Describing Rights Settings

The CMC allows for greater flexibility in security by allowing granular level rights for objects and sub-objects.

For example, you can use the rights settings to customize a principal's rights to a particular object or set of objects. You can use rights to deny a user or group that must not be changed if there is a modification to group memberships or folder security levels.

The following table summarizes the options that you have when you set rights.

Type-specific rights are rights that affect specific object types only, such as Crystal Reports, folders, or access levels. Type-specific rights consist of the following:

• General rights for the object type

  These rights are identical to general global rights (for example, the right to add, delete, or edit an object), you set them on specific object types to override the general global rights settings.

• Specific rights for the object type

  These rights are available for specific object types only. For example, the right to export a report's data appears for Crystal Reports, but not for Word documents.

Type-specific rights are useful because they let you limit the rights of principals based on object type. Consider a situation in which an administrator wants employees to add objects to a folder but not create sub-folders. The administrator grants Add rights at the general global level for the folder, and then denies Add rights for the folder object type.

Rights are divided into collections based on the object types to which they apply.

Rights Collections

General

These rights affect all objects.

Content

These rights are divided according to particular object types. Examples of content object types include Crystal Reports and Adobe Acrobat PDFs.

Application

These rights are divided according to which BI platform application they affect. Examples of applications include the CMC and BI Launch Pad.

System

These rights are divided according to which core system component they affect. Examples of core system components include Calendars, Events, and Users and Groups

Type-specific rights are in the Content, Application, and System collections. In each collection, type-specific rights are further divided into categories based on object type.

Scope of rights controls the extent of rights-inheritance. You can define the scope of rights to the object, its sub-objects, or both. 

Scope of rights is used to protect personal content in public folders. For example, you have a shared Expense Claims folder that has Personal Expense Claims sub-folders for each employee. You want all employees to view the Expense Claims folder and add objects to it. But, you don't want employees to access other employees Personal Expense Claims sub-folders. To protect personal content, you can grant all employees View and Add rights on the Expense Claims folder. You limit the scope of these rights to the Expense Claims folder only. Then for each employee, you grant access to their assigned personal sub-folders.

Scope of rights can also limit the effective rights that a delegated administrator has. A delegated administrator may have Edit rights on a folder, but the scope of these rights is limited to the folder only and don't apply to its sub-objects.

Rights override happens under the following circumstances:

• The rights that are set on child objects override the rights that are set on parent objects.

• The rights that are set on sub-groups or members of groups override the rights that are set on groups.

You don’t need to disable inheritance to customized rights on an object. The child object inherits the rights settings of the parent object except for the rights that are explicitly set on the child object. Any changes to rights settings on the parent object apply to the child object.