WebI Launchpad My favorites access

I’m researching on how to best implement the PII report within BO. Users currently have access BI/BW report freely refresh from BO. They want to bring PII data in to BO now. Our BO security sits on top of BW security, which means users will always be validated within BO and BW. So far so good, I was planning to create a separate PII folder within BO where I’d assign a separate PII user group only to have access and run the report from BO. Everything was going fine until I realized that users have full blown access to “My favorites” folder. On this folder, any user can schedule report and share it in PDF/Excel. I don’t want to remove their full access from “My favorites” folder. What I’m interested in is:

  1. Can you completely disable users full control access to PII reports (only the report that came from PII folder) regardless where it exist within BO?
  2. I want to disable users access to only PII folder reports so they can’t schedule and share it even from their personal folder.

Please suggest if there is a way or any other suggestion?

zulu1900 (BOB member since 2005-07-27)

I think your best bet is to create a Custom Access Level and apply it to the PII folder (you could set security explicitly but a CAL is more flexible).

I assume you want to enable them to refresh reports. You could start with a copy of the View access level and add Refresh the report’s data to it. This will prevent them from scheduling the report, and also from copying it to their personal folder.

To answer your question, you can’t force security to follow a copy of a report. If a user has permission to copy a report, the copied version of the report will inherit the target folder’s permissions and will not carry the original report’s security with it. In your case, if a user had permission to copy a report but schedule it, but then copied the report to their personal folder, they would then have Full Control over the copied report.

joepeters :us: (BOB member since 2002-08-29)

My answer is:
yes, yes, and yes.
That’s exactly what I’m experiencing and I thought there was a way around it :slight_smile:
So the answer is it CAN’T be done once a user has copy access to the report as it inherits the Target folder permission.
Because the report contains the PII I should rather remove the copy, save, and schedule user access; and only allow to refresh, print, and export (excel, pdf).
Our users has to go through 5 hours of PII training and test before they are allowed to view/refresh PII data or report. So PII is pretty big deal in our org. Any good suggestion on handling PII report? How should I make it safe, secure, and minimize the chances of internal data breach.

zulu1900 (BOB member since 2005-07-27)