We are still extremely new to Business Objects and are using XI R3. We have been struggling with setting up security for our users.
Currently, we have all our users through LDAP in a single group called bousers. I would like to set up users within Business Objects such that:
Power Users (Non-HR)
can see all universes but the HR universe and IT only universes
can see all public folders except a private HR folder
can create \ view all reports, can only edit reports they create, but can copy others
can only adjust schedules or instances they create
Power User (HR)
all the same as above, except they can see the HR universe and the private HR folder and create\edit reports within it
Regular User (Non-HR)
can see all universes except HR and IT only universes
can see all public folders except a private HR folder
can only view reports
can only adjust schedules or instances they create
Regular User (HR)
all the same as above, except they can see the HR universe and the private HR folder
From this, would anyone have any suggestions on the best way to accomplish this? We are going live very shortly and are really worried about setting this up.
Oh my. Too late now, but the security model should have been the FIRST thing you built, not the LAST thing. That aside, the XI security model can be extremely complex (you’ve probably figured that out!). However, since you are on XI 3.x, you have an advantage. There are some thoughts here … XI 3.0 Security for Mere Mortals … to get you started. I think it gives suggestions that will cover all of your requirements.
In simple, best practice terms:
Principal: Group, a collection of users
Rights: Access level (custom where needed), a set of rights applied as a unit
Object: Obvious objects are document folders, universe folders, connections; but also include applications like WebI, Designer, DeskI
With that foundation, Principals are given Rights to Objects. In your description, I see you mention groups (principals) and access levels (rights), but you never mention objects, but it is key. In CMC, you start with the Object (folder / application / etc.), select the Principal (group), then assign rights (access level) at the intersection.
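The object-first assignment described in the reply above, written out as an access matrix with a check for restricted objects. This is an added example, not part of the original thread and not the Business Objects rights engine. The group names other than bousers, the object paths, the users and the custom "Report Author" level are constructed, and it assumes a user's access is the highest level granted through any of their groups, with no explicit denies.

```python
# Simplified model of "start with the Object, select the Principal, assign the
# access level". All names are constructed; this is not the BO rights engine.
LEVELS = {"No Access": 0, "View": 1, "Report Author": 2}  # assumed ordering

# object -> {group: access level}. A group with no entry on an object gets nothing.
ASSIGNMENTS = {
    "Universes/General":  {"Power Users": "View", "Regular Users": "View"},
    "Universes/HR":       {"HR": "View"},
    "Universes/IT Only":  {"IT": "View"},
    "Folders/Public":     {"Power Users": "Report Author", "Regular Users": "View"},
    "Folders/HR Private": {"HR Power Users": "Report Author", "HR": "View"},
}

# Objects the question reserves for specific groups.
RESTRICTED = {
    "Universes/HR":       {"HR", "HR Power Users"},
    "Universes/IT Only":  {"IT"},
    "Folders/HR Private": {"HR", "HR Power Users"},
}

# Constructed users; everyone stays in the catch-all LDAP group "bousers".
USERS = {
    "alice": ["bousers", "Power Users"],
    "bob":   ["bousers", "Regular Users"],
    "carol": ["bousers", "Power Users", "HR", "HR Power Users"],
    "dave":  ["bousers", "Regular Users", "HR"],
}

def effective_level(groups, obj, assignments=ASSIGNMENTS):
    """Highest level any of the user's groups holds on obj."""
    granted = assignments.get(obj, {})
    held = [granted[g] for g in groups if g in granted]
    return max(held, key=LEVELS.__getitem__, default="No Access")

def audit(assignments=ASSIGNMENTS, users=USERS, restricted=RESTRICTED):
    """List (user, object, level) where a user outside the allowed groups has access."""
    findings = []
    for obj, allowed in restricted.items():
        for user, groups in users.items():
            level = effective_level(groups, obj, assignments)
            if level != "No Access" and not allowed & set(groups):
                findings.append((user, obj, level))
    return sorted(findings)

if __name__ == "__main__":
    print(audit())  # matrix as designed
    # Misconfiguration: the catch-all group is granted View on the HR folder.
    print(audit({**ASSIGNMENTS, "Folders/HR Private": {"bousers": "View"}}))
```

The second call shows why rights on a restricted folder should never be assigned to the catch-all group: every non-HR user inherits them.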