BOB: Business Objects Board
Not endorsed by or affiliated with SAP

Register | Login 

Follow BOB on Twitter! 
Follow BOB on Twitter! (Opens a new window)  

General Notice: Upcoming Events: SAP BOBJ User Group DC: Nov 30.

XI 3.0 Security for Mere Mortals
4 members found this topic helpful
Goto page Previous  1, 2, 3, 4, 5, 6  Next
 
Search this topic... | Search BOB's Downloads... | Search Box
Register or Login to Post    Forum Index -> BOB's Downloads  Previous TopicPrint TopicNext Topic
Author Message
Dwayne Hoffpauir
Forum Groupie
Forum Groupie



Joined: 19 Sep 2002
ASUG Icon
medal_gold.gif*2speaker.gif*5medal_bronze.gif
Posts: 8644
Location: Plano, TX USA


flag
PostPosted: Tue Jan 12, 2010 9:32 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

Veronica wrote:
MikeD - Thank you so much for your helpful description, now that I know my Application/Content Access Level settings were doing what they were supposed to (and I need to 'expand' them slightly to get the desired results) I can go on about things with a bit more confidence, also I haven't seen that thread you mentioned before, it's quite helpful.

I'll give it a go, and see how things progress thumbsup.gif

Thanks to Mike and Sebastien for chiming in here. Sorry for the confusion, because the Content - Standard should definitely include the General, General right to View Objects (and sub-objects). Just an oversight on my part when transcribing things manually when I created the spreadsheet.

_________________
Dwayne Hoffpauir
Image link
Back to top
bregent
Senior Member
Senior Member



Joined: 05 Feb 2004

Posts: 97



PostPosted: Tue Mar 02, 2010 2:05 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

Hi Dwayne, thanks for sharing these documents. I am confused about one point. On slide 13 you state:

--Base group structure on CONTENT only (like department or region)
--No separate APPLICATION (technical) groups ... common in XIr2
--Avoids complexity of multiple / acyclic group membership
--Use multiple custom access levels"

Are you saying that you should no longer create application groups as well as content groups? We currently have about 50 content groups and 3 different types of application groups (similar to View, Ad-Hoc, Designer). In keeping with your concepts above, how else would you structure this?

Also, can you give an example of when you would apply multiple customer access levels? Thanks.
Back to top
Dwayne Hoffpauir
Forum Groupie
Forum Groupie



Joined: 19 Sep 2002
ASUG Icon
medal_gold.gif*2speaker.gif*5medal_bronze.gif
Posts: 8644
Location: Plano, TX USA


flag
PostPosted: Thu Mar 04, 2010 9:48 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

bregent wrote:
Hi Dwayne, thanks for sharing these documents. I am confused about one point. On slide 13 you state:

--Base group structure on CONTENT only (like department or region)
--No separate APPLICATION (technical) groups ... common in XIr2
--Avoids complexity of multiple / acyclic group membership
--Use multiple custom access levels"

Are you saying that you should no longer create application groups as well as content groups? We currently have about 50 content groups and 3 different types of application groups (similar to View, Ad-Hoc, Designer). In keeping with your concepts above, how else would you structure this?

Also, can you give an example of when you would apply multiple customer access levels? Thanks.


I'm sure you understand that the presentation material is a framework, and has to be adapted to the business situation. I'll freely admit the guidance on that slide is narrow. Always a challenge to educate, but not overwhelm, in a brief 45 minute presentation. icon_smile.gif

Back to your question though. If your model is likely to use nearly all 150 combinations (50 content x 3 application), then it certainly makes sense to have 53 (50 + 3) groups, instead of 150 (50 x 3). Your users are then made a member of as many content groups as needed, and a member of the one application group that applies.

In my model, a given content area is EITHER "refresh only" OR "ad hoc" ... never both. Therefore, a user is made a member of a single group, and that one group is given the content and application privileges accordingly.

In either case, this is still very different than the way many XIr2 security models are built. It was common in XIr2 to have "application" groups, but instead of putting users in those groups directly, the group was made a parent of the content group. Why? For one, setting application rights was by definition an "advanced" (hand customized) access level in XIr2. There was no such thing as View, Schedule, etc. for applications. So, rather than have to manually maintain advanced rights for applications on each and every content group, application groups were created, rights maintained once, and then used as parent groups. Sound complicated? Yes! With XI 3.x custom access levels, all of that complexity can be eliminated.

_________________
Dwayne Hoffpauir
Image link
Back to top
Sanjit
Senior Member
Senior Member



Joined: 05 Apr 2004

Posts: 95



PostPosted: Tue Jun 01, 2010 8:29 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

Hi Dwayne

The document was very helpfull. However i am still struggling to set up the Security in XI Rel 3. My requirement is very simple.

I have one folder (Finance) and one group (Finance_Group). There are three users who needs Refresh, Create (but not publish) and publish rights for webi reports in the finance folder respectively.

I have given "View on demand" right on Finance folder to the Finance_Group.

I have created 3 more groups called Refresh_Group , Create_Group and Publish_Group and given "View on Demand", "Full Control" to the fist two groups on Webi Application. For the 3rd group i created a CAL called "Publish_User" and provided that access to the webi application. This CAL group "Publish_User" has virtually every access to the General and Webintelligence options.

It not working as i except it to. I think there is a fundamental problem somehwre which i am missing. Ideally if i put a user in the Finance_Group and in Refresh_Group the user should be able to refresh report and henceforth. But unfortunately the user in any of the groups can publish the report in my case. Do you know where i am going wrong ?

Regards
Sanjit
Back to top
Dwayne Hoffpauir
Forum Groupie
Forum Groupie



Joined: 19 Sep 2002
ASUG Icon
medal_gold.gif*2speaker.gif*5medal_bronze.gif
Posts: 8644
Location: Plano, TX USA


flag
PostPosted: Fri Jul 02, 2010 6:42 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

Sanjit wrote:
Do you know where i am going wrong ?

Yes, I have a pretty good idea. Honestly, I think the built-in Access levels (View on Demand, Scheduling, etc.) do more harm than good, because they MIX together, both application rights and content rights. The key here is to separate those rights.

Application rights apply to ... well, the application (WebI). If a user is a member of multiple groups, then those "conflicting" rights go through a process of resolution:
Mere Mortals presentation wrote:
Every right has three possibilities:
- Explicitly denied: Always takes precedence
- Explicitly granted: Applies when otherwise not explicitly denied
- Unspecified: Not explicitly granted or denied ... considered denied

Therefore, conflicting rights are resolved as follows
- Unspecified + Explicitly denied = Denied
- Unspecified + Explicitly granted = Granted
- Explicitly granted + Explicitly denied = Denied

Applied to your example, the user must be getting the "publish" right from somewhere ... one of the groups that they are members of. And this being an application right, it applies universally.

Now, we can talk about content ... folders, etc. Those rights (add, change, delete, schedule, etc.) are applied to the folders and their contents.

Hopefully this will help, by putting those two concepts together. Content rights drive which objects the user has access to, and application rights drive what can be done with those objects.

_________________
Dwayne Hoffpauir
Image link
Back to top
Sanjit
Senior Member
Senior Member



Joined: 05 Apr 2004

Posts: 95



PostPosted: Sun Jul 18, 2010 4:26 pm 
Post subject: Re: XI 3.0 Security for Mere Mortals

Thanks Dwayne

You are right. The built in access levels was causing my problem. When i created my own CAL (with help from your excel for Mere Mortals) the problem was resolved. Thanks a lot again. I would have been struggling without that document.
Back to top
Andreas
Forum Advocate
Forum Advocate



Joined: 20 Jun 2002

medal_silver.gif*2medal_gold.gif
Posts: 17323
Location: *** BEEP ...Dreaming of Africa... leave No message ; ) BEEP ***


flag
PostPosted: Fri Aug 06, 2010 3:20 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

Senario:
- Standard documents (Web Intelligence) are exported to published folder "Department 1" --> OK
- Group power user should be able to create their own ad-hoc Web Intelligence documents --> OK
- Group power user can refresh the standard documents in the public folder "Department 1" --> OK

But I ran into the following challenge:
The power user group should be able to modify/edit the standard reports for on-the-fly analysis without being able to save those on-the-fly modified standard reports in the public folder "Department 1".
So far it seems to me, when I grant the right to edit the content (Webi documents) this does include the right to SAVE the modified content as well (thar is: ithe user can overwrite the standard report in the publich folder, which is not desired at all..).
Any ideas where I am going wrong, please?

_________________
Follow me on Twitter
Reading "The Design Of Everyday Things" by Don Norman
Focusing on Data Visualization, Design Thinking, SAP DesignStudio + scripting, SAP BI 4.x platform & architecture, SAP connectivity, Data Modeling, and SAP HANA Certified Associate
Back to top
bernard timbal
Forum Addict
Forum Addict



Joined: 26 May 2003

Posts: 3887
Location: Paris - FRANCE


flag
PostPosted: Fri Aug 06, 2010 3:31 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

And what about moving first the report to be edited in their personal folder where they could have full rights ?
_________________
Bernard TIMBAL DUCLAUX de MARTIN
BusinessObjects Platform Certified Consultant
Image link
(Co)author of 2 books about SAP BusinessObjects XI3.x and BI4.x Administration
Back to top
Andreas
Forum Advocate
Forum Advocate



Joined: 20 Jun 2002

medal_silver.gif*2medal_gold.gif
Posts: 17323
Location: *** BEEP ...Dreaming of Africa... leave No message ; ) BEEP ***


flag
PostPosted: Fri Aug 06, 2010 4:33 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

Not an effective workflow IMHO:
user has to copy the standard report (Webi) first to their personal folder/favorite folder, has then to switch to that personal folder and open the report again, very cumbersome.

Is this indeed a product "defect", worthy of an enhancement request...?

_________________
Follow me on Twitter
Reading "The Design Of Everyday Things" by Don Norman
Focusing on Data Visualization, Design Thinking, SAP DesignStudio + scripting, SAP BI 4.x platform & architecture, SAP connectivity, Data Modeling, and SAP HANA Certified Associate
Back to top
Lugh
Forum Enthusiast
Forum Enthusiast



Joined: 16 Jul 2009

Posts: 1155
Location: Herndon, VA



PostPosted: Fri Aug 06, 2010 10:09 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

I believe that you can remove the "edit" right from the folder, and the user will still have the ability to modify the report. They simply will not be able to save their changes back to that folder. The "Save As" dialog will point them back to their "My Favorites" folder.
Back to top
Andreas
Forum Advocate
Forum Advocate



Joined: 20 Jun 2002

medal_silver.gif*2medal_gold.gif
Posts: 17323
Location: *** BEEP ...Dreaming of Africa... leave No message ; ) BEEP ***


flag
PostPosted: Mon Aug 09, 2010 6:22 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

Nope, does not work. One does need EDIT OBJECTS rights on the folder (or individual Webi document) to be able to edit/modify it, but then one can save it in the very same location, overwriting the document, an abcolute no GO!

Any other ideas? Or is this indeed a product limitation?
I cannot believe nobody has come across such a trivial issue yet iamwithstupid.gif

_________________
Follow me on Twitter
Reading "The Design Of Everyday Things" by Don Norman
Focusing on Data Visualization, Design Thinking, SAP DesignStudio + scripting, SAP BI 4.x platform & architecture, SAP connectivity, Data Modeling, and SAP HANA Certified Associate
Back to top
joepeters
Forum Fanatic
Forum Fanatic



Joined: 29 Aug 2002

Posts: 6203
Location: Connecticut, USA


flag
PostPosted: Mon Aug 09, 2010 7:56 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

It's been discussed a couple of times before, but it does appear to be an intentional product limitation. Do let us know if you find a workaround icon_smile.gif

Joe
Back to top
Andreas
Forum Advocate
Forum Advocate



Joined: 20 Jun 2002

medal_silver.gif*2medal_gold.gif
Posts: 17323
Location: *** BEEP ...Dreaming of Africa... leave No message ; ) BEEP ***


flag
PostPosted: Mon Aug 09, 2010 8:10 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

Geez, this is a real bummer cryin.gif
I'll see if I can log an Enhancement request.

_________________
Follow me on Twitter
Reading "The Design Of Everyday Things" by Don Norman
Focusing on Data Visualization, Design Thinking, SAP DesignStudio + scripting, SAP BI 4.x platform & architecture, SAP connectivity, Data Modeling, and SAP HANA Certified Associate
Back to top
Andreas
Forum Advocate
Forum Advocate



Joined: 20 Jun 2002

medal_silver.gif*2medal_gold.gif
Posts: 17323
Location: *** BEEP ...Dreaming of Africa... leave No message ; ) BEEP ***


flag
PostPosted: Thu Aug 12, 2010 3:56 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

** bump ** Anybody any ideas?
_________________
Follow me on Twitter
Reading "The Design Of Everyday Things" by Don Norman
Focusing on Data Visualization, Design Thinking, SAP DesignStudio + scripting, SAP BI 4.x platform & architecture, SAP connectivity, Data Modeling, and SAP HANA Certified Associate
Back to top
MilkSjeik
Forum Member
Forum Member



Joined: 07 Sep 2007

Posts: 23


flag
PostPosted: Tue Sep 14, 2010 7:58 am 
Post subject: Re: XI 3.0 Security for Mere Mortals

I think you need to grant "edit" rights for the application and deny "edit/delete" access to the folder.
Back to top
Display posts from previous:   
Register or Login to Post    Forum Index -> BOB's Downloads  Previous TopicPrint TopicNext Topic
Page 3 of 6 All times are GMT - 5 Hours
Goto page Previous  1, 2, 3, 4, 5, 6  Next
 
Jump to:  

Index | About | FAQ | RAG | Privacy | Search |  Register |  Login 

Get community updates via Twitter:

Not endorsed by or affiliated with SAP
Powered by phpBB © phpBB Group
Generated in 0.0154 seconds using 18 queries. (SQL 0.0030 Parse 0.0004 Other 0.0120)
CCBot/2.0 (http://commoncrawl.org/faq/)
Hosted by ForumTopics.com | Terms of Service
phpBB Customizations by the phpBBDoctor.com
Shameless plug for MomentsOfLight.com Moments of Light Logo