"Send to BI Inbox" - is it possible to exclude group "Everyone"

Dave_Hays · July 17, 2023, 2:35pm

Is it possible to limit “Send to BI Inbox” Recipients to just those users with whom the sending user shares group membership? By default, it appears that all users have the ability to share content with all users, and it is not clear to me how to even remove “Everyone” from the list of recipients.

-Dave Hays

joepeters · July 18, 2023, 5:01pm

Yes, this is how I set it up:

In Users & Groups, Top Level Security → All Users, edit advanced rights for the Everyone group. By default it will have “View objects” permissions. Change this to objects only (no subobjects). Make sure there aren’t any other groups here that have that permission (other than Administrators, of course).
Do the same for “All groups”.
The above two steps will prevent users from seeing any user or group in Send To.
Create a Custom Access Level (I call it “Group self-visibility”). The only grant it has is System → User → View objects (objects & subobjects)
Go to the User Security settings of a group. Add the group itself as a principal, and assign the CAL.
Now, users in the group will see other group members in Send To. They won’t see the group itself has an available destination, however. If you want to enable this (which will allow users to send documents to everyone in the group in one shot), then edit the CAL to add System → User Groups → View objects.

Dave_Hays · July 20, 2023, 7:47pm

Joe, thanks for the quick response. This is a really interesting idea. At face value it doesn’t quite work for me, and the reason is likely to be that we do not have a standard top level security config. There are a lot of additional groups added to our top level - it’s a cluster that has existed for many years, and subject to years of security choices that in retrospect might not be ideal

I am going to copy this cluster into a sandbox and see if I can work up a derivative of your solution that works for us.

I will update in the next couple of days.

Thanks again!
-Dave

bdouglas · July 21, 2023, 7:58pm

Joe said what was my first instinct, the view objects without sub objects.
It took me a long time to clean up security here and if I can share one lesson it’s try to never disable a permission at a high level, if you can help it - always better to not give in the first place, grant more specifically for group objects. In this case, let group members see sub objects in their group.

Good luck!
B

Dave_Hays · August 3, 2023, 7:00pm

Hi,
Yes, I am learning as I go along here, that it is far better to exclude by omission than by direct denial wherever possible especially higher up. In fact, I am wondering if there are only specific circumstances where explicit denial is necessary.

I do find myself granting “No Access” to Everyone group but that is about the only exception to what seems to me to be a pretty consistent rule of thumb.

-dave