BusinessObjects Enterprise Administrator's Guide

Priorities affecting advanced inheritance settings

When you modify inheritance patterns with advanced rights, there are several important considerations to keep in mind. Where relevant, these considerations appear elsewhere in this section. They have been summarized here for reference.

Denied rights take precedence over granted rights. This can cause seemingly contradictory results when inheritance is enabled. Suppose that the "View objects" right is explicitly denied to a Sales group for a particular folder of reports. For the same folder, the "View objects" right has been explicitly granted to a Manager user, and the "Respect current security by inheriting rights from parent groups" check box is selected. The Manager user is a member of the Sales group. In this scenario, the Manager user is both granted and denied the "View objects" right to the folder. Because denied rights take precedence, the Manager user is effectively denied the ability to see the folder, as long as the user account inherits rights from its parent group (Sales). To remedy this situation, you could clear the "Respect current security by inheriting rights from parent groups" check box on the Advanced Rights page for the Manager user, or you could remove the Manager user from the Sales group.

Rights that are not specified are denied by default. On the Advanced Rights page for any object, the Inherited Rights column may label certain rights as "Not Specified." This entry denotes rights that are neither granted nor denied by inheritance. To prevent possible security breaches, BusinessObjects Enterprise automatically denies rights that are not specified.
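The two rules above can be checked against the Sales/Manager scenario with a small model. This is an added example, not BusinessObjects Enterprise code or its API: the `Principal` class, the function names and the "Reports folder" object are hypothetical, and the model covers group inheritance only, with the check box reduced to one flag per principal.

```python
from dataclasses import dataclass, field

GRANTED, DENIED, NOT_SPECIFIED = "Granted", "Denied", "Not Specified"

@dataclass
class Principal:
    """A user or group in this simplified model (hypothetical, not a product API)."""
    name: str
    parents: list = field(default_factory=list)    # groups this principal belongs to
    inherit_from_groups: bool = True               # models the "inherit from parent groups" check box
    explicit: dict = field(default_factory=dict)   # {(object, right): GRANTED or DENIED}

def collect(principal, obj, right, seen=None):
    """Gather every explicit setting that reaches the principal for (obj, right)."""
    seen = set() if seen is None else seen
    if principal.name in seen:                     # guard against cyclic group membership
        return []
    seen.add(principal.name)
    found = []
    if (obj, right) in principal.explicit:
        found.append((principal.name, principal.explicit[(obj, right)]))
    if principal.inherit_from_groups:              # cleared check box: ignore parent groups
        for group in principal.parents:
            found.extend(collect(group, obj, right, seen))
    return found

def net_right(principal, obj, right):
    """Return (status, allowed, contributing settings) for one right on one object."""
    settings = collect(principal, obj, right)
    values = {value for _, value in settings}
    # Rule 1: any denial wins. Rule 2: no setting at all is "Not Specified", which is denied.
    status = DENIED if DENIED in values else GRANTED if GRANTED in values else NOT_SPECIFIED
    return status, status == GRANTED, settings

def scenario(inherit=True, in_sales=True):
    """Constructed data: Sales is denied "View objects", Manager is granted it."""
    key = ("Reports folder", "View objects")
    sales = Principal("Sales", explicit={key: DENIED})
    manager = Principal("Manager", parents=[sales] if in_sales else [],
                        inherit_from_groups=inherit, explicit={key: GRANTED})
    return net_right(manager, *key)

if __name__ == "__main__":
    for kwargs in ({}, {"inherit": False}, {"in_sales": False}):
        print(kwargs, scenario(**kwargs))
```

The third element of the result lists which principal contributed each setting, which is the information needed to trace an unexpected denial back to a group membership.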


