Does anyone know of a way to stop users from seeing all the Universes that exist on a machine’s hard drive, and allow them to see only what they actually have access to as granted from supervisor?
This problem came to my attention in one of our training classes. Whoever had been sitting at the machine prior, pulled in different universes than the new group had access to. The new group has access to their own universes, plus whatever had been previously imported from the repository.
I opened a ticket with support on this over a week ago, and have heard nothing after leaving 2 messages.
If anyone has dealt with this, I appreciate your solution/work around.
Move the universes you don’t want them to see to another directory. I have a sub directory I call “other universes” where I move universes back and forth. Hope this helps.
Does anyone know of a way to stop users from seeing all the Universes that exist on a machine’s hard drive, and allow them to see only what they actually have access to as granted from supervisor?
Nancy
It sounds like you may have some local copies of universes you don’t want to see in the list when you create a new report. To best answer your question on how to get rid of the ones you don’t want it helps to know what gets displayed.
There is a document on the Integra Solutions website www.islink.com that is called “Mysteries of the Universes” that explains quite nicely what is displayed in the universe window when building a report. Check it out it should tell you what you want to know.
I appreciate all the feedback on this question, but I cannot believe that there are not more concerns on this issue.
I got a lot of feedback that said the users can see the universes, but not query them. This is NOT TRUE! (At least on my machine, and the machines in my training room - I can sign on as a user who does not have authority to a Universe, pull it up, and execute a query that will pull results back.) We are using 5.0 if that makes a difference.
What this means to me is that if there is a payroll universe created, someone can go sit at a payroll employee’s machine, (say they come in on a Saturday when no body is around), and sign on as themselves (not really violating security…) and they can query the payroll universe.
This is a huge gap in security to me! For those of you that said they can see the Universes, but not get results when querying them, what version of BO are you running?
Thanks,
Nancy
From: Bloome, Nancy
Does anyone know of a way to stop users from seeing all the Universes that exist on a machine’s hard drive, and allow them to see only what they actually have access to as granted from supervisor?
This problem came to my attention in one of our training classes. Whoever had been sitting at the machine prior, pulled in different universes than the new group had access to. The new group has access to their own universes, plus whatever had been previously imported from the repository.
I opened a ticket with support on this over a week ago, and have heard nothing after leaving 2 messages.
If anyone has dealt with this, I appreciate your solution/work around.
That actually is not the case. If the universes are attached to secure connections and exported to the repository, then users cannot use them unless their id allows it. In fact, they can’t even see them. EVEN IF THEY ARE STORED LOCALLY.
Now, if you have not put your universes in the repository, then they are considered local and can be seen by anyone with a valid id. This is how the Beach and efashion universes are distributed.
I just tested this in a V5.0.1 environment and it acted correctly for me.
I got a lot of feedback that said the users can see the universes, but not query them. This is NOT TRUE! (At least on my machine, and the machines in my training room - I can sign on as a user who does not have authority to a
Universe, pull it up, and execute a query that will pull results back.) This is a huge gap in security to me! For those of you that said they can
see the Universes, but not get results when querying them, what version of BO are you running?
I’m not sure what type of security you have Nancy but for us access to the universe only means you can look at the names of the fields in a table. To access the data you must have security to those tables. I doesn’t make any difference what version of Business Objects you have because the security is on the data, not Business Objects. Mike Kott
Peoples Energy
Nancy said:
I’m not sure what type of security you have Nancy but for us access to the universe only means you can look at the names of the fields in a table. To access the data you must have security to those tables. I doesn’t make any difference what version of Business Objects you have because the security is on the data, not Business Objects. Mike Kott
Peoples Energy
Mike
This indicates that you have not implemented universe level security at your site. You can restrict users access to universes so that they cannot even see the name of the universe in the report creation wizard. This is what Nancy is trying to implement/verify.
You have implemented table level security which can be used separately or in conjunction with universe level security. Although if you restrict a user from accessing a universe it won’t matter what row restrictions you put on the tables of that universe.
Remember, with flexibility you mostly get confusion!!!
Nancy said:
I’m not sure what type of security you have Nancy but for us
access
to the universe only means you can look at the names of the fields in a table. To access the data you must have security to those tables. I
doesn’t
make any difference what version of Business Objects you have because the security is on the data, not Business Objects. Mike Kott
Peoples Energy
Mike
This indicates that you have not implemented universe level security at your
site. You can restrict users access to universes so that they cannot even see
the name of the universe in the report creation wizard. This is what Nancy is
trying to implement/verify.
You have implemented table level security which can be used separately or in conjunction with universe level security. Although if you restrict a user from
accessing a universe it won’t matter what row restrictions you put on the tables
of that universe.
Remember, with flexibility you mostly get confusion!!!
Mike
Mike: Actually we run against DB2 on the mainframe and simply use the security we already had in place on DB2 to control access. Very effective and no confusion!
Mike Kott
I have to second the earlier post on this, local copies of universes should NOT be visible to users if they have ever seen the repository…
If a universe is created locally and not exported, yes, any user with designer / bo access will be able to see that universe. If you have exported (and /or set permissions thru supervisor), the repository’s access will apply to that universe.
Unless you open the universe and a general supervisor account - I say that because I have had to use that to open universe w/out proper access. In our case, we had universes that the designer could no longer access…