Determine Effective Rights and Inheritance

Objectives

After completing this lesson, you will be able to:

  • Implement a security model in the BI platform
  • Evaluate a security model

Rights and Inheritance

Rights are set on an object for a principal to control that principal's access to the object. Setting an explicit value for every possible right, for every principal, on every object is not practical: with 100 rights, 1,000 users, and 10,000 objects you would have to store and maintain a billion individual right values.

Inheritance resolves this problem. With inheritance, the rights a principal has to an object come from a combination of the principal's group memberships (groups and sub-groups) and the object's position in the folder hierarchy (folders and sub-folders). The BI platform recognizes two types of inheritance:

  • Group inheritance: principals inherit rights as a result of group membership, and sub-groups inherit rights from their parent groups.
  • Folder inheritance: principals inherit rights on an object from the folder in which the object is stored.

By default, principals who have rights to a folder inherit the same rights for any objects that are then published to that folder. The recommended strategy is to set the appropriate rights for principals at the folder level first, then publish objects to that folder.

Determining Effective Rights

If a user belongs to more than one group and the rights assigned to those groups conflict, a Denied (D) right overrides a Granted (G) right, and a Granted (G) right overrides a Not Specified (NS) right. A right that no assignment specifies is treated as denied:

  • NS = D
  • NS + G = G
  • NS + D = D
  • G + D = D
  • NS + G + D = D

See the following video to determine effective rights in scenarios involving users, groups and folders.

The following scenarios are covered in the video:

  1. A user is a member of a group. The user and the group have different rights to the same folder.
  2. A user is a member of two different groups, and each group has been assigned different rights to the same folder.
  3. A user is a member of two different groups, and each group has rights to folders at different levels of the hierarchy.
  4. A user is a member of a subgroup that is a member of a group. The parent group is Granted and the subgroup is Denied the right to the same folder.
  5. A user is a member of a subgroup that is a member of a group. The parent group is Denied while the subgroup is Granted access to the same folder.
  6. A user is a member of a subgroup that is a member of a group. The group and subgroup have different assigned rights to a folder and its subfolder.
  7. A subgroup is a member of a group, and the user is a direct member of both the group and the subgroup. The group and subgroup have different rights to the same folder.

Keep these considerations in mind when you set rights on an object:

  • Each access level grants some rights, denies some rights, and leaves the remaining rights unspecified. When a user is granted several access levels, the system aggregates the effective rights and denies any right that is still unspecified.
  • When you assign several access levels to a principal on an object, the principal has the combination of the rights of each access level.
  • Advanced rights can be combined with access levels to customize the rights settings for a principal on an object. If an advanced right contradicts a right in the access level, the advanced right overrides the right in the access level.
  • Rights override makes it possible for rights set on a child object to override rights that are inherited from the parent object.

Folder Inheritance

Folder inheritance allows principals to inherit any rights granted on the parent folder. Folder inheritance is useful when you organize BI platform content into a folder hierarchy based on your organization's current security conventions. For example, suppose that you create a folder called Sales Reports and give your Sales group View On Demand access to this folder. By default, every user that has rights to the Sales Reports folder inherits the same rights to the reports that you then publish to this folder. You need to set the object rights only once, at the folder level.

Group Inheritance

Group inheritance allows principals to inherit rights as the result of group membership. Group inheritance proves especially useful when you organize all of your users into groups that coincide with your organization's current security conventions.

When group inheritance is enabled for a user who belongs to more than one group, the rights of all groups to which the user belongs are considered when the system checks the user's access to an object. The principal is denied any right that is explicitly denied in any parent group, and is also denied any right that is not specified. So the principal is granted only those rights that are granted in one or more groups (explicitly or through access levels) and are not explicitly denied in any group.

Implement Folder Security

Troubleshooting Rights Issues

Troubleshooting user rights can be a laborious undertaking for a system administrator. The BI platform includes two tools that help:

  • Security Query

    The Security Query tool enables an administrator to list the objects a principal can access. It also enables the administrator to change the security settings from the query result interactively.

  • Permissions Explorer

    The Permissions Explorer displays principal rights.

Security Queries

Sometimes you want to know which objects a principal has been granted or denied access to.

Security queries let you determine which objects a principal has certain rights to, and manage those rights. For each security query, you enter the following information:

Parameters for Security Queries

  • Query Principal

    You specify the user or group for which you want to run the security query. You choose one principal per security query.

  • Query Permission

    You specify the right or rights that you want to run the security query for, the status of these rights, and the object type on which these rights are set.

  • Query Context

    You specify the areas that you want the security query to search. For each area, you can choose whether to include sub-objects in the security query.

Verify Access Rights using Permissions Explorer and Security Query

Summary of Hierarchical Rules

The following is a summary of Hierarchical Rules:

  • A more specific assignment overrides a less specific assignment, for example an assignment on a sub-object overrides one inherited from a parent object.
  • Groups can have sub-groups and users. Subgroups and users are treated as members of the parent group.
  • The rights given to the group closest to the principal take precedence (without breaking inheritance).
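The following Python model is an added example written for this lesson; it is not code from the BI platform or from the course material. It implements the resolution rules described above in one place: the D > G > NS combination table, group inheritance through sub-groups, folder inheritance down the object tree, rights override on a child object, and the hierarchical rule that the assignment closest to the principal wins. It also includes a small `query` method modelled on the Security Query parameters (principal, permission and status, context with or without sub-objects). The `SecurityModel` class, the group, user and folder names and the assignment data are all constructed for illustration. One ordering choice is an assumption of this model and not a statement about the product: when two assignments differ in both object depth and group distance, the model compares object depth first.

```python
from collections import deque
from enum import Enum


class Right(Enum):
    NS = "Not Specified"
    G = "Granted"
    D = "Denied"


def combine(values):
    """Resolve a conflict at equal specificity: D overrides G, G overrides NS."""
    values = set(values)
    if Right.D in values:
        return Right.D
    if Right.G in values:
        return Right.G
    return Right.NS  # NS on its own is treated as denied by the platform


class SecurityModel:
    """Toy model of principals, a folder tree and explicit right assignments."""

    def __init__(self):
        self.groups_of = {}    # principal -> set of groups it is a direct member of
        self.folder_of = {}    # object -> parent folder, None for a top-level folder
        self.assignments = {}  # (principal, object, right name) -> Right.G or Right.D

    def add_member(self, member, group):
        self.groups_of.setdefault(member, set()).add(group)
        self.groups_of.setdefault(group, set())

    def add_object(self, obj, folder=None):
        self.folder_of[obj] = folder

    def assign(self, principal, obj, right_name, value):
        self.assignments[(principal, obj, right_name)] = value

    def _group_distance(self, principal):
        """Group inheritance: the user is 0, direct groups 1, their parent groups 2, ..."""
        dist, queue = {principal: 0}, deque([principal])
        while queue:
            p = queue.popleft()
            for g in self.groups_of.get(p, ()):
                if g not in dist:
                    dist[g] = dist[p] + 1
                    queue.append(g)
        return dist

    def _object_depth(self, obj):
        """Folder inheritance: the object is 0, its folder 1, ... up to the top-level folder."""
        depth, cur, d = {}, obj, 0
        while cur is not None:
            depth[cur] = d
            cur, d = self.folder_of.get(cur), d + 1
        return depth

    def effective(self, principal, obj, right_name):
        """Effective right of `principal` on `obj`.

        Every assignment reachable through group membership and the object's folder
        chain is a candidate. The most specific candidates win: lowest object depth
        first (a right set on a child object overrides the inherited one), then lowest
        group distance (the user itself, or the group closest to it, beats a more
        distant parent group). Comparing object depth before group distance is an
        assumption of this model. Ties are resolved with combine(), so Deny beats Grant.
        """
        gd, od = self._group_distance(principal), self._object_depth(obj)
        candidates = [((od[o], gd[p]), v) for (p, o, r), v in self.assignments.items()
                      if r == right_name and p in gd and o in od]
        if not candidates:
            return Right.NS  # nothing specified anywhere: denied by default
        best = min(key for key, _ in candidates)
        return combine(v for key, v in candidates if key == best)

    def is_allowed(self, principal, obj, right_name):
        """Only an effective Grant allows the action; NS counts as denied."""
        return self.effective(principal, obj, right_name) is Right.G

    def query(self, principal, right_name, status, context, include_sub_objects=True):
        """Security query: objects under `context` whose effective right equals `status`."""
        scope, i = [context], 0
        while include_sub_objects and i < len(scope):
            scope.extend(o for o, f in self.folder_of.items() if f == scope[i])
            i += 1
        return sorted(o for o in scope if self.effective(principal, o, right_name) is status)


def build_demo():
    """Constructed sample data; every name here is invented for this example."""
    m = SecurityModel()
    m.add_member("alice", "Sales")        # alice is in two unrelated groups
    m.add_member("alice", "Auditors")
    m.add_member("bob", "Sales East")     # bob is in a sub-group of Sales
    m.add_member("Sales East", "Sales")
    m.add_member("carol", "Auditors")
    m.add_object("Sales Reports")         # top-level folder
    m.add_object("Q1 Pipeline", folder="Sales Reports")
    # Folder-level assignments, set once at the top of the tree (the recommended way)
    m.assign("Sales", "Sales Reports", "View", Right.G)
    m.assign("Auditors", "Sales Reports", "View", Right.D)   # G + D = D for alice
    # Parent group denied, sub-group granted: the group closest to bob wins
    m.assign("Sales", "Sales Reports", "Edit", Right.D)
    m.assign("Sales East", "Sales Reports", "Edit", Right.G)
    # Broken inheritance: an explicit Deny on the child object overrides the folder
    m.assign("Sales", "Q1 Pipeline", "Edit", Right.D)
    # A user-level assignment is more specific than the user's group
    m.assign("carol", "Sales Reports", "View", Right.G)
    return m
```

`build_demo().effective("bob", "Sales Reports", "Edit")` returns Granted because the Sales East assignment is closer to bob than the parent group's Deny, while the same right on `Q1 Pipeline` is Denied because the child object carries its own explicit Deny. A right that no assignment mentions (for example "Schedule") comes back as Not Specified and `is_allowed` treats it as denied, which is the `NS = D` row of the table. `query("bob", "Edit", Right.D, "Sales Reports")` lists just `Q1 Pipeline`, the kind of answer an administrator would look for when troubleshooting why a user can see a folder but not edit one report inside it.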

Summary of Recommendations

The following are the recommendations for security:

  • Set rights and access levels on top-level folders. Enabling inheritance allows these rights to be passed down through the system with minimal administrative intervention.

  • Avoid breaking inheritance whenever possible.

For more information, see the summary of recommendations for rights administration.
