BOB: Business Objects Board
Not endorsed by or affiliated with SAP

Register | Login 

Want to sponsor BOB? 
Want to sponsor BOB? (Opens a new window)  

General Notice: Upcoming Events: SAP Insider BI2017 Orlando: Mar 2.

XI 3.0 Security for Mere Mortals
4 members found this topic helpful
Goto page 1, 2, 3, 4, 5, 6  Next
 
Search this topic... | Search BOB's Downloads... | Search Box
Register or Login to Post    Forum Index -> BOB's Downloads  Previous TopicPrint TopicNext Topic
Author Message
Bob Junior
Site Administrator
Site Administrator



Joined: 23 Apr 2005

Posts: 204


flag
PostPosted: Wed Oct 22, 2008 1:37 pm 
Post subject: XI 3.0 Security for Mere Mortals

Dwayne Hoffpauir's 2008 GBN User Conference presentation.

A look at the XI security model, focusing on new features in XI 3.0:
- Custom access levels
- Ability to assign more than one access level
- Ability to selectively choose whether a given right "cascades" or not
- More granularity by specific document types

The new features enable a robust "building blocks" approach to security that makes security managable by "mere mortals." The download includes an Excel spreadsheet that lists every possible individual right (nearly 1,300 of them), categorized by the object to which they apply. Very useful in drafting / maintaining your own security matrix.

[edit 14-Dec-2009 ... additional attachment added listing all rights in XI 3.1 environment ... Dwayne]



XI 3.1 security matrix.zip
 Description:
Updated master list of rights for XI 3.1

Download
 Filename:  XI 3.1 security matrix.zip
 Filesize:  109 KB
 Downloaded:  10033 Time(s)


XI 3.0 Security for Mere Mortals.zip
 Description:

Download
 Filename:  XI 3.0 Security for Mere Mortals.zip
 Filesize:  726.18 KB
 Downloaded:  11273 Time(s)


_________________
Bob Junior
Back to top
Dwayne Hoffpauir
Forum Groupie
Forum Groupie



Joined: 19 Sep 2002
ASUG Icon
medal_gold.gif*2speaker.gif*5medal_bronze.gif
Posts: 8644
Location: Plano, TX USA


flag
PostPosted: Thu Oct 23, 2008 10:51 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

For those attending my presentation, I left out one "cool" use of the cascading / non-cascading feature that can now be applied to individual rights. In previous releases, when a developer was given broad rights over a folder, the could not only add / change / delete objects within the folder, but they could also DELETE THE FOLDER ITSELF!

With XI 3.0, you can set the delete right to apply ONLY to sub-objects. That way they can delete objects, sub-folders, etc., but NOT the object (folder) itself!

_________________
Dwayne Hoffpauir
Image link
Back to top
malc001
Senior Member
Senior Member



Joined: 26 Sep 2005

Posts: 82
Location: London


flag
PostPosted: Fri Oct 24, 2008 2:56 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

this is fantastic - thanks Dwayne!
_________________
Working in London
Currently Webi & Universe Designer XIr3 with InfoBurst

The past is history, the future's a mystery and this moment's a gift. That's why it's called the present....
Back to top
rachidb
Principal Member
Principal Member



Joined: 06 Jul 2006

Posts: 486
Location: Mississauga, ON Canada


flag
PostPosted: Fri Oct 24, 2008 12:10 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

This is great. And just the right timing as we are planning to upgrade to XI 3.1 soon.

Thanks Dwayne.
Rachid
Back to top
Sebastien Goiffon
Forum Fanatic
Forum Fanatic



Joined: 29 Sep 2004
ASUG Icon
Posts: 6446
Location: Boston, MA


flag
PostPosted: Fri Oct 24, 2008 1:00 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

Dwayne Hoffpauir wrote:
For those attending my presentation


I attended and I really wanted to have a chat with you concerning some of your recommendations that I personnaly don't make icon_wink.gif next time!

_________________
360Suite: Security, backup, promotion, bursting, automated regression testing, BI on BI solutions.
Fast-track migration to bi4.2 80% time saver.
Back to top
Maddy_S
Forum Member
Forum Member



Joined: 06 Apr 2009

Posts: 14


flag
PostPosted: Thu Apr 23, 2009 11:05 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

Hi Dwayne, I have a requirement like

50 folders for 50 different clients
for each client 3 different kind of users: Advanced, medium, general

As per security matrix in your presentation , do i need to create 50*3 =150 groups to acheive the security?

i am totally confused about how i should create groups.

can you please help me in designing group structure for theses folders..

Thanks a bunch,
Manda
Back to top
Dwayne Hoffpauir
Forum Groupie
Forum Groupie



Joined: 19 Sep 2002
ASUG Icon
medal_gold.gif*2speaker.gif*5medal_bronze.gif
Posts: 8644
Location: Plano, TX USA


flag
PostPosted: Fri Apr 24, 2009 8:15 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

manda wrote:
50 folders for 50 different clients
for each client 3 different kind of users: Advanced, medium, general

As per security matrix in your presentation , do i need to create 50*3 =150 groups to acheive the security?

You should be able to create 53 groups (50+3). Then make any given user a member of two groups ... one client group, and one "kind" group.

_________________
Dwayne Hoffpauir
Image link
Back to top
sovichet
Forum Member
Forum Member



Joined: 10 Jul 2007

Posts: 14



PostPosted: Wed Jun 03, 2009 3:53 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

ranmori wrote:
seeya.gif nopity.gif
Quote:
Dwayne Hoffpauir wrote:
PostPosted: 24 Apr 2009 13:15 Post subject: Re: XI 3.0 Security for Mere Mortals
manda wrote:
50 folders for 50 different clients
for each client 3 different kind of users: Advanced, medium, general

As per security matrix in your presentation , do i need to create 50*3 =150 groups to acheive the security?

You should be able to create 53 groups (50+3). Then make any given user a member of two groups ... one client group, and one "kind" group.

Such a good advice! Thanks


Is this only true when a user is always a "kind" of user? For instance, in a scenario with three kinds of users: Advanced, Medium, General and Two Groups: HR and Sales.

In your scenario there would be 5 groups. Let's say User: Bob is an Advanced User for the HR Group.

He would be placed in the "Advanced" group and the "HR" group. Later on, Bob also needs view only access to the "Sales" group. Due to security requirements, he is not allowed to be an advanced user of the Sales group.

Adding BOB to the "Sales" group while he is already in the "Advanced" group and the "HR" group would give him too much access.

In this particular type of scenario, would I need to create the 50x3 groups?

edit: without using overrides or individual user level security for Bob.
Back to top
liloo
Senior Member
Senior Member



Joined: 06 Jun 2007

Posts: 40


flag
PostPosted: Fri Jun 12, 2009 5:01 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

Hi everybody !

I just don't understand something :
In the 3.1 matrix I understood that, we should better "play" with the different customised access level, and then apply those levels for a group in order them to have rights on folder or applications.

so a user belongs to a group

instead of :
creating groups with their rights on folders
creating groups with their rights on application

so a user belongs to 2 groups.

And following the questions upper, the solution proposed by Dwayne is the second one : a user belongs to 2 groups

So what is the best solution if ever ?
thanks for your answer
Back to top
Dwayne Hoffpauir
Forum Groupie
Forum Groupie



Joined: 19 Sep 2002
ASUG Icon
medal_gold.gif*2speaker.gif*5medal_bronze.gif
Posts: 8644
Location: Plano, TX USA


flag
PostPosted: Tue Jun 16, 2009 2:39 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

sovichet wrote:
Adding BOB to the "Sales" group while he is already in the "Advanced" group and the "HR" group would give him too much access.

In this particular type of scenario, would I need to create the 50x3 groups?

Still wouldn't help. Application rights are NOT applied to content folders. The only solution is two different user ID's.

_________________
Dwayne Hoffpauir
Image link
Back to top
Franko418
Forum Member
Forum Member



Joined: 07 Jul 2004

Posts: 10



PostPosted: Tue Jun 16, 2009 3:24 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

Are there any additional rights in XI 3.1? If so, is there a new download for XI 3.1?
Back to top
sovichet
Forum Member
Forum Member



Joined: 10 Jul 2007

Posts: 14



PostPosted: Tue Jun 16, 2009 3:46 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

Dwayne Hoffpauir wrote:
sovichet wrote:
Adding BOB to the "Sales" group while he is already in the "Advanced" group and the "HR" group would give him too much access.

In this particular type of scenario, would I need to create the 50x3 groups?

Still wouldn't help. Application rights are NOT applied to content folders. The only solution is two different user ID's.


That is correct for content folders. However, what about Universe folders? Setting "Not Specified" for the edit/delete permissions seem to effectively limit what these "mixed" users could do with the universes contained in the folders. I will try to post a real example tomorrow.
Back to top
Dwayne Hoffpauir
Forum Groupie
Forum Groupie



Joined: 19 Sep 2002
ASUG Icon
medal_gold.gif*2speaker.gif*5medal_bronze.gif
Posts: 8644
Location: Plano, TX USA


flag
PostPosted: Thu Jun 18, 2009 7:28 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

sovichet wrote:
Dwayne Hoffpauir wrote:
sovichet wrote:
Adding BOB to the "Sales" group while he is already in the "Advanced" group and the "HR" group would give him too much access.

In this particular type of scenario, would I need to create the 50x3 groups?
Still wouldn't help. Application rights are NOT applied to content folders. The only solution is two different user ID's.
That is correct for content folders. However, what about Universe folders? Setting "Not Specified" for the edit/delete permissions seem to effectively limit what these "mixed" users could do with the universes contained in the folders. I will try to post a real example tomorrow.

Let's see. I took your requirement against "give him too much access" rather literally I guess. I should ask, which application rights are the concern? Report authoring rights (DeskI, WebI), Designer rights, other? There is an individual right that can be applied to universes to allow data provider create / edit against that universe. It is the ONLY exception that I know of where what is essentially an application right is applied to content (documents, universes, etc.).

_________________
Dwayne Hoffpauir
Image link
Back to top
liloo
Senior Member
Senior Member



Joined: 06 Jun 2007

Posts: 40


flag
PostPosted: Thu Jun 18, 2009 8:56 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

Hi ! must we always create rights for application AND rights for content.
Or is it possible to imagine that the ones who will refresh have all the same rights and can only access their folder and then refresh a webi document and so, we create a right "refresh", then
we create "accounting group" and apply the "refresh" right on the universe, connection, folder in relation with accounting, and the apply the same right "refresh" on application WebIntelligence

Then if there is the same behaviour on "sales group", we apply the same "refresh" right for the sales group, on sales folder, etc.
Back to top
itsmaloy
Principal Member
Principal Member



Joined: 25 Jan 2007

Posts: 215
Location: Mountain View, CA


flag
PostPosted: Mon Sep 21, 2009 11:15 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

Dwayne,
To get to the list of all the rights, did you use something like VBA to go over the collections and print out the rights in Excel?

If so, it it possible for you to share the code?

Thanks
Maloy
Back to top
Display posts from previous:   
Register or Login to Post    Forum Index -> BOB's Downloads  Previous TopicPrint TopicNext Topic
Page 1 of 6 All times are GMT - 5 Hours
Goto page 1, 2, 3, 4, 5, 6  Next
 
Jump to:  

Index | About | FAQ | RAG | Privacy | Search |  Register |  Login 

Get community updates via Twitter:

Not endorsed by or affiliated with SAP
Powered by phpBB © phpBB Group
Generated in 0.0920 seconds using 19 queries. (SQL 0.0059 Parse 0.0736 Other 0.0125)
CCBot/2.0 (http://commoncrawl.org/faq/)
Hosted by ForumTopics.com | Terms of Service
phpBB Customizations by the phpBBDoctor.com
Shameless plug for MomentsOfLight.com Moments of Light Logo