BusinessObjects Board

Security model case study :)

Hi folks!
I’m looking for a solution/advice for the following case.

Please consider the following folder structure.
Public
|__Finance
| |__Poland
| | |__Poland Department 1
| | |__Poland Department 2
| |__France
| | |__France Department 1
| | |__France Department 2
| |__USA
| | |__USA Department 1
| | |__USA Department 2
|
|__Commercial
| |__Poland
| | |__Poland Department 1
| | |__Poland Department 2
| |__France
| | |__France Department 1
| | |__France Department 2
| |__USA
| | |__USA Department 1
| | |__USA Department 2
|
|__HR
| |__Poland
| | |__Poland Department 1
| | |
| |
|

I have a flat user group structure which reflects the folder structure, e.g. group Finance Poland, group Finance Poland Department 1 …
The assumption is that a user who belongs to a specific group should have access to the objects located in that directory + objects in all parent directories, e.g. users from group Finance Poland Department 1 have access to the following directories:

  • Finance/Poland/Poland Department 1
  • Finance/Poland (but not subfolders except Poland Department 1)
  • Finance (but not subfolders except Poland)
I hope it is clear :)

Sure, I can produce an open system of decreasing rights, e.g. for group Finance Poland Department 1:

  • Finance (ACL: View)
  • Finance/Poland (ACL: View)
  • Finance/France (No Access)
  • Finance/USA (No Access)
  • Finance/Poland/Poland Department 1 (ACL: View)
  • Finance/Poland/Poland Department 2 (No Access)
in order to achieve the assumption, but this is not my question :)

As you can see, the folder structure for each area (Finance, Commercial, HR, …) is exactly the same. So I’m wondering if there is a possibility to create separate collections for groups:

  • one collection for areas: Group Finance, Group Commercial, group HR, …
  • another collection for countries/departments which will be used for each area: Poland, Poland Department 1, Poland Department 2, France, France Department 1, …

and use them to assign appropriate rights.

So a user should belong to both groups, e.g. Finance and Poland Department 1, in order to get access to the folder. And the point is (ufff…) that if a user belongs to only one group (Poland Department 1) he/she can still search documents via InfoView.
Any ideas? In other words, how to grant access to a specific folder only if the user belongs to both groups.

Thanks in advance!!!


lglinski :poland: (BOB member since 2009-11-30)

Check with XI 3.0 Security for Mere Mortals


Arjun (BOB member since 2008-07-28)

Hi Arjun,
thanks for the link but I already did. The problem is that I haven’t found a solution for this (in my opinion specific) case.
In other words, could you share with me a solution for the following security requirements:

Folders structure:
Public
|__Europe
| |__Customer
| |__Employee
|__America
| |__Customer
| |__Employee

User groups:

  • 1st collection for location: Europe, America
  • 2nd collection for user type: Customer, Employee

Question: How to grant access to the folder, for example Europe/Customer, only to a user who is a member of both groups: Europe and Customer.

Regards


lglinski :poland: (BOB member since 2009-11-30)

I observed that you are giving access on Public, meaning the public folder (Root Folder). Is that correct?


Arjun (BOB member since 2008-07-28)

To me it seems you must create 6 different user groups:

Europe with sub-groups:

  • European Customers
  • European Employees

America with sub-groups:

  • American Customers
  • American Employees

Then assign the appropriate rights, e.g.:

  1. Grant view to root folder to Everyone group, but do not apply to sub-objects
  2. Grant view to Folder “Europe” for group “Europe”, but do not apply to sub-objects
  3. Grant View/View-on Demand or Full Control to folder “Europe | Customers” for group “European Customers”.

Analogous for the other folders.

Andreas :de: (BOB member since 2002-06-20)

If you simply create a security matrix within Excel you will directly understand and see what you need to open/close plus inheritance …

Hi, have you ever found a satisfying solution for this? We’re facing the same issue and I would like to avoid creating 100 groups per project…
The only solution I can see is to switch off search altogether but this does not seem to be a good option…
We would need an “intersection” group, e.g. a user needs to be in group “Germany” AND group “Customer” to have access to folder Root/Germany/CustomerReports and reports therein. But currently of course group rights are always additive, not intersectional, right? :hb:
mmmh.


Miss Universe :de: (BOB member since 2010-02-16)

I have one more idea how to solve this - not my favourite one, but… this should work:

  • Group “Europe” has RO (read only) access to folder Europe (not to its children); Group America analogous.
  • Group “Customer” has RW access to all Customer folders; Employee analogous.
  • Group “Europe” gets a new Access Level “ACCESS DENIED” assigned on America + Subfolders (and all other continents)
  • Group “America” gets ACCESS DENIED on Europe + Subfolders (and all other continents)

This requires that every user is in exactly ONE Continent group (otherwise they would not see anything as they are always denied).

As I said I would rather do it without explicit denial, but I currently don’t have a better idea…


Miss Universe :de: (BOB member since 2010-02-16)
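
Added example (not part of the thread and not BusinessObjects code): a small Python model of the deny-based scheme in the post above, under the assumption that rights from a user's groups are additive and an explicit deny always wins. Group and folder names follow the Europe/America example from the thread; the sample users are constructed. It shows what happens when the "exactly ONE continent group" precondition is not met.

```python
# Simplified model (assumption): effective access = union of grants from all
# of a user's groups, minus anything explicitly denied to any of those groups.
CONTINENTS = ["Europe", "America"]
TYPES = ["Customer", "Employee"]
FOLDERS = CONTINENTS + [f"{c}/{t}" for c in CONTINENTS for t in TYPES]


def build_rules():
    """Return (grants, denies), each group -> set of folders, per the post."""
    grants, denies = {}, {}
    for c in CONTINENTS:
        grants[c] = {c}  # RO on the continent folder only, not its children
        # ACCESS DENIED on every other continent and its subfolders
        denies[c] = {f for f in FOLDERS if f.split("/")[0] != c}
    for t in TYPES:
        # RW on all folders of this user type, on every continent
        grants[t] = {f for f in FOLDERS if f.endswith("/" + t)}
    return grants, denies


def visible(user_groups):
    """Folders a user can reach: additive grants minus explicit denies."""
    grants, denies = build_rules()
    granted = set().union(*(grants.get(g, set()) for g in user_groups))
    denied = set().union(*(denies.get(g, set()) for g in user_groups))
    return sorted(granted - denied)


# Constructed sample memberships (not from the thread).
USERS = {
    "anna": ["Europe", "Customer"],             # exactly one continent
    "bob": ["Customer"],                        # no continent group
    "carl": ["Europe", "America", "Employee"],  # two continent groups
}


def audit(users):
    """Users violating the 'exactly ONE continent group' precondition,
    mapped to what they can reach in this model."""
    return {u: visible(g) for u, g in users.items()
            if sum(x in CONTINENTS for x in g) != 1}


if __name__ == "__main__":
    for name, groups in USERS.items():
        print(name, groups, "->", visible(groups))
    print("precondition violations:", audit(USERS))
```

In this model a user with no continent group is never denied anything, so the Customer grant alone reaches the Customer folders on every continent, while a user in two continent groups is locked out entirely; a membership check like `audit` is the control that keeps the scheme sound.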

bump

this issue is still somewhat unresolved… how can we prevent search from finding objects in subfolders that a user can not browse to?
:hb: :mrsbob:


Miss Universe :de: (BOB member since 2010-02-16)

Without creating a separate group for each subfolder, so that your group hierarchy mimics your folder hierarchy, there is no way to do this.

-Dell


hilfy :us: (BOB member since 2007-04-16)