing the same universe (so some form of row/class/uni level security is in place), I have already read this post, this post, this post, and that post (amongst others), but I still came off undecided and would really appreciate your feedback on best practices, and if starting from scratch, which would be the most ideal approach to implementing a user/group security model on BO.
Specifically, we have 52 Counties, and each county would have a resident report developer, and a number of report readers. There would be no universe designers or BO admins in any of the Counties (we would carry out those tasks), so 52 counties, with each county having one report developer and lots of people just reading the reports, all of them accessing the same universe, but getting their own county specific data out of it.
Now, I have looked at Dwayne’s wonderful Security For Mere Mortals PowerPoint presentation, and created profiles for report developers and report readers accordingly.
My main point of confusion, is how it all ties together. To keep it basic, let’s say we have only 1 universe, and we would need each County to see its own data from it, so the row level security implementation can be considered. However, it is a transactional set up, and thus has many tables, putting in stub joins, or defining filters is quite a task (we also have a lot of users within those counties so maintenance would be an issue), I looked at Dave Rathbun’s article on Class or Universe Level restriction, but it talks about “leverage the @variable(BOUSER) restriction to apply security to the entire universe”, but we don’t have a security table. Reading the above threads it would seem a good idea to build one, so if we do go ahead with building one…
Questions :
-
What does a security table normally consist of (all the BO users, and the key used to bring in the data relative to them ?) do we just look at all our users, create an entry for them in this table ? or is there some quick export way of doing this ?. Also, when we have a new user or someone leaves, would this table need manual maintenance ?.
-
When we build this table, with all the usernames, and say County numbers next to them, does this table join up to fact tables or dimension tables ? some posts said facts others said dimensions (or does it even matter ?).
-
(say we have different databases, different systems to report from) Does this mean we need a copy of the security table in every database we report from ?.
-
When we create a pre defined condition that is a Universe wide restriction, how does it get used ? Dave’s article states “I could create a hidden class in my universe, create any number of predefined conditions as universe filters, and leverage the @variable(BOUSER) restriction to apply security to the entire universe. No matter which objects a user selects for their query, my security would get applied 100% of the time.” can someone please explain further ? so we if we create predefined conditions in a hidden class, we wouldn’t need to put them in the report for them to be activated ?, or do they somehow work without needing to put them in the report ?
Thank you in advance for any feedback/tips/ideas on how best to implement row level type of security in a BO environment.
Regards,
Veronica
Veronica (BOB member since 2002-11-22)