Administering Access Rights

Objectives

After completing this lesson, you will be able to:

  • Administer rights using CMC

Rights in the BI Platform

Rights are the base units for controlling user access to the objects, users, applications, servers, and other features in the BI platform. They are administered using the Central Management Console (CMC).

Rights play an important role in securing the system: they specify the individual actions that users can perform, which is how access control over your BI platform content is enforced. Rights also let you delegate user and group management to different departments, and they give your IT department access to servers and server groups.

You set rights on folders and objects for principals; that is, for the users and groups who access those objects. To give a manager access to a particular folder, you add the manager to the Access Control List of the folder. You cannot give the manager access by configuring the manager's rights settings in the Users and Groups area. The User Security settings for the manager in the Users and Groups area control something else: they grant other delegated administrators rights on the manager as an object in the system.

Rights on objects can be Granted, Denied, or Not Specified. If a right is Not Specified, it is denied by default: without an explicit grant, the principal cannot perform the action. If a principal ends up with both a Grant and a Denial for the same right (for example, through membership in two groups), the right is denied, because a Deny overrides a Grant.

An important exception to this rule occurs when a right is explicitly set on a child object in a way that contradicts the rights inherited from the parent object. In that case, the right set on the child object overrides the inherited right. The same applies to group membership: if a user is explicitly granted a right that is denied to the user's group, the right set on the user overrides the right inherited from the group. Because an explicit Grant on a child object or on an individual user can override a Denial set higher up, review explicit object-level and user-level entries when auditing who can reach sensitive content.

BI Platform Security Terminology

  • A right in the BI platform is also referred to as Access Control Entry (ACE).
  • An ACE can be set to one of three states: Explicit Denial (D), Explicit Grant (G), or Not Specified (NS).
  • A list of all ACEs is referred to as an Access Control List (ACL).
  • A combination of ACEs and states (for example Right to Schedule - G, Right to View - G, Right to Modify - D, and so on) makes up an Access Level.
  • The BI platform includes predefined Access Levels: View, Schedule, View On Demand, and Full Control. You can create Custom Access Levels.
  • Groups and users in the system are also referred to as principals. In the BI platform, you give rights to principals on objects (folder, document, application).

You can assign rights to groups or users (called Principals). It is recommended that you assign rights to groups rather than users to simplify overall security management. To assign rights in the CMC, navigate to the object (folder, report, application, etc.) and then identify the principal (user or group) for whom you need to modify access. For example, if the Global Sales Team needs access to a specific folder, you navigate to that folder (not to the group).

Rights Terminology

Access Levels

Access levels are groups of rights that users often need. They allow administrators to set common security levels quickly and uniformly rather than setting each individual right separately. The BI platform also comes with several predefined access levels.

Inheritance

The BI platform recognizes two types of inheritance: group inheritance and folder inheritance. Group inheritance allows principals to inherit rights as the result of group membership. Folder inheritance allows principals to inherit any rights that they've been granted on an object's parent folder.

Top-level folder security

Top-level folder security is the default security set for each specific object type (for example Universes, Groups, and Folders). Each object type has its own top-level folder (root folder) that all the sub-objects inherit rights from.

If there are any access levels common to certain object types that apply throughout the whole system, set them at the top-level folder specific to each object type. For example, if the Sales group needs the View access level to all folders, you can set this access at the root level for Folders.

Folder-level security

Folder-level security enables you to set access-level rights for a folder and the objects within the folder. While folders inherit security from the top-level folder (root folder), sub-folders inherit the security of their parent folder. Rights set explicitly at the folder level override inherited rights.

Object-level security

Objects in BI platform inherit security from their parent folder. Rights set explicitly at the object level override inherited rights.
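To make the resolution rules in this lesson concrete, the following Python model is added here as an example; it is not SAP code and does not reproduce the platform's actual algorithm. It models ACEs, ACLs and access levels as defined above, plus group inheritance and folder inheritance, and encodes the rules stated earlier: Not Specified means denied, a Deny beats a Grant, an ACE set on a child object beats one inherited from its parent folder, and an ACE set on a user beats one set on the user's group. The folder, user and group names, and the rights bundled into each access level, are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

G, D, NS = "G", "D", "NS"  # ACE states: Explicit Grant, Explicit Denial, Not Specified

# Access levels as bundles of ACE states (names follow the predefined levels; contents assumed).
LEVEL_VIEW = {"View": G}
LEVEL_SCHEDULE = {**LEVEL_VIEW, "Schedule": G}


@dataclass
class Obj:
    """A folder or document; acl maps principal -> {right: state}, one ACE each."""
    name: str
    parent: Obj | None = None
    acl: dict[str, dict[str, str]] = field(default_factory=dict)

    def set_ace(self, principal: str, right: str, state: str) -> None:
        self.acl.setdefault(principal, {})[right] = state

    def set_access_level(self, principal: str, level: dict[str, str]) -> None:
        self.acl.setdefault(principal, {}).update(level)  # one ACE per right in the level

    def chain(self) -> list[Obj]:
        """The object itself, then each parent folder up to the top-level folder."""
        out, cur = [], self
        while cur is not None:
            out.append(cur)
            cur = cur.parent
        return out


def groups_of(principal: str, members: dict[str, set[str]]) -> set[str]:
    """All groups a principal belongs to, following nested group membership."""
    found: set[str] = set()
    frontier = [principal]
    while frontier:
        p = frontier.pop()
        for group, who in members.items():
            if p in who and group not in found:
                found.add(group)
                frontier.append(group)
    return found


def state_on_object(obj: Obj, user: str, groups: set[str], right: str) -> str:
    """One right on one object, ignoring folder inheritance: an ACE on the user
    beats its groups' ACEs; among group ACEs a Denial beats a Grant; else NS."""
    own = obj.acl.get(user, {}).get(right, NS)
    if own != NS:
        return own
    group_states = {obj.acl.get(g, {}).get(right, NS) for g in groups}
    if D in group_states:
        return D
    return G if G in group_states else NS


def effective_right(obj: Obj, user: str, members: dict[str, set[str]], right: str) -> tuple[str, str | None]:
    """Effective state of a right for a user on an object, and where it was decided.
    Walks from the object up to the top-level folder; the nearest object with an
    explicit result wins (child overrides parent). Nothing specified anywhere: denied."""
    groups = groups_of(user, members)
    for node in obj.chain():
        state = state_on_object(node, user, groups, right)
        if state != NS:
            return state, node.name
    return D, None


def build_scenario() -> tuple[dict[str, Obj], dict[str, set[str]]]:
    """Constructed sample repository and group membership (not real data)."""
    root = Obj("Folders")  # top-level folder for the Folders object type
    sales = Obj("Sales", root)
    confidential = Obj("Sales/Confidential", sales)
    report = Obj("Sales/Confidential/Forecast", confidential)
    members = {"Sales Employees": {"alice", "bob"}, "Sales Managers": {"alice"}}
    # Top-level folder security: every sales employee can view all folders.
    root.set_access_level("Sales Employees", LEVEL_VIEW)
    # Folder-level security: managers may also schedule in Sales. The two groups
    # carry conflicting Edit ACEs, so alice, a member of both, is denied Edit.
    sales.set_access_level("Sales Managers", LEVEL_SCHEDULE)
    sales.set_ace("Sales Managers", "Edit", G)
    sales.set_ace("Sales Employees", "Edit", D)
    # Child overrides parent: employees lose View on the Confidential subfolder,
    # but alice is granted View as a user, which overrides her group's denial.
    confidential.set_ace("Sales Employees", "View", D)
    confidential.set_ace("alice", "View", G)
    return {"sales": sales, "confidential": confidential, "report": report}, members


if __name__ == "__main__":
    objs, members = build_scenario()
    checks = [("bob", "sales", "View"), ("bob", "report", "View"), ("alice", "report", "View"),
              ("bob", "sales", "Schedule"), ("alice", "sales", "Edit")]
    for user, obj, right in checks:
        state, where = effective_right(objs[obj], user, members, right)
        print(f"{user:5} {right:8} on {objs[obj].name:27} -> {state} (decided at {where})")
```

Running the script shows each decision and the object at which it was made. Two cases are worth comparing with the rules above: bob's Schedule right on Sales is denied although no ACE denies it (Not Specified everywhere), and alice's Edit right on Sales is denied because her two groups carry a Grant and a Denial at the same folder, even though her own View right on the Confidential subfolder overrides the denial her group inherits there.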

Predefined Access Levels

Predefined access levels are based on a model of increasing rights: Beginning with View and ending with Full Control, each access level builds upon the rights granted by the previous level.

These can be used to quickly assign commonly needed access rights. Exploring the specific rights assigned in these predefined access levels also helps you identify which rights logically belong together. For example, a user who has the Edit Object right also needs the View Object right granted in order to actually make modifications. In other words, you cannot edit what you cannot see.

Note
As predefined access levels are statically defined with a preset selection of rights, they can be restrictive when configuring fairly complex security models. You can create Custom Access Levels, which give you greater flexibility as you design your security model.

The following link summarizes the rights that each predefined access level includes.

Predefined Access Levels

Custom Access Levels (CAL)

You can create your own custom access levels, which greatly reduce the administration related to content security.

For example, if you manage two groups, sales managers and sales employees, you can create two custom access levels, one for each group. You add both groups as principals to the folders that contain the report objects, and then control report access by assigning the appropriate custom access level to each group. Overlapping security rights scenarios such as this one are discussed later in this course.
