BOB: Business Objects Board
Not endorsed by or affiliated with SAP

Register | Login 

Follow BOB on Twitter! 
Follow BOB on Twitter! (Opens a new window)  

General Notice: Upcoming Events: SAP BOBJ User Group DC: Nov 30.

XI 3.0 Security for Mere Mortals
4 members found this topic helpful
Goto page Previous  1, 2, 3, 4, 5, 6  Next
 
Search this topic... | Search BOB's Downloads... | Search Box
Register or Login to Post    Forum Index -> BOB's Downloads  Previous TopicPrint TopicNext Topic
Author Message
Dwayne Hoffpauir
Forum Groupie
Forum Groupie



Joined: 19 Sep 2002
ASUG Icon
medal_gold.gif*2speaker.gif*5medal_bronze.gif
Posts: 8644
Location: Plano, TX USA


flag
PostPosted: Wed Sep 23, 2009 12:26 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

itsmaloy wrote:
To get to the list of all the rights, did you use something like VBA to go over the collections and print out the rights in Excel?

I tried, but never found a reliable way to do so. It took a few hours of copy / paste from CMC. Tedious and possibly error prone, but in the end quicker than fiddling with code. The SDK just isn't very good at this "master data" kind of thing.

_________________
Dwayne Hoffpauir
Image link
Back to top
anorak
Forum Enthusiast
Forum Enthusiast



Joined: 13 Sep 2002

Posts: 1204
Location: U.K.


flag
PostPosted: Tue Oct 06, 2009 4:00 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

Dwayne,

I'm playing around with Xi3 security for the first time, having not done any security modelling since the days of v5 / v6. I'm trying to reproduce the blocks in your presentation, but am confused by what I see as duplicate permissions.

What is the difference between 'View SQL' within the Content\Desk Intelligence Report group, and 'View SQL' within the Application\Desktop Intelligence group? What happens if one is granted and the other isn't?

There are other similar duplicates for both Deski and Webi.

Thanks...

_________________
Available for part-time contract work.
Back to top
Dwayne Hoffpauir
Forum Groupie
Forum Groupie



Joined: 19 Sep 2002
ASUG Icon
medal_gold.gif*2speaker.gif*5medal_bronze.gif
Posts: 8644
Location: Plano, TX USA


flag
PostPosted: Thu Oct 08, 2009 8:52 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

anorak wrote:
What is the difference between 'View SQL' within the Content\Desk Intelligence Report group, and 'View SQL' within the Application\Desktop Intelligence group? What happens if one is granted and the other isn't?

Let's start with the easy part. The application one will drive what you do ... well, within the application. Same for content ... it would apply to individual DeskI documents.

Now as to the interaction between them, I haven't tested it, but this would be my "hypothesis." You'd have to have the application right, or you wouldn't even be able to choose that option in the DeskI client. That would enable you to create new documents, see the SQL, etc. The content right would then be a matter of granularity. You could prevent viewing of SQL for some documents, and not others. Again, my hypothesis, but should be easily verified.

_________________
Dwayne Hoffpauir
Image link
Back to top
JPetlev
Forum Enthusiast
Forum Enthusiast



Joined: 01 Nov 2006

Posts: 1097



PostPosted: Tue Oct 13, 2009 3:24 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

One quick question...

I understand how the new XIR3 security model works, but am awaiting a password before I can get into my CMC to fiddle with it... I've been spending the past week preparing scope documents and such..

On Column "D" of the spreadsheet above, it is labeled "Applicability", is this something new in XIR3? I don't quite understand what that column is used for when planning your security model..

At first I thought "General" and "Override General" were indications that this model is overriding the default settings.. but then I see "Specific" and it kind of throws that idea away...

What is that column telling me to consider that I'm missing?
Back to top
Dwayne Hoffpauir
Forum Groupie
Forum Groupie



Joined: 19 Sep 2002
ASUG Icon
medal_gold.gif*2speaker.gif*5medal_bronze.gif
Posts: 8644
Location: Plano, TX USA


flag
PostPosted: Tue Nov 17, 2009 2:25 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

JPetlev wrote:
One quick question...

I understand how the new XIR3 security model works, but am awaiting a password before I can get into my CMC to fiddle with it... I've been spending the past week preparing scope documents and such..

On Column "D" of the spreadsheet above, it is labeled "Applicability", is this something new in XIR3? I don't quite understand what that column is used for when planning your security model..

At first I thought "General" and "Override General" were indications that this model is overriding the default settings.. but then I see "Specific" and it kind of throws that idea away...

What is that column telling me to consider that I'm missing?

I missed this post originally, so my apologies there. You are on the right track. This is something new in XI 3.x. The "General / General" rights are still there ... basic add, edit, delete, view, etc. In XI 3.x, you can get more granular, based on the content type ... hence the "override general" terminology used by XI 3.x. As an example, it is possible to allow someone to "add" Excel documents to a folder, but not a WebI document, using this "override general" granularity.

My advice is to NOT use the "General / General" rights in custom access levels at all. Unless of course that is exactly what you intend ... that the rights apply universally, regardless of content type. Otherwise, it's just too easy to grant unintended access.

_________________
Dwayne Hoffpauir
Image link
Back to top
JPetlev
Forum Enthusiast
Forum Enthusiast



Joined: 01 Nov 2006

Posts: 1097



PostPosted: Mon Dec 07, 2009 1:55 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

I almost forgot to ask, is the spreadsheet posted in the original post above still applicable to XI 3.1 SP2? Or has rather has there been any changes which might make some of these access levels obsolete or broken in any way?

EDIT: Ok it seems I was able to answer my own question... the spreadsheet above is NOT all inclusive of all 3.1 SP2 rights. I have't been able to spend the time to go through them all, but so far I've noticed the auto-save rights are not in the sheet. This leads me to believe it was not updated beyond XI3.0.

If anyone's already done the work of updating one for 3.1 SP2, if you could provide a link that would be great. Right now I'm just updating my own sheet as I find missing items.
Back to top
Dwayne Hoffpauir
Forum Groupie
Forum Groupie



Joined: 19 Sep 2002
ASUG Icon
medal_gold.gif*2speaker.gif*5medal_bronze.gif
Posts: 8644
Location: Plano, TX USA


flag
PostPosted: Mon Dec 14, 2009 9:19 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

JPetlev wrote:
I almost forgot to ask, is the spreadsheet posted in the original post above still applicable to XI 3.1 SP2? Or has rather has there been any changes which might make some of these access levels obsolete or broken in any way?

EDIT: Ok it seems I was able to answer my own question... the spreadsheet above is NOT all inclusive of all 3.1 SP2 rights. I have't been able to spend the time to go through them all, but so far I've noticed the auto-save rights are not in the sheet. This leads me to believe it was not updated beyond XI3.0.

If anyone's already done the work of updating one for 3.1 SP2, if you could provide a link that would be great. Right now I'm just updating my own sheet as I find missing items.


I have added an additional attachment to the original post here. Items that are new in XI 3.1 are highlighted in a different color. Here is a summary:
    - New WebI application right: Enable Autosave for this user
    - New content types: Analytic, Dashboard, Xcelsius DM
    - The only other change I found was basically a re-labeling (or add / delete if you prefer). For WebI application right, it is now Edit SQL instead of Java Report Panel: Edit SQL.
To be clear, this is the result of a screen by screen manual comparison, nothing programmatic. Therefore it may still have flaws, but I think it's close.

_________________
Dwayne Hoffpauir
Image link
Back to top
JPetlev
Forum Enthusiast
Forum Enthusiast



Joined: 01 Nov 2006

Posts: 1097



PostPosted: Thu Dec 17, 2009 2:35 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

Dwayne Hoffpauir wrote:
I have added an additional attachment to the original post here.


Thanks!
Back to top
Veronica
Principal Member
Principal Member



Joined: 22 Nov 2002

Posts: 153



PostPosted: Sat Jan 09, 2010 5:01 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

Can someone please clarify something for me with regards to the Security For Mere Mortals Powerpoint slide ?

I created a group of users, with :

Application Access Level - Refresh (Assigned to Infoview, and WebI application)
Content Access Level - Standard (Assigned to a universe, its connection, and the folder containing the WebI reports)

Ideally, I want these users to login, see the reports folder (and any sub folders contained within), and to be able to open a report, and only be able to refresh/save it (but not modify, edit query/sql etc).

However, this is not happening, when a user from that group logs in, they are only able to see the folder itself with no reports inside nor any of the sub folders contained within.

Also, if I change the Content Access Level on the folder to "Developer" then users would see the sub folders and any WebI reports there. However, if I try to refresh any report it would say universe not found, and when I click on Edit Query there are thus no objects on the left hand pane. I just want to know what kind of Content/Application access should I grant a group for them to be able to see a folder and all its sub folders, and to be able to refresh the reports in there but not modify nor view SQL really. I believe page 18 in the Powerpoint presentation details this, but I must be doing something wrong as I'm not getting the desired results crazy.gif

Oh, and the Everyone group has "View Folder Only" Content Level Access on the root folder in case anyone's wondering. ...so where do I need to look to fix this ? any ideas ? our implementation is BO XI R3.1 by the way. Thanks in advance for any ideas/help.[/b]
Back to top
Sebastien Goiffon
Forum Fanatic
Forum Fanatic



Joined: 29 Sep 2004
ASUG Icon
Posts: 6460
Location: Boston, MA


flag
PostPosted: Sat Jan 09, 2010 5:08 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

Veronica wrote:


However, this is not happening, when a user from that group logs in, they are only able to see the folder itself with no reports inside nor any of the sub folders contained within.


You probably check the option apply to folder only for the right View objects

You should also setup the rights on universe folders and on connection ...

I recommend no to mix acess level. I mean one access level for folder security, another one for universes ... Thus you won't miss to setup the security on all the objects. And you are obliged to do so objects per objects!

_________________
360Suite: Security, backup, promotion, bursting, automated regression testing, BI on BI, version control solutions.
Fast-track migration to bi4.2 80% time saver.
Back to top
Veronica
Principal Member
Principal Member



Joined: 22 Nov 2002

Posts: 153



PostPosted: Sat Jan 09, 2010 10:49 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

Sorry Sebastien, I may need more clarification,
Sebastien Goiffon wrote:
You probably check the option apply to folder only for the right View objects
...but in the XI 3.0 Security Matrix Excel sheet (in the "Content - Standard" tab), it only has "View documents instances that the user owns" and it is granted for both objects and sub-objects, so I guess if an admin makes a report for a user in this group they wouldn't be able to see it which is why this is happening ?.

I don't see any reference to "View Document Instances" or "View Objects" in the "Standard" Content Access Level tab of the Excel sheet. (only to the ones a user owns)
Sebastien Goiffon wrote:
You should also setup the rights on universe folders and on connection ...
I believe I have done, as I have given Content Access Level - Standard (Assigned to a universe, its connection, and the folder containing the WebI reports), is there some place else I missed ?.
Sebastien Goiffon wrote:
I recommend no to mix acess level. I mean one access level for folder security, another one for universes
So basically I should give "Standard" Content Access Level to the Universe folder, and the Reports folder correct ?

What would be the best Application Access Level and Content Access Level settings to give users who can log in and find reports made for them that they can only refresh and save ? (I thought it would be Application - Refresh, and Content - Standard, but I'm thinking I may need to change some of the default values specified in the Excel sheet to allow more control such as to see objects not just made by the user themselves)

Thanks for your help.
Back to top
MikeD
Forum Addict
Forum Addict



Joined: 18 Jun 2002

Posts: 3017
Location: Cape Town


flag
PostPosted: Sun Jan 10, 2010 2:14 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

AL = Access Level

1. Correct - depending on the base layer of security you might want to either change the Content Standard AL to include the 2 General rights:
View Objects
View Document Instances

Or - create an additional access level for this functionality to add to specific situations that requires it.
I.e. this model is based on inheritance so you can add the 'building block' that includes generic object and instance rights if your situation requires the general restriction to be applied in most instances.


2. If you amend the Content Standard you will then only need to apply this AL to both the connection and universes as mentioned.
There is a good discussion re the various scenario's at:
http://www.forumtopics.com/busobj/viewtopic.php?t=144462&highlight=universe+rights

3. Correct - simply add the generic view rights as per the above.
We initially included these rights in Content Standard but have since started creating finite more specific rights as opposed to a generic right so that we can rather provide security in smaller building block methods.

_________________
Image linkImage linkImage linkImage link
Back to top
Veronica
Principal Member
Principal Member



Joined: 22 Nov 2002

Posts: 153



PostPosted: Sun Jan 10, 2010 6:13 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

MikeD - Thank you so much for your helpful description, now that I know my Application/Content Access Level settings were doing what they were supposed to (and I need to 'expand' them slightly to get the desired results) I can go on about things with a bit more confidence, also I haven't seen that thread you mentioned before, it's quite helpful.

I'll give it a go, and see how things progress thumbsup.gif
Back to top
JPetlev
Forum Enthusiast
Forum Enthusiast



Joined: 01 Nov 2006

Posts: 1097



PostPosted: Mon Jan 11, 2010 3:51 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

Dwayne, Thanks again for the 3.1 list of security but I'm a bit confused about two particular 'content' security settings.

Publication
Analytic

I'm trying to make sure that my users cannot "New-->Publication" or Analytic , nor view any publications or analytics. (We aren't using them nor will support them at this time).

I cannot seem to find where they are getting the permissions from... everything I look at says that all of those content permissions are 'not-specified' , which I understood to mean "You do not have access to currently unless you are granted that permission elsewhere".

The only way I can see to remove this ability is to apply a "Deny" permission at some level... but I hate to do that in case later we decide to open it up for specific users... I won't be able to 'grant' to those users because it's being denied.

Since neither of these are applications but rather CONTENT rights.. where would I look to find the highest level where this is set to 'grant' (which is what I assume must exist somewhere to grant this access).

OR.. are these a case of "ohh Business Objects defaults the permission to 'grant' even though it states 'not-specified' "
Back to top
Dwayne Hoffpauir
Forum Groupie
Forum Groupie



Joined: 19 Sep 2002
ASUG Icon
medal_gold.gif*2speaker.gif*5medal_bronze.gif
Posts: 8644
Location: Plano, TX USA


flag
PostPosted: Tue Jan 12, 2010 9:09 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

JPetlev wrote:
Dwayne, Thanks again for the 3.1 list of security but I'm a bit confused about two particular 'content' security settings.

Publication
Analytic

I'm not going to be of much help here. I don't use those functionalities. I simply listed them for completeness in the document.

_________________
Dwayne Hoffpauir
Image link
Back to top
Display posts from previous:   
Register or Login to Post    Forum Index -> BOB's Downloads  Previous TopicPrint TopicNext Topic
Page 2 of 6 All times are GMT - 5 Hours
Goto page Previous  1, 2, 3, 4, 5, 6  Next
 
Jump to:  

Index | About | FAQ | RAG | Privacy | Search |  Register |  Login 

Get community updates via Twitter:

Not endorsed by or affiliated with SAP
Powered by phpBB © phpBB Group
Generated in 0.0503 seconds using 18 queries. (SQL 0.0034 Parse 0.0335 Other 0.0133)
CCBot/2.0 (http://commoncrawl.org/faq/)
Hosted by ForumTopics.com | Terms of Service
phpBB Customizations by the phpBBDoctor.com
Shameless plug for MomentsOfLight.com Moments of Light Logo