Importance of Apply to Subobject in User Security

November 26, 2014 by: David Lai

As a user security best practice in SAP BusinessObjects, it is best to start with no access and then slowly grant access to the groups whom require access.  Otherwise we will end up having to explicitly remove access for every group that should not have access, which is really a pain in the ***.

As you know when you add a new user, that user is added to the Everyone group by default.
Before providing any rights to the Everyone group, users that belong only in the Everyone group won’t be able to access any folders at all.

cannot enter Folders
image-831

Example 1

Is the most common mistake I’ve seen, where we set View access on the Everyone group at the Root Folder.

everyone view root folder
image-832

This is okay, except that you will need to explicitly set no access to the Everyone group on every folder where only certain groups can view.

set everyone to no access
image-833

This is okay if there are a few first level folders that only allow certain groups to view, however if there are let’s say 50 first level folders, then we would¬†have to do a lot of unnecessary extra work.

lots of first level folders
image-834

Example 2

Is even worst than example 1. Here we give all our groups other than Everyone “View” access at the Root Folder level.

all groups view root folder
image-835

Now imagine what we have to do if we have 50 first level folders. We have to explicitly set each group to no access that should not be able to view each folder which would make things super messy!

 

Taking into account Apply to Subobject

We can see that the 2 examples above require us to apply extra security settings at level 1 folder.

Here’s what we can do to allow users to be able to enter the public folders directory and not have to remove access at every level 1 folder.

Step 1:

In CMC, go to Manage Top-Level Security -> All Folders

manage top level security
image-836

Step 2:

Click on Assign Security for the Everyone group

Step 3:

Click on the Advanced tab and then click on the link Add/Remove Rights

Step 4:

On the View objects right, click on Granted. Also be sure to remove the check from Apply to Subobject

uncheck apply to subobject
image-837

Now users will be able to enter the public folders directory but not be able to access the level 1 folders unless their group has the appropriate access granted.

As you can see, the ability to uncheck the option Apply to Subobject is very important as it will save us a lot of time and complexity in the long run.

 

Leave a Reply


4 × nine =