BusinessObjects Enterprise Administrator's Guide

Calculating a user's effective rights

When a user attempts to perform an action on a BusinessObjects Enterprise object, the CMS determines the user's rights to that object. If the user possesses sufficient rights, the CMS permits the user to perform the requested action.

Although the calculations performed by the CMS can become quite complex, there are several ways to keep your object security model clear, consistent, and easy to maintain. For complete details on setting up a system that makes sense for your BusinessObjects Enterprise system, see Customizing a 'top-down' inheritance model.

To calculate the user's effective rights, the CMS follows a complex algorithm. This sequence of steps, and its various possible outcomes, is provided for administrators and/or system architects who prefer to know exactly how the CMS calculates the rights a user has to any object. The algorithm is described here and then illustrated in a different way using pseudocode:

  1. The CMS checks the rights that have been directly granted or denied to the user's account. The CMS immediately denies any right that is explicitly denied.

    2. Tip:    If an individual user's account has not been assigned any rights to the object, then group inheritance is enabled by default. As the result, you can make all your object rights settings at the group level to save administrative effort.

  2. If folder inheritance is enabled for the user, the CMS determines the rights that the user has to the object's parent folder. The CMS determines these rights by ascending the inheritance tree to the level at which the inherited rights begin to take effect. The CMS denies any right that is explicitly denied (even if the right had already been explicitly granted).
  3. If group inheritance is enabled for the user, the CMS determines the rights specified on the object for each of the groups that the user belongs to. The CMS denies any right that is explicitly denied in any group (even if the right had already been explicitly granted).
  4. If group inheritance is enabled for the user, and folder inheritance is enabled for a group that the user belongs to, then the CMS determines the rights that the group has to the parent folder. The CMS denies any right that is explicitly denied in any group (even if the right had already been explicitly granted).
  5. The CMS completes the algorithm by denying any rights that remain "Not Specified."

As the result, when both types of inheritance are enabled, the CMS grants the user only those rights that are explicitly granted in one or more locations and never explicitly denied.

When you disable both types of inheritance for a user, you reduce this algorithm to two steps (1 and 5). Thus, the CMS grants the user only those rights that he or she has been explicitly granted. This provides you with the least complicated way of ensuring that a user has only those rights that you have explicitly granted to him or her for a particular object.

When you disable folder inheritance for a user, you reduce this algorithm to three steps (1, 3, and 5). When you disable group inheritance for a user, you reduce this algorithm to three different steps (1, 2, and 5). In both cases, the CMS grants the user only those rights that are explicitly granted in one or more locations and never explicitly denied.

This pseudocode is provided as another way to illustrate and describe the algorithm that the CMS follows in order to determine whether a user is authorized to perform an action on a particular object:

IF {

    (User granted right to object = True)

    OR    [

        (Inherit Parent Folder Rights = True) AND (User granted right to parent folder = True)

        ]

    OR        [

        (Inherit Group Rights = True) AND (Group granted right to object = True)

        ]

    OR  [

        (Inherit Group Rights = True) AND (Group granted right to parent folder = True)

    ]

}

AND    {

    (User denied right to object = False)

    AND    [

        (Inherit Parent Folder Rights = False)

        OR ((Inherit Parent Folder Rights = True) AND (User denied right to parent folder =  False))

        ]

    AND    [

        (Inherit Group Rights = False)

        OR ((Inherit Group Rights = True) AND (Group denied right to object = False))

        ]

    AND    [

        (Inherit Group Rights = False)

        OR ((Inherit Group Rights = True) AND (Group denied right to parent folder = False))

        ]

}

THEN        {

    User action authorized = True

}

ELSE        {

    User action authorized = False

}


Business Objects
http://www.businessobjects.com/
Support services
http://www.businessobjects.com/services/support/
Product Documentation on the Web
http://support.businessobjects.com/documentation/