Understanding Business Objects Access Levels

February 19, 2010 by: David Lai

Understanding the Business Objects security model will enable you to map out a content management strategy for your organization. Once you understand user access levels and inheritance, visit my previous post at http://davidlai101.com/blog/2008/11/06/content-management-planning-in-business/ to set up your content. In this article we’ll go through the Business Objects Enterprise access levels.

There are 2 ways of assigning access in Business Objects Enterprise:

Predefined Access Levels

Predefined access levels are a collection of individual rights that have been set up in the Business Objects Enterprise system to provide common user access requirements.

Advanced Rights

By going into the advanced rights, you can fully customize the type of access a user has on an object.



It is simplest to use predefined access levels, as we don’t have to manually configure every single right.

Below is a table of the predefined access levels:

| Access Level | Rights |
|---|---|
| No Access | The name “No Access” may be misleading. This level does not explicitly deny access; rather, it sets all permissions to “Not Specified.” This can be overridden through inheritance. |
| View | When set at the folder level, the user can view the folder, the objects contained in the folder, and all generated instances of each object. At the object level, the user can view the object, the history of the object, and all generated instances of the object. The user cannot schedule or refresh the report; however, by default the user can edit the report and save it to a personal folder to refresh it there. You can prevent users from copying the object by going to Advanced and denying “Copy Objects to another folder.” |
| Schedule | A user can generate instances by scheduling the object to run against a specified data source once or on a recurring basis. The user has full access to the scheduled instances that they own. They can also schedule to different formats and destinations, set parameters, pick servers to process jobs, add contents to the folder, and copy the object or folder. |
| View On Demand | A user can refresh a report in real time. Note that if a report is a WEBI document, the user will also need View On Demand access to the universe and universe connection to perform the refresh. |
| Full Control | Allows users to modify all of the object’s properties. This is the only access level that allows users to delete objects. |

Security Hierarchy

The security levels flow in the following manner:

  • Global security
  • Folder-level security
  • Object-level security

Global Security

Global security is the default security set for the entire system. For example, when a new folder is added, its default rights come from the global level.

If there are any access levels that are common for the entire system, you should set them at the global level.

Global-level rights can be set in the settings management area of the Central Management Console.

Folder-level security

Folder level security allows you to set access-level rights for a folder and objects contained within that folder.  Subfolders will inherit the security of their parent folders.

Folder level security can be set by going to the “Folders” page of the CMC, then selecting a folder, and then clicking on the Rights tab.

Object-level security

Object level security is the access-level rights set at the object level.

Folders and Categories

It is important to understand the differences between folders and categories.  Both provide a way of organizing documents and BI content.  Folders provide the physical storage location of a file as well as navigation to content.  Categories provide navigation only.  Folders are required whereas categories are optional.  Thus when using a combination of both, it is recommended that categories are used for navigation only and permissions be set at the folder level.

When you create a new folder, two sets of permissions are automatically assigned:

  • Administrators are given the access level Full Control
  • Everyone is given the access level Schedule

Since the “Everyone” group is assigned the default access level of Schedule when a folder is first created, all users are able to view, open and schedule any reports saved in the new folder.  For many companies, this type of access level may not be acceptable, so the best practice is to make sure “No Access” is set for the “Everyone” group when creating a new folder.  If you want to give more permission, you can tweak it later on.
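
The inheritance behaviour described above, as an added example that is not part of the original post or of BusinessObjects itself: a simplified Python model in which “No Access” means “Not Specified” and falls through to the parent folder, used to list the folders where the “Everyone” group still ends up with access. The folder names, the GLOBAL and FOLDERS tables and the inherit flag are constructed assumptions for illustration.

```python
# Added illustration: a simplified model of access-level inheritance, not the
# BusinessObjects rights engine. Folder names and assignments are constructed.
NOT_SPECIFIED = "No Access"  # this predefined level leaves every right "Not Specified"

GLOBAL = {"Administrators": "Full Control", "Everyone": NOT_SPECIFIED}

# path -> inherit: does the folder follow its parent?  rights: {group: access level}
FOLDERS = {
    "/Finance": {"inherit": True, "rights": {"Everyone": "Schedule"}},  # creation default
    "/Finance/Payroll": {"inherit": True, "rights": {"Everyone": NOT_SPECIFIED}},
    "/Finance/Board": {"inherit": False, "rights": {"Everyone": NOT_SPECIFIED}},
    "/HR": {"inherit": True, "rights": {"Everyone": NOT_SPECIFIED}},
    "/HR/Reviews": {"inherit": True, "rights": {}},
}


def parent_of(path):
    """Return the parent folder path, or None for a top-level folder."""
    head = path.rsplit("/", 1)[0]
    return head or None


def effective_level(path, group, folders=FOLDERS, global_rights=GLOBAL):
    """Walk folder -> parent -> global; return (level, source) of the first specified level."""
    while path is not None:
        node = folders[path]
        level = node["rights"].get(group, NOT_SPECIFIED)
        if level != NOT_SPECIFIED:
            return level, path
        if not node["inherit"]:
            return NOT_SPECIFIED, path  # inheritance removed: nothing flows down
        path = parent_of(path)
    return global_rights.get(group, NOT_SPECIFIED), "global"


def audit(group="Everyone", folders=FOLDERS):
    """List folders where `group` ends up with more than No Access, and where it was set."""
    findings = []
    for path in sorted(folders):
        level, source = effective_level(path, group, folders)
        if level != NOT_SPECIFIED:
            findings.append((path, level, source))
    return findings


if __name__ == "__main__":
    for path, level, source in audit():
        print(f"{path}: Everyone has {level} (set at {source})")
```

In this model /Finance/Payroll is reported even though “Everyone” was set to “No Access” there, because the Schedule level on /Finance flows down; /Finance/Board is not, because its inheritance was removed.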

Comments

24 Responses to “Understanding Business Objects Access Levels”
  1. Puneeth says:

    In BO 4.0, how can we make a user/usergroup owner of a folder which is present in “Public Folders”?

    • David Lai says:

      Hi Puneeth,
      You need to set the security at the folder level.
      For example I have folder X. In CMC I would right click on the folder and click on “User Security” then you can set the security there.

      Hope that helps.
      David

  2. Puneeth says:

    Hi David,

    Thanks for the reply. But what user security should be set in order to make myself owner of that particular folder? We have many default access levels and also we can create a custom access level. So I am looking for the particular right / access level which will make me owner of that particular folder, so that the owner rights apply.

    Thanks,
    Puneeth

    • David Lai says:

      Hi Puneeth,
      You can give yourself Full Control of the folder and that would be equivalent to being the owner of the folder.

      Hope that helps.
      David

  3. Puneeth says:

    Hi David,

    Any replies to my previous question?

  4. Puneeth says:

    Any answer for my question please?

  5. Sachin says:

    Hi David,
    I’m faced with a situation wherein our client has asked for a document/process on refresh of ‘All access level objects’ from Production to Development to QA.
    I did check the Import Wizard in this case, only to be discontented with it.
    Any pointers are most welcome.
    Env Details: BI4 SP13, Windows Server 2008 64 bit
    Thanks~S

    • David Lai says:

      Hi Sachin,
      Import Wizard no longer exists in BI4.
      To learn how to use the promotion management tool properly please read chapter 12 from the latest BOBJ Admin Guide.

      Thanks
      David

  6. Pari says:

    Hi David,

    Thanks for sharing your knowledge.

    I have a question about granting modification rights to business super users.

    In our project, a few business users should have modification rights on reports in BO.

    As BI developers and according to best practices, we develop reports in Dev and promote them to Prod via LCM but what if just a few business users should also have modification rights?

    I know one approach is asking them to save reports in their favorites but I’d like to know about other best practice approaches. Shall we grant them rights in Dev and schedule promotions to move their changes to Prod? Is it a good idea to give them access to Dev server? Or shall we grant rights to Prod server and move their changes from Prod to Dev to make sure that the servers are kept in sync??

    Thanks in advance

  7. Leah says:

    In the CMC, our previous Business Objects Administrator set up groups with sub-groups. For example: There is an ‘Elementary’ Group and within the ‘Elementary’ Group are multiple ‘School Location’ groups. Users are assigned to their ‘School Location’ group and only have access to their ‘School Location’ data. I’m assuming some type of filter or security has been applied to the individual ‘School Location’ groups, but I can’t find where or how. There are no Profiles set up. I’m new to the administration side of Business Objects and don’t know where this special setting has been applied. Do you have any ideas?

    • David Lai says:

      Hi Leah,
      You can perform a relationship query on that particular group.
      In CMC go to “Query Results”
      Then learn about “Security Queries”

      It’s quite simple.
      Hope that helps

  8. Tracey says:

    Hi David,

    I have created a folder environment where access is gained via groups. Each folder has view and refresh groups and a Super User group. The Super Users can create reports, organise the folder, schedule reports & publications etc. The problem occurs when a user is a member of a super group for one folder and a View & Refresh group for another folder, as they are able to create new documents in the view & refresh folder and I don’t want this. If I explicitly deny the create documents in the View & Refresh access level, this takes precedence over the Super user access level and they can no longer create documents in the Super User folder. Any help would be appreciated.

    Thanks

    Tracey

    • David Lai says:

      Hi Tracey,
      There is a setting when you are assigning security to allow inheritance. If you don’t want access propagated down to the sub folders, you can remove the inheritance checkmarks on the sub folder.

      Hope that helps

  9. Tracey says:

    Hi David,

    Thanks very much for sharing your knowledge.

    My problem is that I appear to have a conflict of permissions. I have a folder structure where you can either write reports or view & refresh reports dependent on what group you are in. A person who is in a write group for one folder but a view & refresh group for another folder appears to be able to create a new report in the folder where he/she should only be able to view & refresh. If I explicitly deny the create option in the custom access level then they can no longer create anything in any folder.

    Your help would be greatly appreciated.

    Tracey

  10. rachel says:

    Hi

    I am trying to understand how our BOXI permissions have been set up but find it quite confusing.
    In the CMC I can see that the groups ‘administrators’ and ‘everyone’ have permissions on the ‘everyone’ group, which makes sense, but I am also seeing that they both have permissions on the ‘administrators’ group, which does not – surely that means that anyone/everyone could change the rights on the administrators group?!
    I’m not sure that it has been set up right.
    I am also wondering if this has happened because ‘administrator’ is a member of ‘everyone’, and whether that should not be the case?
    Sorry if these are silly questions!
    Thanks

  11. Bharath says:

    David,

    I’m facing a situation where the scheduled instances are assigned to ‘Administrator’ and end up failed. We found that the person who created them left the firm. Is there a way to avoid this mess, because our only solution right now is to recreate them?

    Thanks,
    Bharath

    • David Lai says:

      Hi Bharath,
      Whenever a user is deleted from the system, all objects belonging to the deleted user will automatically be assigned to the Administrator.
      What type of failure error are you receiving when the instances are assigned to Administrator?

  12. Arya says:

    Hello David,

    How about the audit feature in BOBJ? I need to find who assigned view access on a root folder.

    Is there a way to do it?

    BR
    Arya

    • David Lai says:

      Hi Arya,
      You can try looking through the SAP BI Audit event database and see if it captures security modifications to folders. I haven’t tried that though.

  13. Poojitha says:

    Hi David,

    How to enable access for a user who needs to have the below functionalities:

    input controls/export/drill filters and refresh

    I have tried multiple instances using Advanced but somehow I’m unable to get the above functionalities.

    Kindly help.

    Regards
    Poojitha

    • David Lai says:

      Hi Poojitha,
      You can control that at the user/group level.

      In the CMC
      1. Go to user/groups
      2. Right click on the user or group you want to modify
      3. Select “Customization”
      4. The options you mentioned are in Web Intelligence customization

      Hope that helps

  14. Kavitha says:

    Hi David,
    In our BO instance we have some custom access levels created. Is there a way we can pull or extract a report to find what permissions are assigned or denied under each of these access levels for different access rights (General, content, application)?

    Regards
    Kavitha
