Importance of Apply to Subobject in User Security
November 26, 2014 by: David LaiAs a user security best practice in SAP BusinessObjects, it is best to start with no access and then slowly grant access to the groups whom require access. Otherwise we will end up having to explicitly remove access for every group that should not have access, which is really a pain in the ***.
As you know when you add a new user, that user is added to the Everyone group by default.
Before providing any rights to the Everyone group, users that belong only in the Everyone group won’t be able to access any folders at all.
Example 1
Is the most common mistake I’ve seen, where we set View access on the Everyone group at the Root Folder.
This is okay, except that you will need to explicitly set no access to the Everyone group on every folder where only certain groups can view.
This is okay if there are a few first level folders that only allow certain groups to view, however if there are let’s say 50 first level folders, then we would have to do a lot of unnecessary extra work.
Example 2
Is even worst than example 1. Here we give all our groups other than Everyone “View” access at the Root Folder level.
Now imagine what we have to do if we have 50 first level folders. We have to explicitly set each group to no access that should not be able to view each folder which would make things super messy!
Taking into account Apply to Subobject
We can see that the 2 examples above require us to apply extra security settings at level 1 folder.
Here’s what we can do to allow users to be able to enter the public folders directory and not have to remove access at every level 1 folder.
Step 1:
In CMC, go to Manage Top-Level Security -> All Folders
Step 2:
Click on Assign Security for the Everyone group
Step 3:
Click on the Advanced tab and then click on the link Add/Remove Rights
Step 4:
On the View objects right, click on Granted. Also be sure to remove the check from Apply to Subobject
Now users will be able to enter the public folders directory but not be able to access the level 1 folders unless their group has the appropriate access granted.
As you can see, the ability to uncheck the option Apply to Subobject is very important as it will save us a lot of time and complexity in the long run.