Hi,
I have put a user in several groups.
But now, when he connects to universe, he have the restriction of the new groups.
I don’t want that my user have these restrictions (on rows).
I tried to delete this rows but I cannot, the option remove is disabled.
How can I do ?
Thanks in advance.
Maitre B (BOB member since 2004-09-02)
Hi,
remember that everything is based on “most restrictive” except for universe and reports.
So when a user is in more than one group, he will get the all restrictions from both groups. If a user has “create” rights in one, and it’s disabled in the other then this user has NO “create” rights.
Same goes for object or row restrictions in universes: when you have access to a universe via two groups you will get all restrictions from both universes.
So the user is in two groups and both groups have universA but the second group has a row restriction, then the user will get the row restriction.
Only thing which is not most restrictive is access rights to a universe or document. When you’re in two groups, and just one of these groups has access to a universe or document, then the user has access to it.
In your case: the row retsrictions are inherited from somewhere, so they can’t be deleted because they’re inherited.
It depends why you want this user in more then one group, it’s best to use a structure in which you have three main groups with sub-groups. First main group would give application rights, second would give universe rights and third would give document rights. (lot of documentation on Bob)
Hope this helps,
Regards,
Gerard
highandstoned 
(BOB member since 2005-08-01)
My user is an US manager that want to see all subsidiaries.
He is in manager group (no restriction)
And he see only “US subsidiary” because
he is in several sub-groups (US restrictions) cause he wanted to publish document for people who are in sub groups. 
The probvlem is that with BO you can publish document to your group only. 
So the only solution is to delete restriction US on the group and
Create restriction for each people What a pity!!!
Maitre B (BOB member since 2004-09-02)
Hi,
yes you can only publish to groups that you’re member of. Problem you have is that you’re supervisor structure isn’t what it should have been…(sorry… 
)
Two possibilities:
-user can send the document to users in groups that’s he’s not member of (if he has this right…)
-set up you’re structure so application rights, universe rights and document rights are assigned via different groups.
It’s easier for maintenance and you avoid these kind of problems…
Hope this helps…
BTW: we don’t let any user save documents to the corporate structure, to avoid getting a mess.
Gerard
highandstoned (BOB member since 2005-08-01)
Gerard,
but this solution means that i must duplicate my users
And if my user want to publish documents, it’s more complicate for him
to coose the good group to publish.
No ?
Regards
Chris
Maitre B (BOB member since 2004-09-02)
Hi,
yes, it means placing users in more then one group (see this topic https://bobj-board.org/t/29472.
Making it more difficult for a user to publish…hmm, well for that reason users are not allowed to publish reports. They can ask to get them published, or they can send it to different user/usergroups. We don’t want a messy corporate structure with lots of garbage in it, but it depends on your organisation.
When using a good naming convention, you can avoid many problems. Our groups which are used for document security, all start with RPT_ (=report), which makes it easy for the publishing user to see to which groups the document should be assigned.
Well…it’s BusinessObjects so it’s far from perfect… 
…I personally think that security is a nightmare…it’s garbage and makes for a lot of stress…but we’ll have to work with it
Gerard
highandstoned (BOB member since 2005-08-01)