Take a tour of the basic security access levels offered in BusinessObjects, including overviews of how to manage these levels, how to assign advanced rights to users or groups, and how to use inheritance options to save time.
Key Concept
Access levels are predefined sets of component rights that define use of folders, universes, connections, and documents. Access levels allow administrators to set common security levels quickly and uniformly rather than setting individual rights one by one.
This article was originally published on BusinessObjects Expert
Security within BusinessObjects is fairly sophisticated, and an administrator has a great deal of control over granting or denying users and groups access to individual components. This component-level security is handled by assigning access levels.
BusinessObjects comes installed with a number of predefined access levels: no access, view, schedule, view on demand, and full control. BusinessObjects also enables administrators to develop advanced or custom access levels.
Managing Access Levels
Access levels in BusinessObjects can be viewed and managed in the access levels component of the BusinessObjects administration tool known as the Central Management Console (CMC). After logging in to the CMC, an administrator can navigate to the access levels component via the drop-down menu in the top-left corner of the console (Figure 1). From this screen the administrator can view existing access levels, modify access levels, and define new access levels.

Figure 1
The access levels component in the CMC
Setting Access Levels for Users or Groups
Setting access levels for a user or a group of users is done in the CMC’s Folders management component. Let’s look at some of the access actions you can take in Folders.
- Navigate to the Folders component in the CMC via the drop-down menu in the top-left corner of the console (Figure 2).

Figure 2
The Folders component in the CMC
- Expand the Objects List folder on the left to get a list of objects to choose from, or expand All Folders to get a list of folders to choose from. Locate the object or folder whose rights you want to modify, right click on the object or folder, and select User Security in the context menu (Figure 3).

Figure 3
Select User Security for the folder
The User Security screen launches (Figure 4).

Figure 4
The screen for managing user security for a particular folder or object
- To add security for principals (i.e., users or groups) that do not already appear, click the Add Principals button. Subsequently, the Add Principals screen launches, allowing an administrator to add users or groups with the arrow buttons (Figure 5).

Figure 5
Add principals (i.e., users or groups)
- To deny or remove security for principals (i.e., users or groups) that have already been added, return to the User Security screen, highlight the principal to be removed, and click the Remove button (Figure 6).

Figure 6
Remove a user or group from the security settings for the folder or object
- To see the rights in effect for the principal on an object or folder, click the View Security button. The Permissions Explorer launches and displays a list of rights for the selected principal (Figure 7).

Figure 7
The Permissions Explorer window displays a list of effective rights
- To designate an access level for a user or group, return to the User Security screen and click the Assign Security button (Figure 6). The Assign Security screen launches and allows you to set access levels or advanced security for the selected user or group using the corresponding tabs and arrow buttons (Figure 8).

Figure 8
The Access Levels tab
Predefined Access Levels
Predefined access levels are groups of individual security rights that are available in BusinessObjects. These levels provide common user access to components (Table 1). Use of predefined levels is simpler and more intuitive than advanced access levels as the settings already exist and do not need to be further configured.

Table 1
An overview of BusinessObjects predefined access levels
Choosing Between View and View On Demand Access Levels
Although both the View and View On Demand access levels allow users to view document data, the two levels are different. The View access level allows users to view data only in documents that have been scheduled. It does not allow users to refresh data on their own. On the other hand, the View On Demand access level allows users to view data in scheduled documents and to refresh document data as necessary. The reason for the difference is to restrict the amount of network traffic, reduce the number of queries against a database, and schedule document refreshes at times when network and database use is low.
Scheduled report instances are useful for dealing with data that isn't continually updated and can be queried on a scheduled basis. These scheduled report instances minimize data transfer over the network and lighten the database server’s workload. If a user requires only data that is refreshed periodically, then that user can be granted the View access level to restrict on-demand refreshes of documents.
In contrast, on-demand refreshes of a document provide users access to real-time data directly from the database server. If the underlying data is constantly changing, then users require the right to refresh their documents on an unscheduled basis. The View On Demand access level allows users to refresh documents as necessary. However, use of this access level may cause an increase in network traffic and database server use.
Advanced Rights
In addition to assigning complete access levels to a folder or object, an administrator can assign advanced or custom rights to a folder or object. Advanced rights provide increased flexibility over access levels as the administrator can grant or deny specific rights. Thus, advanced rights enable administrators to define security at a detailed or individual right level. For example, an administrator can explicitly grant or deny the right to create a document or edit SQL.
The advanced rights screen is in the Assign Security window under the Advanced tab (Figure 9). This screen allows an administrator to view advanced rights that have been assigned to a user or group.

Figure 9
The Advanced tab
By clicking the Add/Remove Rights link in the Advanced tab, an administrator can grant or deny individual rights to a user or group or apply the rights to objects or sub-objects. A separate window opens to permit these actions (Figure 10).

Figure 10
The Add/Remove Rights window
The Add/Remove Rights window uses a matrix of icons to define rights options. The icons and their descriptions are listed in Table 2.

Table 2
Definitions of advanced rights options
Inheritance
With inheritance, the rights that users and groups have to objects are not explicitly set, but rather come from the settings on the parent group membership or the rights granted to an object’s parent folder. Inheritance solves the impracticality of setting the explicit value of every possible right for every object within the system.
Consider a system with 100 rights, 1,000 users, and 10,000 objects. To set rights explicitly on each object would require that an administrator manually set a right hundreds of thousands of times. Inheritance helps resolve this problem and is broken down into two types:
- Group inheritance allows users and groups to inherit rights as the result of a parent group membership. Group inheritance is useful when an organization’s security conventions are based on multiple group levels.
- Folder inheritance allows users or groups to inherit any rights that they have been granted on an object’s parent folder. Folder inheritance is useful when an organization’s security conventions are based upon folder hierarchies.
Inheritance can be defined on a parent folder or parent group for all of its child folders and objects by checking the appropriate box in the Assign Security window (Figure 11). A company can have security conventions based on both group levels and folder hierarchies.

Figure 11
Assign inheritance to parent folders and parent groups
By right-clicking any folder or object listed in the CMC and choosing User Security from the context menu, an administrator can view the user security for that particular folder or object to see if any of the security is inherited (Figure 12).

Figure 12
Access level is indicated for the folder or object
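The two inheritance types described above can be modeled as a walk up the folder hierarchy combined with a walk up the group hierarchy, which is also how an administrator can reason about where an effective access level comes from. The following Python code is an added example, not BusinessObjects code or part of the original article; the folder, group, and user names are constructed, and it assumes that the nearest assignment wins and that a principal with no assignment at all has no access.

```python
# Simplified model of folder and group inheritance (not BusinessObjects code).
# Assumptions: one access level per assignment; the nearest assignment wins.

# Constructed sample data: object -> parent folder, principal -> parent groups.
FOLDER_PARENT = {"Q3 Report": "Finance", "Finance": "All Folders", "All Folders": None}
GROUP_PARENTS = {
    "alice": ["Finance Analysts"], "bob": ["Finance Analysts"], "carol": ["Everyone"],
    "Finance Analysts": ["Everyone"], "Everyone": [],
}
# Explicit assignments made by an administrator: (principal, object) -> access level.
ASSIGNED = {
    ("Everyone", "All Folders"): "No Access",
    ("Finance Analysts", "Finance"): "View",
    ("alice", "Q3 Report"): "View On Demand",
}

def principals_of(principal):
    """Yield the principal, then its parent groups, nearest first (group inheritance)."""
    queue, seen = [principal], set()
    while queue:
        p = queue.pop(0)
        if p in seen:
            continue
        seen.add(p)
        yield p
        queue.extend(GROUP_PARENTS.get(p, []))

def folders_of(obj):
    """Yield the object, then its parent folders up to the root (folder inheritance)."""
    while obj is not None:
        yield obj
        obj = FOLDER_PARENT.get(obj)

def effective_access(principal, obj):
    """Return (access_level, source), where source says how the level was obtained."""
    for folder in folders_of(obj):
        for p in principals_of(principal):
            level = ASSIGNED.get((p, folder))
            if level is None:
                continue
            how = []
            if p != principal:
                how.append(f"group {p}")
            if folder != obj:
                how.append(f"folder {folder}")
            source = "inherited via " + " and ".join(how) if how else "explicit"
            return level, source
    return "No Access", "no assignment found"  # assumption: unassigned means no access
```

Three explicit assignments cover every user on every object in this sample, and the returned source string separates explicit settings from inherited ones, which is the distinction to check when reviewing who can reach a sensitive folder.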
Adam Getz
Adam Getz currently serves as a Manager, Business Intelligence for CGI Federal. In this position, he is leading a large business intelligence and data warehousing implementation for a federal client. He is a thought leader in the field of information technology and an expert in the deployment of leading business intelligence, database management, and data integration products. He has presented at a variety of local, national, and international events, including the 2006 BusinessObjects International Conference, 2007 Oracle BIWA Summit, 2008 Oracle Open World, and 2010 and 2011 ASUG SAP BusinessObjects User Conferences. In addition, Adam is the creator and main author of bi-insider.com, a website, portfolio, and blog that provides rich technical and functional content to business intelligence and data warehousing professionals. He has also published numerous technology white papers that have focused on various topics within business intelligence and data warehousing. Adam currently serves as the chairperson of the Washington DC Business Objects User Group.
You may contact the author at adagetz@yahoo.com.