cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Security Role for universe

Former Member

on ‎09-30-2014 5:15 AM

0 Kudos

Hi

I want to create a security role that allows user to refresh reports created on a particular universe but that does not allow them to create new reports based on the same universe.

In the CMC, I select the universe and I have assigned it a customs access level I have created. In that CAL, if I don't include the right "view objects" then the users are not able to refresh the report, but that also allow them to see the universe when creating a new report and to create and run one, which I would like to avoid. Is there any way to do it?

Thanks

Teresa

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

former_member182521
Active Contributor
‎09-30-2014 5:57 AM
0 Kudos

refer this to understand the End to End Security implementation.

Though it is for XI 3.x, Still you can refer here if you are in BI 4.x

Show replies
Show replies
Former Member
‎09-30-2014 9:42 AM
0 Kudos

Thanks, but that document does not describe what I am trying to do.

My requirements for one BI Application are:

- That a users group called staff can access the reports created for that BI application, which are stored in a specific folder created for that. They should also be able to refresh the report. They should not be able to create reports based on the universe for that BI application (but they can create reports for other BI applications)

That document describes how:

- How to give users the availability to either create or not reports: - my users can always create reports, it is only for one universe that they should not create reports

- How to give users access to the universe data - my users can access the universe data by refreshing an existing report but should not be able to see the universe when creating new reports.

We have already done most of the steps described there with the difference that I am using Custom access level instead of functional groups.

If I compare my set up which the one described in the document I have only one functional group called staff which can view document, refresh and create documents.

For the Web Intelligence, in CMC> Applications > Web Intelligence the staff group has a Custom Access Level that allow them to do that similar to the advanced users group in the document. (they only difference is that I save in a CAL instead of adding manually).

In terms of the public folder access,  the staff group is assigned a CAL View access level which allow them to View objects, refresh the report .. it is the same that the document describe for the advance  group for the public folder with the exception that I don't allow them to edit the query

At the connection level they have  General > view access and Connection > data access as described in the document as well.

The document says that the advance report should be able to view and refresh reports, and to create reports for the universe they have access to. But it does not say to refresh a report but not to create for a universe.

If I now compare the settings for the BI Application:

I have only one group which is my before described staff group, since I am using CAL.

We have one folder for the BI application, or the universe in scope. I add the staff principle and give them the CAL view access.

The document says :

   Here we want all members of this group to be able to view this folder and the contents of the folder. What they can then do with this folder is controlled by membership of the functional groups

In the folder of the BI Universe I give them access to Universe > View objects

By giving them access to Universe > view objects they can see the universe when creating a new document. Without this access they are not allow to refresh the document even if they see the refresh button available.

Hope it clarifies

Thanks

Teresa

andreasja_schneider
Advisor
Advisor
‎10-01-2014 10:31 AM
0 Kudos

I believe this is just not possible:


The Refresh (ViewonDemand) right is granted

  • on a per user (ideally user group)
  • and on a  per universe (ideally per folder)
  • and on a per universe connection (ideally per folder)

basis for granting rights.

Meaning: For one universe with underlying universe conenction I can grant REFRESH/VIewonDeamn (VoD) rights to user A, for another user I can deny that right for user A.

But creating Webi Reports is a global right, a right granted on a

  • per user (ideally user group)
  • and per application, WebIntelligence Tool  in this case or IDT in another scenario

basis. This right (creating Webi reports that is) cannot be limited to a particular universe.
In other words, either user A can create Webi reports or he/she cannot. If user A has the right to create Webi reports then he/she can create Webi reports against ANY universe, he/she has been granted Refersh/VoD rights against; hence my use of GLOBAL right.

Former Member
‎10-23-2014 4:52 AM
0 Kudos

Thanks Andreas, it is a good explanation

Ask a Question