Global to object level hierarchy

By default, groups and users will inherit rights from the highest level.

The highest level starts at the Global Settings level.  The second level is the folder level; and finally the lowest level is at the object level.  If we set rights at the current level itself, then those rights have precedence over inheritance (except if rights have explicitly been denied)

Here are a few examples of setting up a group at multiple levels

Group and User security Overlap

Use the following formulas as a guide to understand what happens when inheritance from multiple groups overlap

• Grant + Deny + Not Specified = Deny
• Grant + Not Specified = Grant
• Grant + Deny = Deny
• Not Specified = Denied

For Predefined access levels, the access level with more access will take precedence.

For example:

If user “James” is part of Group “Sales” and “Marketing”.

If “Sales” has “View” access on the Marketing Folder and “Marketing” has “Schedule” access on the Marketing folder.  “James” will have “Schedule” access on the Marketing folder.

User rights take precedence over inherited rights

User rights will always take precedence over inherited rights.

For example:

User “James” is part of the “Marketing” and has “Schedule” access on the Marketing folder.  However we set “James” with “View” access on the Marketing folder.  View access will then take precedence.

The only time an inherited right takes precedence is if an inherited right explicitly denies access.  To override an inherited deny, you must uncheck the box that inherits rights.

Recommendations

• Assign security at the folder level to groups whenever possible.  Avoid setting rights for specific users on specific report objects.  This will reduce the complexity of your system security model.
• Use predefined access levels whenever possible.
• Grant the “Everyone” group No Access at the global level and then grant specific rights to the appropriate groups to prevent any loopholes.
• When setting rights, make sure to include the appropriate Universes and Business Views as well since access may be denied if they are not included.

There are 2 ways of assigning access in Business Objects Enterprise

Predefined Access Levels

Predefined access levels are a collection of individual rights that have been set up in the Business Objects Enterprise system to provide common user access requirements.

Advanced rights

By going into the advanced rights, you may totally customize the type of access a user has on an object.

It is simplest to use predefined access levels, as we don’t have to manually configure every single right.

Below is a table of Predefined access levels

Security Hierarchy

The security levels flow in the following manner:

• Global security
• Folder-level security
• Object-level security

Global Security

The default security set for the entire system.   For example when a new folder is added, its default rights come from the global level.

If there are any access levels that are common for the entire system, you should set them at the global level.

Global level rights can be set at the settings management area of the Central Management Console

Folder-level security

Folder level security allows you to set access-level rights for a folder and objects contained within that folder.  Subfolders will inherit the security of their parent folders.

Folder level security can be set by going to the “Folders” page of the CMC, then selecting a folder, and then clicking on the Rights tab.

Object Level security

Object level security is the access-level rights set at the object level.

Folders and Categories

It is important to understand the differences between folders and categories.  Both provide a way of organizing documents and BI content.  Folders provide the physical storage location of a file as well as navigation to content.  Categories provide navigation only.  Folders are required whereas categories are optional.  Thus when using a combination of both, it is recommended that categories are used for navigation only and permissions be set at the folder level.

When you create a new folder, two sets of permissions are automatically assigned:

• Administrators are given the access level Full Control
• Everyone is given the access level Schedule

Since the “Everyone” group is assigned the default access level of Schedule when a folder is first created, all users are able to view, open and schedule any reports saved in the new folder.  For many companies, this type of access level may not be acceptable, so the best practice is to make sure “No Access” is set for the “Everyone” group when creating a new folder.  If you want to give more permission, you can tweak it later on.

I have experienced this first hand so I would like to write about some simple measures to take in order to plan your content.

Benefits of a well designed content plan include:

1. a dependable and secure implementation
2. prevent info overload from users accessing too many objects
3. unnecessary hits to the data source
4. securing confidential info
5. efficient structure so users are able to search the info they need easily

To stake holders this means:

• Usability – easy access to information in the system will increase effectivness of using the system
• User adoption – an organized easy to use system will help make it easier for users to commit to using the system
• Implementation time – setting a roadmap helps dampen unexpected circumstances.
• ROI – All of the above work together to increase the total ROI of the implementation

Creating a Logical Content Plan
Here we will map out who needs access to what content, then organizing users and contents based on those needs.

Creating a folder structure and organizing objects
First step is to assess the content according to the users who will be accessing the content. This organization will determine the folder structure of the system.
ie: The Accounting department has a set of reports to manage in BO Enterprise, you’ll put them in the Accounting parent folder. Then you might have a subfolder called called Accounts Receivable or Accounts Payable where reports can further be separated.

Organize users by creating a group/user structure
Now we want to create a group structure that will allow you to optimally manage user access to content.

This is similar to the folder structure, in our example we will have an Accounts group.

Set user and group access levels for folders and objects
Next we will want to establish the security access levels for folders and objects contained in your group/user structure. This next step is extremely critical in the planning process, otherwise you may risk setting inappropriate security access levels for your users.

Determining the needs of your users will help you establish who needs access to what folders/objects within the system. For example only users of the Accounts Payable group can access the Accounts Payable folder.

Creating Profiles for structured personalization
Next we will want to plan the security profiles that need to be created so that users will receive the correct data for any personalized reports.

For example, we have users in different regions that want to view a report belonging to their region by default. Here we can setup a profile that has the region variable set to their region (North American groups will have their region value set to “North America”), and apply it to the appropriate users.

Creating corporate categories and assigning objects
Finally you will want to define any corporate categories that need to be setup in the system. Setting up categories will provide users with the ability to search for and access reports and objects that are relevant to them. Categories should be setup depending on the user’s needs.

For example, the finance department may want to easily search for reports that are used in month-end processing, however they are scattered in many different folders. Setting up a category can help group the relevant reports and eliminate the need to go through each folder to look for what they want.

Those are the first steps you can take to creating a successfully planned content management system.

I have provided a template that can help you during your planning process that you can download here