XI 3.0 Security for Mere Mortals

Dwayne Hoffpauir’s 2008 GBN User Conference presentation.

A look at the XI security model, focusing on new features in XI 3.0:

  • Custom access levels
  • Ability to assign more than one access level
  • Ability to selectively choose whether a given right “cascades” or not
  • More granularity by specific document types

The new features enable a robust “building blocks” approach to security that makes security manageable by “mere mortals.” The download includes an Excel spreadsheet that lists every possible individual right (nearly 1,300 of them), categorized by the object to which they apply. Very useful in drafting / maintaining your own security matrix.

[edit 14-Dec-2009 … additional attachment added listing all rights in XI 3.1 environment … Dwayne]
XI 3.0 Security for Mere Mortals.zip (743.0 KB)
XI 3.1 security matrix.zip (111.0 KB)


Bob Junior :uk: (BOB member since 2005-04-23)


For those attending my presentation, I left out one “cool” use of the cascading / non-cascading feature that can now be applied to individual rights. In previous releases, when a developer was given broad rights over a folder, they could not only add / change / delete objects within the folder, but they could also DELETE THE FOLDER ITSELF!

With XI 3.0, you can set the delete right to apply ONLY to sub-objects. That way they can delete objects, sub-folders, etc., but NOT the object (folder) itself!


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)
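The “apply to sub-objects only” trick described in the post above, as an added illustration that is not part of the original thread or of any SAP/BusinessObjects code. It is a deliberately simplified model of rights resolution (an assumption, not the CMC’s real algorithm): a right is effective on an object if it is granted on that object with the “this object” scope, or granted with the “sub-objects” scope on any ancestor. Folder and report names are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Scope(Enum):
    OBJECT = "object"          # right applies to the object the ACL is set on
    SUBOBJECTS = "subobjects"  # right cascades to children and their children


@dataclass
class Node:
    """A folder or document in a constructed Public Folders tree."""
    name: str
    parent: "Node | None" = None
    children: list = field(default_factory=list)
    # ACL on this node: right name -> set of Scope flags with which it is granted
    acl: dict = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child


def grant(node: Node, right: str, *scopes: Scope) -> None:
    node.acl.setdefault(right, set()).update(scopes)


def has_right(node: Node, right: str) -> bool:
    """Simplified resolver (assumed semantics, see lead-in): granted on the
    node itself with OBJECT scope, or on any ancestor with SUBOBJECTS scope."""
    if Scope.OBJECT in node.acl.get(right, set()):
        return True
    ancestor = node.parent
    while ancestor is not None:
        if Scope.SUBOBJECTS in ancestor.acl.get(right, set()):
            return True
        ancestor = ancestor.parent
    return False


def build_tree():
    """Constructed sample tree: Public Folders / Development / Sandbox / Sales.wid"""
    root = Node("Public Folders")
    dev = root.add(Node("Development"))
    sandbox = dev.add(Node("Sandbox"))
    report = sandbox.add(Node("Sales.wid"))
    return root, dev, sandbox, report


def old_style() -> dict:
    """Pre-XI 3.0 behaviour: a blanket Delete grant on the folder covers the
    folder itself as well as everything beneath it."""
    _, dev, sandbox, report = build_tree()
    grant(dev, "Delete", Scope.OBJECT, Scope.SUBOBJECTS)
    return {n.name: has_right(n, "Delete") for n in (dev, sandbox, report)}


def subobjects_only() -> dict:
    """XI 3.0 style: Delete applies to sub-objects only, so the developer can
    delete reports and sub-folders but not the Development folder itself."""
    _, dev, sandbox, report = build_tree()
    grant(dev, "Delete", Scope.SUBOBJECTS)
    return {n.name: has_right(n, "Delete") for n in (dev, sandbox, report)}


if __name__ == "__main__":
    print("blanket grant:     ", old_style())
    print("sub-objects only:  ", subobjects_only())
```

The check a practitioner wants before rolling this out is the second dictionary: the folder the right was set on must come back False while its children come back True. If the folder itself still shows True, the right was granted with the “this object” scope somewhere higher in the tree and that ancestor grant needs to be found.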

this is fantastic - thanks Dwayne!


malc001 :new_zealand: (BOB member since 2005-09-26)

This is great. And just the right timing as we are planning to upgrade to XI 3.1 soon.

Thanks Dwayne.
Rachid


rachidb :morocco: (BOB member since 2006-07-06)

I attended and I really wanted to have a chat with you concerning some of your recommendations that I personally don’t make :wink: next time!


Sebastien Goiffon :fr: (BOB member since 2004-09-29)

Hi Dwayne, I have a requirement like

50 folders for 50 different clients
for each client 3 different kind of users: Advanced, medium, general

As per the security matrix in your presentation, do I need to create 50*3 = 150 groups to achieve the security?

i am totally confused about how i should create groups.

Can you please help me in designing a group structure for these folders…

Thanks a bunch,
Manda


Maddy_S :us: (BOB member since 2009-04-07)

You should be able to create 53 groups (50+3). Then make any given user a member of two groups … one client group, and one “kind” group.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)
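The 50 + 3 group design from the reply above, as an added worked example that is not part of the original thread and not SAP/BusinessObjects code. Group names, folder paths, right names and the resolution rule are all assumptions: content groups (one per client) carry folder rights, “kind” groups carry application rights keyed on the application rather than on any folder, a user’s effective right is the combination of all of his groups, and an explicit deny from any group beats a grant from another. The example also shows why, under those assumptions, adding a second client group to a user cannot make him “view only” on that client’s content: the application right does not vary by folder.

```python
from collections import defaultdict

GRANT, DENY = "granted", "denied"
KINDS = ("Advanced", "Medium", "General")


def build_matrix(clients):
    """Constructed security matrix: (group, object) -> {right: GRANT|DENY}.
    Content rights are keyed on a folder path; application rights on 'App:WebI'."""
    acl = defaultdict(dict)
    for c in clients:
        acl[(c, f"/Public/{c}")] = {"View": GRANT, "Refresh": GRANT}
    acl[("Advanced", "App:WebI")] = {"View": GRANT, "Create document": GRANT, "Edit query": GRANT}
    acl[("Medium", "App:WebI")] = {"View": GRANT, "Create document": GRANT, "Edit query": DENY}
    acl[("General", "App:WebI")] = {"View": GRANT, "Create document": DENY, "Edit query": DENY}
    return acl


def effective(acl, groups, obj, right):
    """Assumed resolution rule: any explicit deny wins, else any grant,
    else the right is not specified (treated as no access)."""
    values = {acl.get((g, obj), {}).get(right) for g in groups}
    if DENY in values:
        return DENY
    if GRANT in values:
        return GRANT
    return None


def group_count(n_clients, n_kinds=len(KINDS)):
    """One group per client plus one per kind, instead of one per (client, kind) pair."""
    return n_clients + n_kinds


def demo():
    clients = [f"Client{i:02d}" for i in range(1, 51)]      # 50 constructed client folders
    acl = build_matrix(clients)

    bob = ["Advanced", "Client07"]                           # one client group + one kind group
    result = {
        "groups_needed": group_count(len(clients)),
        "own_folder_view": effective(acl, bob, "/Public/Client07", "View"),
        "other_folder_view": effective(acl, bob, "/Public/Client08", "View"),
        "webi_edit_query": effective(acl, bob, "App:WebI", "Edit query"),
    }

    # Give Bob a second client group: he can now view Client08, but his WebI
    # application rights are unchanged because they are not keyed on a folder.
    bob_two_clients = bob + ["Client08"]
    result["client08_view_after_add"] = effective(acl, bob_two_clients, "/Public/Client08", "View")
    result["webi_edit_query_after_add"] = effective(acl, bob_two_clients, "App:WebI", "Edit query")

    # Putting a user in two kind groups is not a way to get "a bit of both":
    # under the deny-wins rule the more restrictive group dominates.
    result["advanced_plus_medium_edit_query"] = effective(acl, ["Advanced", "Medium"], "App:WebI", "Edit query")
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:34s} {v}")
```

The two lines worth checking are `webi_edit_query` and `webi_edit_query_after_add`: both are granted, which is the point of the later exchange in this thread. The 53-group design works as long as a user is one “kind” everywhere; once the same person must be Advanced on one client and view-only on another, content-group membership alone cannot express it.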

Is this only true when a user is always a “kind” of user? For instance, in a scenario with three kinds of users: Advanced, Medium, General and Two Groups: HR and Sales.

In your scenario there would be 5 groups. Let’s say User: Bob is an Advanced User for the HR Group.

He would be placed in the “Advanced” group and the “HR” group. Later on, Bob also needs view only access to the “Sales” group. Due to security requirements, he is not allowed to be an advanced user of the Sales group.

Adding BOB to the “Sales” group while he is already in the “Advanced” group and the “HR” group would give him too much access.

In this particular type of scenario, would I need to create the 50x3 groups?

edit: without using overrides or individual user level security for Bob.


sovichet (BOB member since 2007-07-10)

Hi everybody !

I just don’t understand something :
In the 3.1 matrix I understood that we should rather “play” with the different customised access levels, and then apply those levels to a group in order for them to have rights on folders or applications.

so a user belongs to a group

instead of :
creating groups with their rights on folders
creating groups with their rights on application

so a user belongs to 2 groups.

And following the questions above, the solution proposed by Dwayne is the second one: a user belongs to 2 groups.

So what is the best solution if ever ?
thanks for your answer


liloo :fr: (BOB member since 2007-06-06)

Still wouldn’t help. Application rights are NOT applied to content folders. The only solution is two different user ID’s.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)

Are there any additional rights in XI 3.1? If so, is there a new download for XI 3.1?


Franko418 (BOB member since 2004-07-07)

That is correct for content folders. However, what about Universe folders? Setting “Not Specified” for the edit/delete permissions seems to effectively limit what these “mixed” users could do with the universes contained in the folders. I will try to post a real example tomorrow.


sovichet (BOB member since 2007-07-10)

Let’s see. I took your requirement against “give him too much access” rather literally I guess. I should ask, which application rights are the concern? Report authoring rights (DeskI, WebI), Designer rights, other? There is an individual right that can be applied to universes to allow data provider create / edit against that universe. It is the ONLY exception that I know of where what is essentially an application right is applied to content (documents, universes, etc.).


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)

Hi! Must we always create rights for applications AND rights for content?
Or is it possible to imagine that the ones who will refresh all have the same rights and can only access their folder and then refresh a WebI document, and so we create a right “refresh”, then
we create an “accounting group” and apply the “refresh” right on the universe, connection and folder in relation with accounting, and then apply the same “refresh” right on the Web Intelligence application?

Then if there is the same behaviour on “sales group”, we apply the same “refresh” right for the sales group, on sales folder, etc.


liloo :fr: (BOB member since 2007-06-06)

Dwayne,
To get to the list of all the rights, did you use something like VBA to go over the collections and print out the rights in Excel?

If so, is it possible for you to share the code?

Thanks
Maloy


itsmaloy :us: (BOB member since 2007-01-25)

I tried, but never found a reliable way to do so. It took a few hours of copy / paste from CMC. Tedious and possibly error prone, but in the end quicker than fiddling with code. The SDK just isn’t very good at this “master data” kind of thing.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)

Dwayne,

I’m playing around with Xi3 security for the first time, having not done any security modelling since the days of v5 / v6. I’m trying to reproduce the blocks in your presentation, but am confused by what I see as duplicate permissions.

What is the difference between ‘View SQL’ within the Content\Desk Intelligence Report group, and ‘View SQL’ within the Application\Desktop Intelligence group? What happens if one is granted and the other isn’t?

There are other similar duplicates for both Deski and Webi.

Thanks…


anorak :uk: (BOB member since 2002-09-13)

Let’s start with the easy part. The application one will drive what you do … well, within the application. Same for content … it would apply to individual DeskI documents.

Now as to the interaction between them, I haven’t tested it, but this would be my “hypothesis.” You’d have to have the application right, or you wouldn’t even be able to choose that option in the DeskI client. That would enable you to create new documents, see the SQL, etc. The content right would then be a matter of granularity. You could prevent viewing of SQL for some documents, and not others. Again, my hypothesis, but should be easily verified.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)

One quick question…

I understand how the new XIR3 security model works, but am awaiting a password before I can get into my CMC to fiddle with it… I’ve been spending the past week preparing scope documents and such…

On Column “D” of the spreadsheet above, it is labeled “Applicability”, is this something new in XIR3? I don’t quite understand what that column is used for when planning your security model…

At first I thought “General” and “Override General” were indications that this model is overriding the default settings… but then I see “Specific” and it kind of throws that idea away…

What is that column telling me to consider that I’m missing?


JPetlev (BOB member since 2006-11-01)

I missed this post originally, so my apologies there. You are on the right track. This is something new in XI 3.x. The “General / General” rights are still there … basic add, edit, delete, view, etc. In XI 3.x, you can get more granular, based on the content type … hence the “override general” terminology used by XI 3.x. As an example, it is possible to allow someone to “add” Excel documents to a folder, but not a WebI document, using this “override general” granularity.

My advice is to NOT use the “General / General” rights in custom access levels at all. Unless of course that is exactly what you intend … that the rights apply universally, regardless of content type. Otherwise, it’s just too easy to grant unintended access.


Dwayne Hoffpauir :us: (BOB member since 2002-09-19)
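The “General” versus “Override General” distinction from the reply above, as an added example that is not part of the original thread and not SAP/BusinessObjects code. The model is an assumption: an access level is a set of entries keyed by (right, content type), where a content type of `None` stands for the General row, a type-specific entry wins over the General entry when both exist, and a right that is not specified anywhere is not granted. The content-type names are constructed for the example.

```python
GRANT, DENY = "granted", "denied"
GENERAL = None  # the "General" row: applies regardless of content type

# Constructed list of content types a folder might hold.
CONTENT_TYPES = ["Excel", "WebI", "DeskI", "PDF", "Crystal Report"]


def resolve(level: dict, right: str, content_type: str):
    """Assumed precedence: an 'override general' entry for this content type
    beats the General entry; if neither exists the right is not specified."""
    if (right, content_type) in level:
        return level[(right, content_type)]
    return level.get((right, GENERAL))


def allowed_types(level: dict, right: str = "Add") -> list:
    """Which content types this access level lets a user add to a folder."""
    return [t for t in CONTENT_TYPES if resolve(level, right, t) == GRANT]


def excel_only_level() -> dict:
    """Built from override-general rights only: Add is granted for Excel and
    nothing is said about any other type, so only Excel comes through."""
    return {("Add", "Excel"): GRANT}


def general_add_level() -> dict:
    """Uses the General row: Add is granted for every content type,
    including types the author of the access level never thought about."""
    return {("Add", GENERAL): GRANT}


def general_with_webi_denied() -> dict:
    """General grant plus one explicit type-specific deny: the deny wins for
    WebI, the general grant still covers everything else."""
    return {("Add", GENERAL): GRANT, ("Add", "WebI"): DENY}


if __name__ == "__main__":
    for name, lvl in [("override-general only", excel_only_level()),
                      ("general row", general_add_level()),
                      ("general + WebI denied", general_with_webi_denied())]:
        print(f"{name:24s} can add: {allowed_types(lvl)}")
```

The practical check is the second case: if an access level uses the General row for Add, Edit or Delete, `allowed_types` returns every content type, which is exactly the unintended access the reply above warns about. Building access levels from the type-specific rows keeps the result to the types that were named.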