Using explicitly denied rights to globally remove privileges for non-administrators

Deny overrides grant in Business Objects

The way that "explicitly denied" rights work (on the advanced rights tab) enables us to globally remove rights for groups or individuals.

Important: an "explicitly denied" right will always override an "explicit grant."

For any given right, if a user is a member of any group where that specific right is denied, the net right is denied.

Deny always trumps grant.

Using explicit denies at the highest level

We can set folder rights in CMC at the highest level, the "Settings" level. Doing this will effectively deny the right at all levels (since the "settings" level is the parent folder of all folders). Setting rights at this level avoids needing to individually remove rights at the folder level for various groups.

Go to the "Rights" tab in the settings.

On the rights tab, add the group to which you wish to explicitly deny rights.

In our case we created a "non-administrators" group, because we wanted to deny all non-administrators certain rights, such as scheduling reports. We added all non-admins to the non-administrators group, then added an entry on the rights tab for that group and set its advanced rights.

On the "Advanced Rights" tab, each individual right (row) can be set to either "Explicitly Granted," "Explicitly Denied," or "Not Specified."

Setting a right to "Explicitly Denied" here effectively denies that right for every member of the specified group (non-administrators in our case).
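The rule described above, as a small model added here for illustration (it is not BusinessObjects or SDK code). It covers only what this page states: settings made at the top "Settings" level apply to every folder below it, and a deny in any of a user's groups wins. The folders, users, and the "finance-users" and "administrators" groups are constructed sample data. The last function is a pre-change check for administrators who were also placed in the denied group and would lose the right.

```python
from enum import Enum

class Setting(Enum):
    GRANTED = "Explicitly Granted"
    DENIED = "Explicitly Denied"
    NOT_SPECIFIED = "Not Specified"

TOP = "Settings"  # top level, parent of all folders
SCHEDULE = "Schedule the document to run"

# Constructed sample data (hypothetical folders, groups and users).
PARENT = {"Finance": TOP, "Finance/Payroll": "Finance"}
ACL = {  # folder -> group -> right -> setting
    TOP: {"non-administrators": {SCHEDULE: Setting.DENIED}},
    "Finance": {"finance-users": {SCHEDULE: Setting.GRANTED,
                                  "View objects": Setting.GRANTED}},
}
MEMBERS = {
    "alice": {"finance-users", "non-administrators"},
    "bob": {"finance-users", "administrators"},
    "carol": {"administrators", "non-administrators"},  # admin added by mistake
}

def net_right(user, folder, right):
    """Walk from the folder up to the top level, collecting the setting
    from every group the user belongs to. Any deny overrides any grant."""
    seen = set()
    node = folder
    while node is not None:
        for group, rights in ACL.get(node, {}).items():
            if group in MEMBERS[user]:
                seen.add(rights.get(right, Setting.NOT_SPECIFIED))
        node = PARENT.get(node)  # None once we are past the top level
    if Setting.DENIED in seen:
        return Setting.DENIED
    if Setting.GRANTED in seen:
        return Setting.GRANTED
    return Setting.NOT_SPECIFIED

def admins_caught_by_deny(deny_group, admin_group="administrators"):
    """Users in both groups: the global deny would apply to them too."""
    return sorted(u for u, groups in MEMBERS.items()
                  if deny_group in groups and admin_group in groups)

if __name__ == "__main__":
    for user in sorted(MEMBERS):
        print(user, net_right(user, "Finance/Payroll", SCHEDULE).value)
    print("admins affected:", admins_caught_by_deny("non-administrators"))
```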

 

Here is a list of the rights that can be set in this way in BusinessObjects:

 

General Rights

  • Add objects to the folder
  • View objects
  • Edit objects
  • Modify the rights users have to objects
  • Schedule the document to run
  • Delete objects
  • Define server groups to process jobs
  • Delete instances
  • Copy objects to another folder
  • Schedule to destinations
  • View document instances
  • Pause and Resume document instances
  • Securely modify rights users have to objects.
  • Reschedule instances
  • Schedule on behalf of other users
  • Allow discussion threads
  • View objects that the user owns
  • Edit objects that the user owns
  • Modify the rights users have to objects that the user owns
  • Delete objects that the user owns
  • Delete instances that the user owns
  • View document instances that the user owns
  • Pause and Resume document instances that the user owns
  • Securely modify rights users have to objects that the user owns.
  • Reschedule instances that the user owns

Desktop Intelligence Rights

  • Refresh the report's data
  • Refresh List of Values
  • Use Lists of Values
  • View SQL
  • Export the report's data
  • Download files associated with the object

 

Desktop Intelligence Add in

  • Download files associated with the object

 

Report

  • Print the report's data
  • Refresh the report's data
  • Export the report's data
  • Download files associated with the report

 

Web Intelligence Document

  • Refresh the report's data
  • Edit Query
  • Refresh List of Values
  • Use Lists of Values
  • View SQL
  • Export the report's data
  • Download files associated with the object

 

 
