Describing Rights Settings

Objective

After completing this lesson, you will be able to define rights settings using the Central Management Console (CMC).

Rights Settings

The CMC allows for greater flexibility in security by allowing granular level rights for objects and sub-objects.

Definition:
  • You can use the rights settings to customize a principal's rights to a particular object or set of objects.
  • You can use rights to deny a user or group that must not be changed if there is a modification to group memberships or folder security levels.
CMC allows for greater flexibility in security by allowing granular level rights for objects and sub-objects.

The following table summarizes the options that you have when you set rights.

Rights

Rights OptionDescription

Granted right

The right is explicitly granted to a principal on an object.

Denied right

The right is explicitly denied to a principal on an object, and cannot change. This is the most restrictive right and it has to be used with care on SAP BusinessObjects BI Platform 2025.

Not Specified right

The right is implicitly unspecified for a principal on an object. By default, implicit right Not Specified is a deny. An implicit right can be changed into an explicit right (either Granted or Denied) when an explicit right is applied for another principal on the same object.

Apply to Object scope

The right applies to the object. This option becomes available when you choose Granted or Denied.

Apply to Sub-object scope

The right applies to all sub-objects. This option becomes available when you choose Granted or Denied.

Hierarchical Rights Settings:

There is an embedded hierarchy between these rights settings:

  • Denied explicit right always overrides Granted explicit right.
  • Granted explicit right always overrides Not Specified implicit right.

If you want to not give an access to a principal, it is recommended:

  • To use the implicit right (Not Specified) instead of the explicit right (Denied).
  • To use the Deny explicit right with care, due to the fact it is the strongest right; it will be always as an effective right, even after having aggregated it with other implicit or explicit rights on a single object.
A Denied explicit right always overrides a Granted explicit right which always overrides a Not Specified implicit right in SAP BusinessObjects BI Platform 2025.

Scope is the level of propagation of the right. You can choose to apply an explicit right within a custom access level either to an Object or to Sub-object or both of them.

General versus Type-Specific Rights

Type-specific rights

Type-specific rights are rights that affect specific object types only, such as Crystal Reports, folders, or access levels. Type-specific rights consist of the following:

  • General rights for the object type:

    These rights are identical to general global rights (for example, the right to add, delete, or edit an object), you set them on specific object types to override the general global rights settings.

  • Specific rights for the object type:

    These rights are available for specific object types only. For example, the right to export a report's data appears for Crystal Reports, but not for Word documents.

Rights are divided into collections based on the object types to which they apply.

Rights Collections

Type-specific rights override General global rights:
  • Type-specific rights are useful because they let you limit the rights of principals based on a specific object type. A type-specific right is optional, but it will always override a General global right.
  • Consider a situation in which an administrator wants employees to add objects to a folder but not create sub-folders. The administrator grants the Add objects to the folder right at the General global level for the folder (General tab), and then denies the Add objects to the folder right for the Folder type-specific object (Content tab) in the custom access level.
The administrator grants Add rights at the General global level for the folder, but denies Add right for the Folder type-specific object.

Scope of Rights

Definition

Scope of rights controls the extent of rights-inheritance of an object:

  • Apply to Object
  • Apply to Sub-objects
Considerations:
  • Scope of rights refers to the ability to control the extent of rights inheritance.
  • To define the scope of a right, you decide whether the right applies to the object, its sub-objects, or both.
  • By default, the scope of a right extends to both object and its sub-objects.

Scope of rights can also limit the effective rights that a delegated administrator has.

For instance, a delegated administrator may have Edit rights on a folder, but the scope of these rights is limited to the folder only and don't apply to its sub-objects.

Note

If you choose Apply to Sub-object as a scope of a right, the right will be applied to all sub-objects (all descendants) and you cannot specify any level on sub-objects.
Scope of rights refers to the ability to control the extent of rights inheritance.

Scope of rights is used to protect personal content in public folders. For example, you have a shared Expense Claims folder that has Personal Expense Claims sub-folders for each employee. You want all employees to view the Expense Claims folder and add objects to it. But, you don't want employees to access other employees Personal Expense Claims sub-folders. To protect personal content, you can grant all employees View and Add rights on the Expense Claims folder. You limit the scope of these rights to the Expense Claims folder only. Then for each employee, you grant access to their assigned personal sub-folders.

Inheritance

Definition

With inheritance, the rights that users have to objects in the system come from a combination of their memberships in different groups and subgroups and from objects which have inherited rights from parent folders and subfolders.

Rights override is a rights behavior in which rights that are set on child objects override the rights set on parent objects. Rights override occurs under the following circumstances:

  • In general, the rights that are set on child objects override the corresponding rights that are set on parent objects.

  • In general, the rights that are set on subgroups or members of groups override the corresponding rights that are set on groups.

Considerations:
  • Even if it's possible in CMC, it is NOT recommended to disable inheritance from parent folder or parent group to set customized rights on an object.
  • By default, the child object inherits the rights settings of the parent object except for the rights that are explicitly set on the child object. Also, any changes to rights settings on the parent object apply to the child object.
List of Principals in Assign Security window. Both groups and some individual users listed. Examples of different access outcomes shown. For example, Full Control (Inherited), View On Demand, or No Access.

Summary

  • The CMC allows for flexible security with granular level rights for objects and sub-objects.
  • Rights can be granted, denied, or not specified for a principal, and can be applied to objects and sub-objects.
  • These rights affect specific object types and can override general global rights settings.
  • Rights are divided into General, Content, Application, and System collections based on object types and system components.
  • The scope of rights controls inheritance and can protect personal content; rights set on child objects or sub-groups override those on parent objects or groups.

Learning

SAP FacebookSAP YoutubeSAP LinkedIn