Comments on: Understanding Business Objects Inheritance http://davidlai101.com/blog/2010/02/20/understanding-business-objects-inheritance/ Just another WordPress weblog Thu, 19 Aug 2010 07:09:49 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: David Lai http://davidlai101.com/blog/2010/02/20/understanding-business-objects-inheritance/comment-page-1/#comment-26 David Lai Tue, 23 Feb 2010 19:16:05 +0000 http://davidlai101.com/blog/?p=233#comment-26 Hi Yoav, Thanks for your view on security. For your first issue, I wrote on my previous article that if you want to prevent someone from refreshing in his own mailbox, that the user should have the "Copy objects to another folder" rights disabled. By default, this is disabled until you get to the Schedule access level. For the second issue, the only way to prevent that is to further customize your security. Unfortunately the predefined security access levels may not provide the exact specs a System Administrator may want, however in most cases, security specs are satisfied. Hi Yoav,
Thanks for your view on security.
For your first issue, I wrote on my previous article that if you want to prevent someone from refreshing in his own mailbox, that the user should have the “Copy objects to another folder” rights disabled. By default, this is disabled until you get to the Schedule access level.

For the second issue, the only way to prevent that is to further customize your security.

Unfortunately the predefined security access levels may not provide the exact specs a System Administrator may want, however in most cases, security specs are satisfied.

]]> By: Yoav http://davidlai101.com/blog/2010/02/20/understanding-business-objects-inheritance/comment-page-1/#comment-25 Yoav Tue, 23 Feb 2010 13:55:44 +0000 http://davidlai101.com/blog/?p=233#comment-25 Hi David, Thanks for the great explanation, I have many problems with the security system in CMC but I have two in mind for now: 1.Even if a user is just a "refresh" guy, as soon as he gets a report to his inbox he can edit it since he has full ownership on his inbox, this can of course be adjusted but as a beginner it is a security breach, many organizations I work with attend to miss that "hole". 2. Another major issue: security will be always very limited as long as people who don't have the right to a universe can still get the result and watch it since they are not activating the universe in view mode. Since you can't always turn all the queries in your repo to refresh on open it would be wise to my perspective to also allow security in the view level: When a report is opened, its universe id is recognized and checked against the user rights, if he isn't allowed to use the universe, the report won't open as well. Which security problems do you recognize in the CMC security mechanism ? Best regards Yoav Hi David,

Thanks for the great explanation,
I have many problems with the security system in CMC but I have two in mind for now:
1.Even if a user is just a “refresh” guy, as soon as he gets a report to his inbox he can edit it since he has full ownership on his inbox, this can of course be adjusted but as a beginner it is a security breach, many organizations I work with attend to miss that “hole”.
2. Another major issue: security will be always very limited as long as people who don’t have the right to a universe can still get the result and watch it since they are not activating the universe in view mode.
Since you can’t always turn all the queries in your repo to refresh on open it would be wise to my perspective to also allow security in the view level:
When a report is opened, its universe id is recognized and checked against the user rights, if he isn’t allowed to use the universe, the report won’t open as well.
Which security problems do you recognize in the CMC security mechanism ?

Best regards

Yoav

]]>