BusinessObjects Board

Security Setup

Hello all,

I hope to be able to explain the issue I am dealing with…

I know this topic isn’t something new, but I have been searching around to find a good, secure & maintainable way to set up our Business Objects security and just don’t seem to find one. :wah:

I found that many of you use a tree structure as described in the document ‘Let me speak to your supervisor’ and the document from Charles [Edit - HTML is not allowed on BOB, please use BBCode instead. - Dave]

I also created a tree structure like this:

GROUP ROOT
---Groups by location
------Group LocA
---------User A
------Group LocB
---------User B
---------User C
---Groups by profile
------Group Supervisors
---------User A
------Group Designers
---------User B
------Group Supervisor-Designers
------Group Users
---------User C
---Groups by department
------Group deptA
---------User A
---------User B
------Group deptB
---------User C

Resources are determined on Groups by location and Groups by department.
Command restrictions are defined on Groups by profile.

But in order to make this work (thinking about the rules of inheritance), I have to give full access and fully enabled command restrictions to users in groups by location and groups by department.

e.g.:
I disable access to Supervisor to groups by location and groups by department and enable access to Supervisor to group Supervisors.
User A will have access to Supervisor, but won’t be able to add users to Group LocA and Group deptA. Therefore I have to give those other groups also access to Supervisor.
But when I do that, the command restrictions are inherited too.
I wanted to give the other groups access to Supervisor and all command restrictions revoked, but then UserA has no authority at all to work in Supervisor. :nonod:

So, do I really have to give Groups by location and Groups by department full authority on Supervisor in order to control the authority by the groups by profile?

Or is it maybe best if we control access to data using row security on the groups by location and groups by department and put all other security on user level? (so, remove the groups by profile?)

Can anyone maybe send me a scheme of how security is set up and operating in his/her company?

I just don’t seem to find a closing solution to set this up.

Hope someone understands this explanation and can help me.

Kind regards,
Zaz


Zaz :belgium: (BOB member since 2004-06-04)

First of all, welcome to BOB. :mrgreen:

Yes. Keep in mind that when a user is a member of multiple groups, they get the most restrictive permissions of all groups. So if you enable Supervisor in the Location and Department groups, you can use the Profile group to control the Command restrictions. If you don’t want someone to have Supervisor control in a specific department that they are a member of, change their profile in that department to a user.


MichaelWelter :vatican_city: (BOB member since 2002-08-08)

I was afraid you’d say that.
It’s just that I don’t like to start off with the idea that a user HAS TO BE a member of three groups.
When someone with supervisor rights creates a user and ‘forgets’ to make him a member of a group by profile, this user will have full authority. :frowning:

But thanks for the reply, Michael!

many greetz,
Zaz


Zaz :belgium: (BOB member since 2004-06-04)
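
An added example, not part of the thread and not BusinessObjects' own code: a simplified model of the rule described above (rights across groups combine to the most restrictive set) with an audit that flags any user missing one of the three group categories, which is the gap raised in the last post. The command names and "User D" are constructed for illustration; the other groups and users come from the tree in the first post.

```python
# Simplified model of the rule stated in the thread: a user in several groups
# gets the most restrictive permissions of all of them (set intersection).
# Command names and "User D" are constructed, not real product identifiers.
ALL_COMMANDS = frozenset(
    {"open_supervisor", "create_user", "edit_group", "assign_resource"}
)
CATEGORIES = {"location", "profile", "department"}

# group -> (category, Supervisor commands enabled on that group)
GROUPS = {
    "LocA": ("location", ALL_COMMANDS),
    "LocB": ("location", ALL_COMMANDS),
    "deptA": ("department", ALL_COMMANDS),
    "deptB": ("department", ALL_COMMANDS),
    "Supervisors": ("profile", ALL_COMMANDS),
    "Designers": ("profile", frozenset()),
    "Users": ("profile", frozenset()),
}

MEMBERSHIP = {
    "User A": ["LocA", "Supervisors", "deptA"],
    "User B": ["LocB", "Designers", "deptA"],
    "User C": ["LocB", "Users", "deptB"],
    "User D": ["LocA", "deptA"],  # constructed: profile group forgotten
}

def effective_commands(user):
    """Intersect the enabled commands of every group the user belongs to."""
    rights = set(ALL_COMMANDS)
    for group in MEMBERSHIP[user]:
        rights &= GROUPS[group][1]
    return rights

def missing_categories(user):
    """Return the group categories in which the user has no membership."""
    have = {GROUPS[group][0] for group in MEMBERSHIP[user]}
    return sorted(CATEGORIES - have)

def audit():
    """List (user, missing categories, effective commands) for incomplete users."""
    findings = []
    for user in sorted(MEMBERSHIP):
        missing = missing_categories(user)
        if missing:
            findings.append((user, missing, sorted(effective_commands(user))))
    return findings

if __name__ == "__main__":
    for user, missing, rights in audit():
        print(f"{user}: no {', '.join(missing)} group -> effective: {rights}")
```

Run on a membership export after each user creation, a check like this catches the forgotten profile group before the account is used.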