David Lai's Business Intelligence Blog » Best Practices http://davidlai101.com/blog Just another WordPress weblog Fri, 20 Aug 2010 20:56:44 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 Understanding Business Objects Inheritance http://davidlai101.com/blog/2010/02/20/understanding-business-objects-inheritance/ http://davidlai101.com/blog/2010/02/20/understanding-business-objects-inheritance/#comments Sat, 20 Feb 2010 22:02:26 +0000 David Lai http://davidlai101.com/blog/?p=233 When setting up user and group rules, it is important to understand inheritance and how inheritance works.  Otherwise you may run into unexpected access rights for your groups and users.

Global to object level hierarchy

By default, groups and users will inherit rights from the highest level.

The highest level starts at the Global Settings level.  The second level is the folder level; and finally the lowest level is at the object level.  If we set rights at the current level itself, then those rights have precedence over inheritance (except if rights have explicitly been denied)

Here are a few examples of setting up a group at multiple levels


Group and User security Overlap

Use the following formulas as a guide to understand what happens when inheritance from multiple groups overlap

  • Grant + Deny + Not Specified = Deny
  • Grant + Not Specified = Grant
  • Grant + Deny = Deny
  • Not Specified = Denied

For Predefined access levels, the access level with more access will take precedence.

For example:

If user “James” is part of Group “Sales” and “Marketing”.

If “Sales” has “View” access on the Marketing Folder and “Marketing” has “Schedule” access on the Marketing folder.  “James” will have “Schedule” access on the Marketing folder.

User rights take precedence over inherited rights

User rights will always take precedence over inherited rights.

For example:

User “James” is part of the “Marketing” and has “Schedule” access on the Marketing folder.  However we set “James” with “View” access on the Marketing folder.  View access will then take precedence.

The only time an inherited right takes precedence is if an inherited right explicitly denies access.  To override an inherited deny, you must uncheck the box that inherits rights.

Recommendations

  • Assign security at the folder level to groups whenever possible.  Avoid setting rights for specific users on specific report objects.  This will reduce the complexity of your system security model.
  • Use predefined access levels whenever possible.
  • Grant the “Everyone” group No Access at the global level and then grant specific rights to the appropriate groups to prevent any loopholes.
  • When setting rights, make sure to include the appropriate Universes and Business Views as well since access may be denied if they are not included.
]]> http://davidlai101.com/blog/2010/02/20/understanding-business-objects-inheritance/feed/ 2 Understanding Business Objects Access Levels http://davidlai101.com/blog/2010/02/19/understanding-business-objects-access-levels/ http://davidlai101.com/blog/2010/02/19/understanding-business-objects-access-levels/#comments Fri, 19 Feb 2010 05:44:03 +0000 David Lai http://davidlai101.com/blog/?p=209 Understanding the Business Objects security model will enable you to map out a content management strategy for your organization.  Visit my previous post at http://davidlai101.com/blog/2008/11/06/content-management-planning-in-business/ after understanding user access levels and inheritance to setup your content. In this article we’ll go through the Business Objects Enterprise Access Levels.

There are 2 ways of assigning access in Business Objects Enterprise

Predefined Access Levels

Predefined access levels are a collection of individual rights that have been set up in the Business Objects Enterprise system to provide common user access requirements.

Advanced rights

By going into the advanced rights, you may totally customize the type of access a user has on an object.



It is simplest to use predefined access levels, as we don’t have to manually configure every single right.

Below is a table of Predefined access levels

Access Level Rights
No Access The no access level may be misleading.   The no access level does not explicitly deny access, but rather, sets all permissions to “Not Specified.”  This can be overridden through inheritance.
View When set at the folder level, the user can view the folder, the objects contained in the folder, and all generated instances of each object.

At object level, the user can view the object, history of the object, and all generated instances of the object.

The user cannot schedule or refresh the report, however by default; the user can edit the report and save to a personal folder to refresh there.  You can deny users from copying the object by going to advanced and denying “Copy Objects to another folder”
Schedule A user can generate instances by scheduling the object to run against a specified data source once or on a recurring basis.  The user has full access to the scheduled instances that they own.  They can also schedule to different formats and destinations, set parameters, pick servers to process jobs, add contents to the folder, and copy the object or folder.
View On Demand A user can refresh a report in real time.  Note that if a report is a WEBI document, the user will also need View On Demand access to the universe and universe connection to perform the refresh.
Full Control Allows users to modify all of the object’s properties.  This is the only access level that allows users to delete objects.

Security Hierarchy

The security levels flow in the following manner:

  • Global security
  • Folder-level security
  • Object-level security

Global Security

The default security set for the entire system.   For example when a new folder is added, its default rights come from the global level.

If there are any access levels that are common for the entire system, you should set them at the global level.

Global level rights can be set at the settings management area of the Central Management Console

Folder-level security

Folder level security allows you to set access-level rights for a folder and objects contained within that folder.  Subfolders will inherit the security of their parent folders.

Folder level security can be set by going to the “Folders” page of the CMC, then selecting a folder, and then clicking on the Rights tab.

Object Level security

Object level security is the access-level rights set at the object level.

Folders and Categories

It is important to understand the differences between folders and categories.  Both provide a way of organizing documents and BI content.  Folders provide the physical storage location of a file as well as navigation to content.  Categories provide navigation only.  Folders are required whereas categories are optional.  Thus when using a combination of both, it is recommended that categories are used for navigation only and permissions be set at the folder level.

When you create a new folder, two sets of permissions are automatically assigned:

  • Administrators are given the access level Full Control
  • Everyone is given the access level Schedule

Since the “Everyone” group is assigned the default access level of Schedule when a folder is first created, all users are able to view, open and schedule any reports saved in the new folder.  For many companies, this type of access level may not be acceptable, so the best practice is to make sure “No Access” is set for the “Everyone” group when creating a new folder.  If you want to give more permission, you can tweak it later on.

]]> http://davidlai101.com/blog/2010/02/19/understanding-business-objects-access-levels/feed/ 0