BusinessObjects Board

Security Layout

Hi,

We are still extremely new to Business Objects and are using XI R3. We have been struggling with setting up security for our users.

Currently, we have all our users through LDAP in a single group called bousers. I would like to set up users within Business Objects such that:

Power Users (Non-HR)

  • can see all universes but the HR universe and IT only universes
  • can see all public folders except a private HR folder
  • can create \ view all reports, can only edit reports they create, but can copy others
  • can only adjust schedules or instances they create

Power User (HR)

  • all the same as above, except they can see the HR universe and the private HR folder and create\edit reports within it

Regular User (Non-HR)

  • can see all universes except HR and IT only universes
  • can see all public folders except a private HR folder
  • can only view reports
  • can only adjust schedules or instances they create

Regular User (HR)

  • all the same as above, except they can see the HR universe and the private HR folder

From this, would anyone have any suggestions on the best way to accomplish this? We are going live very shortly and are really worried about setting this up.

Thanks,
Dave


davecorbino :us: (BOB member since 2008-07-22)

Oh my. Too late now, but the security model should have been the FIRST thing you built, not the LAST thing. That aside, the XI security model can be extremely complex (you’ve probably figured that out!). However, since you are on XI 3.x, you have an advantage. There are some thoughts here … XI 3.0 Security for Mere Mortals … to get you started. I think it gives suggestions that will cover all of your requirements.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)

Hi,

I appreciate that link. I had gone through this; I’m still having some issues. I will however try again and see how far I can get.

I thank you for reading my post. I would appreciate any info or tips I should keep in mind while doing this.

Thanks,
Dave


davecorbino :us: (BOB member since 2008-07-22)

Hi,

I guess I kind of understand what I need to do:

put users in groups

apply access levels to these groups based on the access they should share

apply access levels to groups that correspond with who should see them

Does this make sense?

Thanks,
Dave


davecorbino :us: (BOB member since 2008-07-22)

In simple, best practice terms:
Principal: Group, a collection of users
Rights: Access level (custom where needed), a set of rights applied as a unit
Object: Obvious objects are document folders, universe folders, connections; but also include applications like WebI, Designer, DeskI

With that foundation, Principals are given Rights to Objects. In your description, I see you mention groups (principals) and access levels (rights), but you never mention objects, but it is key. In CMC, you start with the Object (folder / application / etc.), select the Principal (group), then assign rights (access level) at the intersection.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)
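
The principal / access level / object matrix discussed in this thread, sketched as an added example (not written by any poster and not BusinessObjects code). It is a simplified model that unions rights across groups and treats a missing assignment as no access; the group names, access-level names, objects and users are all constructed for illustration.

```python
# Added illustration: simplified model, not the BusinessObjects rights engine.
# Group names, access-level names, objects and users are constructed.

# Rights: access levels, each a set of rights applied as a unit.
ACCESS_LEVELS = {
    "viewer": {"view", "schedule_own"},
    "author": {"view", "schedule_own", "create", "copy", "edit_own"},
}

# Principals: groups of users (the four personas from the question).
GROUPS = {
    "power_nonhr": {"carol"},
    "power_hr": {"dan"},
    "regular_nonhr": {"alice"},
    "regular_hr": {"bob"},
}
HR_GROUPS = {"power_hr", "regular_hr"}

# Objects: start at the object, pick the group, then the access level.
# A group with no entry at an object has no rights there.
ASSIGNMENTS = {
    "folder:Public": {"power_nonhr": "author", "power_hr": "author",
                      "regular_nonhr": "viewer", "regular_hr": "viewer"},
    "folder:HR": {"power_hr": "author", "regular_hr": "viewer"},
    "universe:Sales": {g: "viewer" for g in GROUPS},
    "universe:HR": {g: "viewer" for g in HR_GROUPS},
    "universe:IT": {},  # IT-only: none of these groups is assigned
}
HR_OBJECTS = {"folder:HR", "universe:HR"}


def effective_rights(user, obj):
    """Union of the rights of every access level the user's groups hold at obj."""
    rights = set()
    for group, level in ASSIGNMENTS.get(obj, {}).items():
        if user in GROUPS[group]:
            rights |= ACCESS_LEVELS[level]
    return rights


def can(user, action, obj, owner=None):
    """Check an action; 'edit' and 'schedule' also require owning the item."""
    rights = effective_rights(user, obj)
    if action in ("edit", "schedule"):
        return f"{action}_own" in rights and owner == user
    return action in rights


def hr_leaks():
    """Assignments that give a non-HR group any rights on an HR object."""
    return [(g, o) for o in HR_OBJECTS for g in ASSIGNMENTS[o] if g not in HR_GROUPS]
```

Running `hr_leaks()` after every change to the matrix is a quick check that no non-HR group has picked up an assignment on the HR folder or universe.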