Comments on: Denying Security Access Explicitly in Business Objects XI 3.1

By: Laxman

Laxman — Tue, 29 Nov 2011 08:15:00 +0000

I am new to CMCApplication,
I have question, that how to assign rights to user on particular webi folder . My requirement is, he can view and refresh reports contained in that folder.

By: Laxman

Laxman — Thu, 17 Nov 2011 16:30:44 +0000

Thanks Julian for reply.

By: Julian

Julian — Mon, 24 Oct 2011 12:26:29 +0000

Hi Laxman, what you seek can only be obtained using the Business Objects SDK or some third-party tool developed using the SDK. I don’t have any to recommend, sorry.

By: Laxman

Laxman — Wed, 19 Oct 2011 10:40:32 +0000

Is anyone have inforamation about, how to find list of all user with their groups and privileges

By: Sambasiva

Sambasiva — Wed, 14 Sep 2011 12:56:14 +0000

Thanks for pointing out that we miss “No Access” Access level.

By: Julian

Julian — Tue, 24 Aug 2010 12:42:38 +0000

Knut, thanks. This is very insightful and helpful.

By: Knut

Knut — Tue, 24 Aug 2010 11:50:03 +0000

If possible use only Custom Access Level (CAL) definitions.
The way I solved the dilemma to allow access to normal folders but not subfolders was to create two CALs. One grants access to the folder (and by inheritance to all subfolders that might lurk beyond it). Then another CAL that explicitely denies access to a specific subfolder.
CAL One is applied to the folder itself and inheritance is working.
CAL Two is applied to the sub folder and also keeps inheritance working.
The effect is that a user under both these CALs has access to the folder and its subfolders except the one (and its sub folders) where access is denied.

This also works for folders where users can run reports but in sub folders shall only view. Explicitely denying the rights to run/schedule reports and refresh data reverts rights back to View level only (I don’t use any of the predefined standards as they can be too coarse) so that my users now can run reports as they like in the standard folder but only view contents in the folder below, where the automated distributions are kept.

By: Don

Don — Fri, 23 Apr 2010 14:48:42 +0000

Brian,
Thanks for the information.
I have been struggling with a re-design of a BO Security deployment. I was trying to set Everyone to No Access for top-level folders and have been trouble-shooting why I was unable to grant access at any other folder level.

This explains it. But I must agree I don’t know why BO would use this logic for top-level folders. It seems it would be much better to use no access at the top level and then only grant access to those folders a user group needs.

Also, I find it surprising that such a major change in security access rules is not documented and pointed out in BO’s documentation. Maybe it’s in the what’s new section, but I cannot find this section. I know I read it a year or so ago before I started using XI R3.
Since this isn’t documented, maybe this is actually an oversight (bug) on SAP BO’s part. I wonder if they will change this back again with a future release?
Thanks again.

By: Brian

Brian — Mon, 15 Feb 2010 23:35:40 +0000

Marshall, no offense but your article is wrong in a number of places.
1. If you set the everyone group to have ‘No access’ at the top level then your users will not be able to see any of the folders. V3 and 3.1 went back to the old ‘v5/6 Supervisor’ option of forcing users to have at least ‘View’ access on a top level folder before they could ‘see’ anything beneath it. This is completely different from v2 of BOXI.

2. In v2.0, 2.1, 3.0 and 3.1 the rule is “the least restrictive” applies. The rule you specified was true for every version before XI.
You can easily test this out by setting the top level folder setting to ‘Everyone – No Access’ and then , say, ‘Sales – Full Control’. If we had a user , bob, who is in the ‘Everyone’ group (as is always the case for every user in the entire deployment) and also in Sales then there is a conflict of permissions. Is it ‘No Access’ or is it ‘Full Control’? The answer is ‘Full Control’.

By: Julian

Julian — Thu, 31 Dec 2009 00:39:11 +0000

Hey Marshall, thanks for keeping me straight. You make excellent points. I like your “recycle bin” group idea. In my recent case I needed to ensure that members of a particular group could not touch certain folders that they didn’t even yet have access to (through any other group). I found that the only way to accomplish without screwing up their other access, was to do the above. Now I am wondering if this really is as rock-solid a solution as I had hoped.