Determining Effective Rights and Inheritance

Objective

After completing this lesson, you will be able to implement a security model in SAP BusinessObjects BI Platform 2025.

Rights and Inheritance

Inheritance

Rights are set on an object for a principal to control access to that object. Setting an explicit value for every possible right, for every principal, on every object is impractical: with 100 rights, 1,000 users, and 10,000 objects, the system would have to store, and you would have to maintain, a billion individual right settings.

Inheritance resolves this problem. With inheritance, the rights a principal has on an object come from two sources: the principal's membership in groups and sub-groups, and the object's position in the folder hierarchy. Principals inherit rights as a result of group membership, sub-groups inherit rights from their parent groups, and objects inherit rights from the folders and sub-folders that contain them.

By default, principals who have rights to a folder inherit the same rights for any objects that are then published to that folder. The strategy is to set the appropriate rights for principals at the folder level first, then publish objects to that folder.

SAP BusinessObjects BI Platform 2025 recognizes two types of inheritance for object security:

  • Inherit from Parent Folder

  • Inherit from Parent Group

Inherit From Parent Group:

If needed, an administrator can disable inheritance from the parent group in order to set customized rights on an object.

  • By default, this setting is enabled on every object in SAP BusinessObjects BI Platform 2025.
  • The child group inherits the rights settings of the parent group by default, except for the rights that are explicitly set on the child group. Any change to the rights settings on the parent group also applies to the child group by default.
  • It is strongly recommended to leave inheritance from the parent group enabled, as it is by default.

You can choose whether an object inherits its security from a principal's parent group.

Inherit From Parent Folder:

If needed, an administrator can disable inheritance from the parent folder in order to set customized rights on an object.

  • By default, this setting is enabled on every object in SAP BusinessObjects BI Platform 2025.
  • The child folder inherits the rights settings of the parent folder by default, except for the rights that are explicitly set on the child folder. Any change to the rights settings on the parent folder also applies to the child folder by default.
  • It is strongly recommended to leave inheritance from the parent folder enabled, as it is by default.

You can choose whether an object inherits its security from its parent folder.

Determining Effective Rights

We have seen that each access level grants some rights, denies some rights, and leaves the other rights unspecified. When a principal is granted several access levels, the system aggregates the effective rights and treats any right that is still unspecified as denied.

Aggregation of effective rights:

If a user belongs to more than one group, and the groups' rights assignments conflict on the same object (a folder, for instance), the system aggregates the effective rights for the user according to the precedence of the three possible settings:

  • The Denied (D) right always overrules a Granted (G) right.
  • The Granted (G) right always overrules a Not Specified (NS) right.
Calculation rules:

Here are some examples of how several settings for one right on a single object are aggregated into the effective right that SAP BusinessObjects BI Platform 2025 applies:

  • Not Specified (NS) + Not Specified (NS) = Not Specified (NS)
  • Not Specified (NS) + Granted (G) = Granted (G)
  • Not Specified (NS) + Denied (D) = Denied (D)
  • Granted (G) + Denied (D) = Denied (D)
  • Not Specified (NS) + Granted (G) + Denied (D) = Denied (D)

SAP BusinessObjects BI Platform 2025 calculates these effective rights when the user logs on. If you change any right, ask the affected users to log off and log on again so that the updated security model takes effect for them.

To better understand the aggregation of rights, look at the following sample table. It shows some predefined and custom access levels and the rights included in each on SAP BusinessObjects BI Platform 2025:

Sample matrix of included rights in predefined access levels and custom access levels.

Now, consider several security scenarios with a user (A01) belonging to two groups (G1 and G2), where each group has been given one access level on the same object. The effective rights applied to user A01 are shown in the following scenarios:

Effective rights for A01 user after rights calculation (No Access + No Access aggregation).
Effective rights for A01 user after rights calculation (No Access + View aggregation).
Effective rights for A01 user after rights calculation (No Access + Full Control aggregation).
Effective rights for A01 user after rights calculation (Full Control + Deny All Access (CAL) aggregation).
Effective rights for A01 user after rights calculation (Schedule + View and Design Content (CAL) aggregation).
Effective rights for A01 user after rights calculation (No Access + Deny All Access (CAL) aggregation).

Watch the following video to determine effective rights in scenarios involving users, groups, and folders.

The following scenarios are covered in the video:

  1. A user is a member of a group. The user and the group have different rights to the same folder.
  2. A user is a member of two different groups, and each group has been assigned different rights to the same folder.
  3. A user is a member of two different groups, and each group has rights to folders at different levels.
  4. A user is a member of a subgroup that is a member of a group. The parent group is Granted and the subgroup is Denied access to the same folder.
  5. A user is a member of a subgroup that is a member of a group. The parent group is Denied while the subgroup is Granted access to the same folder.
  6. A user is a member of a subgroup that is a member of a group. The group and subgroup have different assigned rights to a folder and its subfolder.
  7. A subgroup is a member of a group, and the user is a member of both the group and the subgroup. The group and subgroup have different rights to the same folder.

Keep these considerations in mind when you set rights on an object:

  • Each access level grants some rights, denies some rights, and leaves the other rights unspecified. When a principal is granted several access levels, the system aggregates the effective rights and treats any right that is still unspecified as denied.
  • When you assign several access levels to a principal on an object, the principal has the combination of each access level's rights, aggregated with the rules above.
  • Advanced rights can be combined with access levels to customize the rights settings for a principal on an object. If an advanced right contradicts a right in the access level, the advanced right overrides the right in the access level.
  • Rights override makes it possible for rights set on a child object to override rights that are inherited from the parent object.

Folder Inheritance

Definition:

Folder inheritance allows principals to inherit any rights granted from the parent folder.

  • You need to set the object rights only once, at the folder level.
  • Folder inheritance is useful when you organize BI content into a folder hierarchy based on your organization's current security conventions.

For example, suppose that you create a folder called Sales Reports and give your Sales group View On Demand access to it. By default, every principal that has rights on the Sales Reports folder inherits the same rights on the reports you then publish to that folder.

In the figure "Folder inheritance example", rights have been set for a group on a folder: rights 1 and 5 have been granted and the rest left unspecified. With folder inheritance enabled, members of the group have the same rights on each object in the folder as the group has on the folder itself: rights 1 and 5 are inherited as granted and the rest remain unspecified.

With folder inheritance enabled, members of Group have rights on the object level identical to the rights of the group on the folder level.

Group Inheritance

Definition:

Group inheritance allows principals to inherit rights as the result of group membership.

  • Group inheritance proves especially useful when you organize all of your users into groups that coincide with your organization's current security conventions.
  • When group inheritance is enabled for a user who belongs to more than one group, the rights of every group the user belongs to on that object are taken into account when the system checks the user's rights.

The principal is denied any right that is explicitly denied in any parent group. The principal is also denied any right that is not specified anywhere. So, the principal is granted only those rights that are granted in one or more groups (explicitly or through access levels) and are not explicitly denied in any group.

Example 1:

In the "Example 1" figure, you can see how group inheritance works.

  • Red Group is a subgroup of Blue Group, so it inherits Blue Group's rights: in this case right 1 as granted and the rest as unspecified. Every member of Red Group inherits these rights.
  • In addition, any other rights set on the subgroup are inherited by its members. In this example, Green User is a member of Red Group and so inherits right 1 as granted, rights 2, 3, 4, and 6 as not specified, and right 5 as denied.
Group inheritance example 1.
Example 2:

In "Example 2", Green User is a member of two unrelated groups.

  • From Blue Group, the user inherits rights 1 and 5 as granted and the rest as not specified.
  • However, because Green User also belongs to Red Group, and Red Group has been explicitly denied right 5, the grant of right 5 inherited from Blue Group is overridden: the effective setting for right 5 is denied.
Group inheritance example 2.
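To make the aggregation rules, the rights override behaviour, and the two group inheritance examples above concrete, here is a small effective-rights calculator written for this lesson as an added example. It is not SAP code and calls no BI Platform API; it only encodes the rules stated on this page: Denied beats Granted beats Not Specified; an advanced right overrides an access level; an explicit setting on a child object or child group overrides what is inherited from the parent folder or parent group; and the Inherit From Parent Folder and Inherit From Parent Group check boxes can be switched off per assignment. The six rights are the numbered rights from the figures. The access levels View, Schedule, Full Control and Deny All Access (CAL) are assumed, simplified right sets constructed for these six rights, not the platform's real definitions. The lesson_scenarios() function re-creates group inheritance examples 1 and 2, the folder inheritance example, and the Full Control + Deny All Access (CAL) aggregation for user A01.

```python
"""Effective-rights calculator for the rules in this lesson (constructed, not SAP code).
Rights are the integers 1..6 of the figures; the access levels are assumed six-right versions."""

NS, G, D = "NS", "G", "D"            # Not Specified, Granted, Denied
RIGHTS = (1, 2, 3, 4, 5, 6)
ACCESS_LEVELS = {                    # right -> setting; a right not listed is NS
    "No Access": {},
    "View": {1: G, 2: G},
    "Schedule": {1: G, 2: G, 3: G, 4: G},
    "Full Control": {r: G for r in RIGHTS},
    "Deny All Access (CAL)": {r: D for r in RIGHTS},
}

def combine(*settings):
    """Aggregate settings for one right: Denied beats Granted beats Not Specified."""
    return D if D in settings else G if G in settings else NS

class Node:          # a principal (parents = its groups) or an object (parents = its folder)
    def __init__(self, name, parents=()):
        self.name, self.parents = name, list(parents)

class Assignment:    # what is set on one object for one principal in the CMC
    def __init__(self, levels=(), advanced=None, inherit_folder=True, inherit_groups=True):
        self.levels, self.advanced = list(levels), dict(advanced or {})
        self.inherit_folder, self.inherit_groups = inherit_folder, inherit_groups

class SecurityModel:
    def __init__(self):
        self.assignments = {}

    def assign(self, obj, principal, **settings):
        self.assignments[(obj.name, principal.name)] = Assignment(**settings)

    def effective(self, obj, principal, right):
        """Advanced right beats access levels; access levels aggregate. Rights override:
        an explicit setting here beats anything inherited. Otherwise aggregate what the
        parent folder and the parent groups pass down, if the check box is enabled."""
        a = self.assignments.get((obj.name, principal.name), Assignment())
        setting = a.advanced.get(right, NS)
        if setting == NS:
            setting = combine(*(ACCESS_LEVELS[l].get(right, NS) for l in a.levels))
        if setting != NS:
            return setting
        inherited = []
        if a.inherit_folder:
            inherited += [self.effective(f, principal, right) for f in obj.parents]
        if a.inherit_groups:
            inherited += [self.effective(obj, g, right) for g in principal.parents]
        return combine(*inherited)

    def effective_rights(self, obj, principal):
        return {r: self.effective(obj, principal, r) for r in RIGHTS}

    def allowed(self, obj, principal, right):
        """Access check: anything not Granted, including Not Specified, is denied."""
        return self.effective(obj, principal, right) == G

def lesson_scenarios():
    """Re-creates the lesson's examples and returns each one's effective rights."""
    folder, out = Node("Sales Reports"), {}

    # Group inheritance example 1: Red Group is a subgroup of Blue Group.
    blue = Node("Blue Group")
    red = Node("Red Group", parents=[blue])
    green = Node("Green User", parents=[red])
    m = SecurityModel()
    m.assign(folder, blue, advanced={1: G})
    m.assign(folder, red, advanced={5: D})
    out["example 1"] = m.effective_rights(folder, green)

    # Example 2: Green User is in two unrelated groups; Red Group denies right 5.
    blue, red = Node("Blue Group"), Node("Red Group")
    green = Node("Green User", parents=[blue, red])
    m = SecurityModel()
    m.assign(folder, blue, advanced={1: G, 5: G})
    m.assign(folder, red, advanced={5: D})
    out["example 2"] = m.effective_rights(folder, green)
    m.assign(folder, green, inherit_groups=False)      # untick Inherit From Parent Group
    out["example 2, no group inheritance"] = m.effective_rights(folder, green)

    # Folder inheritance: rights 1 and 5 granted to Group on the folder flow down to
    # a report published in it; rights override then denies right 5 on the report.
    group, report = Node("Group"), Node("Report", parents=[folder])
    m = SecurityModel()
    m.assign(folder, group, advanced={1: G, 5: G})
    out["folder inheritance"] = m.effective_rights(report, group)
    m.assign(report, group, advanced={5: D})
    out["rights override"] = m.effective_rights(report, group)

    # Access-level aggregation: user A01 is in G1 and G2, one access level each.
    g1, g2 = Node("G1"), Node("G2")
    a01 = Node("A01", parents=[g1, g2])
    m = SecurityModel()
    m.assign(folder, g1, levels=["Full Control"])
    m.assign(folder, g2, levels=["Deny All Access (CAL)"])
    out["Full Control + Deny All Access (CAL)"] = m.effective_rights(folder, a01)
    return out

if __name__ == "__main__":
    print(lesson_scenarios())
```

Run the script and compare each dictionary with the corresponding figure: example 1 and example 2 both end with right 1 granted and right 5 denied, the report inherits rights 1 and 5 from the folder until right 5 is explicitly denied on the report itself, and Deny All Access (CAL) wins over Full Control for A01 on every right. The allowed() check is the part that matters for access decisions: a right that ends up Not Specified is treated as denied, which is why the principal with group inheritance switched off can do nothing even though its groups still hold rights on the folder.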

Implement Folder Security

In this exercise, you will implement folder security in SAP BusinessObjects BI Platform 2025.

Summary

  • Rights control access to objects, but setting explicit rights for every user and object can be impractical due to the sheer number of combinations.
  • SAP BusinessObjects BI Platform 2025 uses group and folder inheritance to simplify rights management, allowing principals to inherit rights based on their group memberships and the objects' location within folders.
  • In case of conflicts, 'Denied' rights override 'Granted' rights, and 'Granted' rights override 'Not Specified' rights.
  • Principals inherit rights from parent folders, making it efficient to set rights at the folder level rather than individually for each object.
  • Principals inherit rights from their group memberships, with explicit denials in any group taking precedence.