BusinessObjects Enterprise Administrator's Guide

Controlling user access overview

Rights are the base units for controlling users' access to objects, users, applications, servers, and other features in BusinessObjects Enterprise. When granted, each right provides a user or group with permission to perform a particular action. Using rights, you can set security levels that affect individual users and groups. Rights allow you to control access to your BusinessObjects Enterprise content, to delegate user and group management to different departments, and to provide your IT people with administrative access to servers and server groups.

To set rights within the Central Management Console (CMC), you first locate the object, user, or server and then you specify the rights for different users and groups. Each right can be Explicitly Granted, Explicitly Denied, or Inherited. The BusinessObjects Enterprise security model is designed such that, if a right is left "not specified," the right is denied by default. Additionally, if contradictory settings result in a right being both granted and denied to a user or group, the right is denied by default. This "denial based" design assists in ensuring that users and groups do not automatically acquire rights that are not explicitly granted.

To facilitate administration and maintenance, BusinessObjects Enterprise includes a set of predefined access levels that allow you to set common security levels quickly. Each access level grants a set of rights that combine to allow users to accomplish common tasks (such as view reports, schedule reports, and so on). It is recommended that you use the predefined access levels whenever possible, because they can greatly reduce the complexity of your object security model. For more information, see Setting common access levels.

Whether or not you use access levels, you can also take advantage of the inheritance patterns recognized by BusinessObjects Enterprise: users can inherit rights as the result of group membership; subgroups can inherit rights from parent groups; and both users and groups can inherit rights from parent folders. When you need to disable inheritance or to customize security levels for particular objects, users, or groups, the Advanced Rights pages allow you to choose from the complete set of available object rights. Most importantly, the advanced object rights allow you to explicitly deny any user or group the right to perform a particular task.

Users require specific licensing and rights to create or modify reports through the Report Application Server (RAS).



Business Objects
http://www.businessobjects.com/
Support services
http://www.businessobjects.com/services/support/
Product Documentation on the Web
http://support.businessobjects.com/documentation/