BusinessObjects Enterprise Administrator's Guide

Setting advanced object rights

To provide you with full control over object security, the CMC allows you to make Advanced object rights settings for any user or group. These Advanced settings enable you to choose from a complete set of granular object rights. The result is increased flexibility when you define security levels for objects that you have published to BusinessObjects Enterprise.

Use advanced rights, for instance, if you need to customize a user's or group's rights to a particular object or set of objects, or if you want to customize the default inheritance patterns. Most importantly, use advanced rights to explicitly deny a user or group any right that should not be permitted to change when, in the future, you make changes to group memberships or folder security levels.

Tip:    By default, users or groups who have rights to a folder will inherit the same rights for any object that you subsequently publish to that folder. Consequently, the best strategy is to set the appropriate rights for users and groups at the folder level first. Then publish objects to that folder.

Note:    Because of the relative priorities assigned by BusinessObjects Enterprise to granted and denied rights, you must disable inheritance entirely when you need to explicitly grant a right that has been denied elsewhere to the user or group. For complete details, see Priorities affecting advanced inheritance settings.

To view or set advanced rights
  1. Go to the Objects or Folders management area of the CMC.
  2. Locate the object whose rights you want to modify.
  3. Click the link to the object, and then click its Rights tab.
  4. In the Name column, locate the user or group whose rights you want to specify.
  5. If the user or group is not listed, click Add/Remove. Add the appropriate user or group and click OK. You are returned to the object's Rights tab.

  6. The next step depends upon the entry that already appears in the Access Level list for this user or group:

The first two options specify which types of inheritance affect the Guest user's rights to this object. In this example, the Guest user cannot inherit rights by virtue of group membership. However, the Guest user may inherit any rights that he or she has been granted to this report's parent folder.

The remainder of the Advanced Rights page lists all available object rights and shows how each right applies to the Guest user. To customize the overall security levels, you can explicitly grant or deny any given right, or you can specify that you want certain rights to be inherited.

The Inherited column serves as an indicator to show how inherited rights affect the Guest user's effective rights to this report object. A user or group can be granted or denied a right by virtue of inheritance. In addition, some rights may remain "not specified"—that is, they are neither granted nor denied. If an inherited right is labelled as "Not Specified", BusinessObjects Enterprise treats it as having been denied. (And if the right is later granted for a parent group or object, the user or group will automatically inherit the right at this level.)

In this example, the Guest user has two inherited rights (the right to "View document instances that the user owns" and to "Pause and Resume document instances that the user owns"). Currently, these rights are not specified, so the rights are denied by default. However, if the Guest user's rights should change on the report's parent folder, the rights will also change for this report object. This demonstrates how inheritance can facilitate future changes to the overall security model.

Tip:    For scalability and manageability, it is recommended that you leave as many rights as possible inherited, because the system automatically updates those rights as you modify and update your security settings throughout the folder and group hierarchies.

The Explicitly Granted column shows which actions the Guest user is allowed to perform on this report. The Guest user is currently granted eleven rights to this report (the right to "View objects," "Schedule the document to run," and so on). Because group inheritance is disabled, the Guest user will retain these rights, even if its group membership is modified or changed completely. This demonstrates how you can use explicit rights to override a group's rights for a particular group member.

The Explicitly Denied column works similarly to the Explicitly Granted column. Regardless of any future changes to the user's group membership, an explicitly denied right always prevents a user from performing the associated action. In this example, the Guest user has been explicitly denied eleven rights (the right to "Add objects to the folder," "Edit objects," and so on). Again, this demonstrates how you can use explicit rights to override a group's rights for a particular group member.

When you have made your changes on the Advanced Rights page, click OK.

Tip:    For detailed tutorials that walk you through sample implementations of object rights, see Customizing a 'top-down' inheritance model.
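
The following added example (not part of the original guide and not BusinessObjects code) is a simplified model of how the columns described above combine into an effective right. All names are hypothetical. The rule that a denial outranks a grant is an assumption drawn from the Note on priorities; the complete rules are in Priorities affecting advanced inheritance settings.

```python
from enum import Enum

class Setting(Enum):              # hypothetical names, not product identifiers
    GRANTED = "Granted"
    DENIED = "Denied"
    NOT_SPECIFIED = "Not Specified"

def combine(settings):
    """Merge settings from several sources; any denial outranks a grant."""
    settings = list(settings)
    if Setting.DENIED in settings:
        return Setting.DENIED
    if Setting.GRANTED in settings:
        return Setting.GRANTED
    return Setting.NOT_SPECIFIED

def is_allowed(explicit, from_groups, from_folder,
               inherit_groups=True, inherit_folder=True):
    """Effective right on one object for one user (simplified model)."""
    sources = [explicit]
    if inherit_groups:            # first inheritance option on the page
        sources.extend(from_groups)
    if inherit_folder:            # second inheritance option on the page
        sources.append(from_folder)
    # A right that ends up "Not Specified" is treated as denied.
    return combine(sources) is Setting.GRANTED

def demo():
    """Constructed scenarios modelled on the Guest example in the text."""
    G, D, N = Setting.GRANTED, Setting.DENIED, Setting.NOT_SPECIFIED
    return {
        "unspecified everywhere": is_allowed(N, [], N, inherit_groups=False),
        "folder later grants": is_allowed(N, [], G, inherit_groups=False),
        "explicit grant, group denies": is_allowed(G, [D], N),
        "same, inheritance disabled": is_allowed(G, [D], N, False, False),
        "explicit deny, group grants": is_allowed(D, [G], G),
    }

if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'allowed' if allowed else 'denied'}")
```

The third and fourth scenarios show why an explicit grant only takes effect once inheritance is disabled, and the last shows an explicit denial surviving later grants to a group or parent folder.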
