Business Objects Tips
Business Objects tips, tricks, articles, blog, guides…
Comments
Posts

Posts Tagged ‘Security’

Denying Security Access Explicitly in Business Objects XI 3.1

Maybe I am the only one, but I have struggled twice with this topic and so I thought that I would write this short article to make sure I remember the correct workflow and hopefully help someone else out too.

Sometimes You Just Want to Say “Stay Out”

There are times when you may want to refuse access to a specific user or user group. In my case, this is usually for a specific sub-group of users where the parent group is allowed access. To be honest, there are many reasons and some may be just to appease over-cautious administrators, customers, etc.

Most Restrictive Rights Always Take Precedence

Whatever the reason, the rule of Business Objects security is always that “the most restrictive rights always take precedence”. Knowing this, some choose to deny access explicitly, even though it was never granted in the first place, just to be sure that now and in the future that user/group does not get access.

Adding the Users or Groups

In our example we will use a folder, but this translates to any object, top-level rights, or even applications. Of course, you will want to log in to the Central Management Console (CMC) using an account that is a member of the “Administrators” group. Locate your object, we are using the “BOT Expenses” folder I created for this example. By default when I select the “User Security” option from the right-click drop-down menu on the folder I see this:
business-objects-xi-3.1-explicitly-denying-access-folder-user-security
By default my environment denies access to the “Everyone” group. This is done by editing the top-level folder security in advance.
Next we need to select “Add Principal” and choose the groups to whom we want to deny access.
business-objects-xi-3.1-explicitly-denying-access-add-principals

Assign Security – What? Why? I Want to Deny not Assign!

Click the “Add and Assign Security” button and you will see the following page:
business-objects-xi-3.1-explicitly-denying-access-assign-security
Now here is where I was getting confused. At first I was looking for an Access Level called “No Access”, this was the BO XI R2 in me. Then I thought well, maybe it is implicit here and all I have to do is “Save” and be done. I clicked “Apply” and the screen just re-drew itself, making no changes. Then I clicked “OK” and I saw this message:
business-objects-xi-3.1-explicitly-denying-access-warning-message
Click “OK” here just returned me to the screen depicted in the first screenshot above and erased all of the “principals”. Thank you CMC, I love you too.

So How Do You Make It Work?

OK, I will just tell you how to make it work. Return back to this screen:
business-objects-xi-3.1-explicitly-denying-access-assign-security
Now either click the “Remove Access” button or manually un-check the boxes next to “Inherit From Parent Folder” and “Inherit From Parent Group”. Either action results in the same result. Now click “OK” and you will still get this prompt:
business-objects-xi-3.1-explicitly-denying-access-warning-message
But this is “OK” this time… so click “OK”.

Successfully Explicitly Denying Security Access in Business Objects XI 3.1

Now you should see the groups that you select with the most desired access level of “No Access”.
business-objects-xi-3.1-explicitly-denying-access-successful

Congratulations, to you if you figured this out on your own and can remember this less-than-intuitive CMC security workflow. Once you look at the removing inheritance aspect it makes sense, but it still seems like there should have been an access level called “No Access”. Perhaps, an overly cautious Business Objects XI 3.1 administrator would create a custom access level that has everything explicitly denied and call this one “No Access”, unless Business Objects XI reserves that name in which case you could call it “No Access – Thanks to BusinessObjectsTips.com!”. That would be a great name for sure.

Please read Marshall’s important note below for additional explanation.

What is a Universe Overload?

What a cool and confusing name!

I have to admit that the name “Universe Overload” tends to send my imagination going to exciting science-fiction worlds and different dimensions. I think the person that coined the phrase must have chosen it for that reason, because for me it does not seem to represent. To calm my imagination and to help the phrase prompt more appropriate understanding I tend to replace the word “Overload” with “Override”. In general, “Universe Overloads” override the default restrictions placed on the universe objects.

Then what are “Access Restrictions”?

Prior to BO XI 3, “Universe Overrides” were called “Universe Overrides”. In Business Objects XI 3.1 “Universe Overrides” we renamed (like so many other things) “Access Restrictions”. The incremental boringness of this new name is off-set by an equal increase in the descriptiveness of the name. “Universe Overrides” or “Access Restrictions” are simply object restrictions, table mapping, and row restrictions which are directly added to a universe.

How can I add or modify a Universe Overload?

You can modify/view these “Access Restrictions” by opening the universe in Designer. Then select Tools > Manage Security… > Manage Access Restrictions. Nevertheless, if you did not know that already then you will need more than this brief article to get you safely going into the exciting and futuristic world of “Universe Overloads”.