Friday, February 19th, 2010

Understanding Business Objects Access Levels

Understanding the Business Objects security model will enable you to map out a content management strategy for your organization.  Once you understand user access levels and inheritance, visit my previous post at http://davidlai101.com/blog/2008/11/06/content-management-planning-in-business/ to set up your content. In this article we’ll go through the Business Objects Enterprise access levels.

There are 2 ways of assigning access in Business Objects Enterprise:

Predefined Access Levels

Predefined access levels are a collection of individual rights that have been set up in the Business Objects Enterprise system to provide common user access requirements.

Advanced rights

By going into the advanced rights, you can fully customize the type of access a user has on an object.

It is simplest to use predefined access levels, as we don’t have to manually configure every single right.

Below is a table of predefined access levels:

| Access Level | Rights |
|---|---|
| No Access | The No Access level may be misleading. It does not explicitly deny access, but rather sets all permissions to “Not Specified.” This can be overridden through inheritance. |
| View | When set at the folder level, the user can view the folder, the objects contained in the folder, and all generated instances of each object. At the object level, the user can view the object, the history of the object, and all generated instances of the object. The user cannot schedule or refresh the report; however, by default the user can edit the report and save it to a personal folder to refresh it there. You can prevent users from copying the object by going to the advanced rights and denying “Copy Objects to another folder”. |
| Schedule | A user can generate instances by scheduling the object to run against a specified data source once or on a recurring basis. The user has full access to the scheduled instances that they own. They can also schedule to different formats and destinations, set parameters, pick servers to process jobs, add contents to the folder, and copy the object or folder. |
| View On Demand | A user can refresh a report in real time. Note that if a report is a WEBI document, the user will also need View On Demand access to the universe and universe connection to perform the refresh. |
| Full Control | Allows users to modify all of the object’s properties. This is the only access level that allows users to delete objects. |

Security Hierarchy

The security levels flow in the following manner:

  • Global security
  • Folder-level security
  • Object-level security

Global Security

Global security is the default security set for the entire system.  For example, when a new folder is added, its default rights come from the global level.

If there are any access levels that are common for the entire system, you should set them at the global level.

Global-level rights can be set in the settings management area of the Central Management Console.

Folder-level security

Folder level security allows you to set access-level rights for a folder and objects contained within that folder.  Subfolders will inherit the security of their parent folders.

Folder level security can be set by going to the “Folders” page of the CMC, then selecting a folder, and then clicking on the Rights tab.

Object-level security

Object level security is the access-level rights set at the object level.

Folders and Categories

It is important to understand the differences between folders and categories.  Both provide a way of organizing documents and BI content.  Folders provide the physical storage location of a file as well as navigation to content.  Categories provide navigation only.  Folders are required whereas categories are optional.  Thus when using a combination of both, it is recommended that categories are used for navigation only and permissions be set at the folder level.

When you create a new folder, two sets of permissions are automatically assigned:

  • Administrators are given the access level Full Control
  • Everyone is given the access level Schedule

Since the “Everyone” group is assigned the default access level of Schedule when a folder is first created, all users are able to view, open and schedule any reports saved in the new folder.  For many companies, this type of access level may not be acceptable, so the best practice is to make sure “No Access” is set for the “Everyone” group when creating a new folder.  If you want to give more permission, you can tweak it later on.
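The sketch below is an added example, not code from Business Objects or from the original post. It audits a folder tree for the two pitfalls described above: the “Everyone” group left on the new-folder default, and a “No Access” setting that is overridden by inheritance. The folder list, the function names and the simplified rights model are assumptions for illustration; a real audit would read the assignments from the CMC.

```python
# Simplified model (assumption): one predefined access level per folder for the
# "Everyone" group, inheritance left enabled, no advanced per-right denials.
# Levels are treated as cumulative in the order the article lists them.
LEVELS = ["No Access", "View", "Schedule", "View On Demand", "Full Control"]
NEW_FOLDER_DEFAULT = "Schedule"  # given to "Everyone" on every new folder

def effective_level(path, acl, global_level="No Access"):
    """Resolve the level "Everyone" effectively holds on a folder.

    "No Access" leaves every right "Not Specified", so it blocks nothing:
    whatever the global level or a parent folder grants still applies.
    """
    best = LEVELS.index(global_level)
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        level = acl.get("/" + "/".join(parts[:depth]), "No Access")
        best = max(best, LEVELS.index(level))
    return LEVELS[best]

def audit(acl, max_allowed="View", global_level="No Access"):
    """Return (folder, explicit, effective, reason) for folders over the limit."""
    limit = LEVELS.index(max_allowed)
    findings = []
    for path in sorted(acl):
        explicit = acl[path]
        effective = effective_level(path, acl, global_level)
        if LEVELS.index(effective) <= limit:
            continue
        if LEVELS.index(explicit) < LEVELS.index(effective):
            reason = "inherited access overrides the level set on this folder"
        elif explicit == NEW_FOLDER_DEFAULT:
            reason = "matches the new-folder default for Everyone"
        else:
            reason = "explicit assignment above the allowed level"
        findings.append((path, explicit, effective, reason))
    return findings

# Constructed sample: folder path -> access level assigned to "Everyone".
SAMPLE_ACL = {
    "/Finance": "Schedule",
    "/Finance/Payroll": "No Access",
    "/HR": "No Access",
    "/HR/Policies": "View",
    "/Sales": "Full Control",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACL):
        print(" | ".join(finding))
```

In the sample, /Finance/Payroll is reported even though it is set to “No Access”, because the Schedule level on /Finance is inherited.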

