Rights are the base units for controlling user access to the objects, users, applications, servers, and other features in the BI platform. They are administered using the Central Management Console (CMC).
They play an important role in securing the system by specifying the individual actions that users can perform. Besides enabling access control to your BI platform content, rights enable you to delegate user and group management to different departments. Rights also give your IT department access to servers and server groups.
You can set rights on folders and objects using principals; that is, users and groups who access the objects. To give a manager access to a particular folder, you add the manager to the Access Control List for the folder. You can't give the manager access by configuring the manager's rights settings in the Users and Groups area. The User Security settings for the manager in the Users and Groups area are used to grant other delegated administrators access to the manager as an object in the system.
Rights on objects can be Granted, Denied, or Not Specified. If a right is Not Specified, the right is denied by default for an object (because no grant exists). Also, if a right resolves to both Granted and Denied for a user or group, the right is denied (a Deny right overrides a Grant right).
An important exception to this rule happens when a right is explicitly set on a child object that contradicts the rights inherited from the parent object. In this case, the right set on the child object overrides the inherited rights. This exception also applies to users who are members of groups. If a user is explicitly granted a right that is denied to the user's group, the right set on the user overrides the inherited right from the group.
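The resolution rules above, shown as an added example (this is not SAP code and not a BI platform API): a simplified Python model that resolves a single right for a user on an object. The folder, group and user names are constructed, and the order in which object inheritance and group membership are combined is an assumption of this sketch.

```python
# Simplified model of the rules above for ONE right (for example "View").
# States as on the page: G = Granted, D = Denied, NS = Not Specified.
G, D, NS = "G", "D", "NS"

def principal_state(acl, parents, obj, principal):
    """Nearest explicit ACE for one principal, walking from obj up to the root.
    An ACE set on a child object overrides the one inherited from its parent."""
    while obj is not None:
        state = acl.get((obj, principal), NS)
        if state != NS:
            return state
        obj = parents.get(obj)
    return NS

def effective_right(acl, parents, groups, obj, user):
    """Return (allowed, reason) for `user` on `obj`."""
    own = principal_state(acl, parents, obj, user)
    if own != NS:
        # A right set on the user overrides what comes from the user's groups.
        return own == G, "set on user: " + own
    states = [principal_state(acl, parents, obj, g) for g in groups.get(user, [])]
    if D in states:
        return False, "denied via group (Deny overrides Grant)"
    if G in states:
        return True, "granted via group"
    return False, "not specified, denied by default"

# Constructed sample data; every folder, group and user name is hypothetical.
PARENTS = {"Sales": None, "Sales/Q1": "Sales", "HR": None}
GROUPS = {
    "analyst": ["Global Sales Team"],
    "intern": ["Contractors"],
    "temp": ["Global Sales Team", "Contractors"],
    "manager": ["Contractors"],
}
ACL = {
    ("Sales", "Global Sales Team"): G,
    ("Sales", "Contractors"): D,
    ("Sales/Q1", "Contractors"): G,   # explicit ACE on the child folder
    ("Sales", "manager"): G,          # explicit ACE on the user
}

if __name__ == "__main__":
    for user in GROUPS:
        for obj in PARENTS:
            allowed, reason = effective_right(ACL, PARENTS, GROUPS, obj, user)
            print(f"{user:8} {obj:9} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Running it prints one line per user and folder, which makes it easy to see where a Deny on a group is masked by an explicit grant lower in the hierarchy or on the user.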
BI Platform Security Terminology
- A right in the BI platform is also referred to as Access Control Entry (ACE).
- An ACE can be set to one of three states: Explicit Denial (D), Explicit Grant (G), or Not Specified (NS).
- A list of all ACEs is referred to as an Access Control List (ACL).
- A combination of ACEs and states (for example Right to Schedule - G, Right to View - G, Right to Modify - D, and so on) makes up an Access Level.
- The BI platform includes predefined Access Levels: View, Schedule, View On Demand, and Full Control. You can create Custom Access Levels.
- Groups and users in the system are also referred to as principals. In the BI platform, you give rights to principals on objects (folder, document, application).
You can assign rights to groups or users (called Principals). It is recommended that you assign rights to groups rather than users to simplify overall security management. To assign rights in the CMC, navigate to the object (folder, report, application, etc.) and then identify the principal (user or group) for whom you need to modify access. For example, if the Global Sales Team needs access to a specific folder, you navigate to that folder (not to the group).