If you are unable to create a new account, please email support@bspsoftware.com

 

News:

MetaManager - Administrative Tools for IBM Cognos
Pricing starting at $2,100
Download Now    Learn More

Main Menu

security merge

Started by iceacman, 25 Apr 2014 04:37:27 AM

Previous topic - Next topic

iceacman

For example
there are two user groups: A and B
in framework manager, we have a object X ,which A has access and B has NO access
now we have a user who is member of both groups: A and B
logically, he has no access to object X

Due to user's demands and some constraints, there is unfortunately one user like this who need to access X and there is no possibility to create another group just for him.
So, is there a way satisfay this need?

Thx

MFGF

Hi,

When you say group B has no access to object X, do you mean group B doesn't have "Allow" checked or do you mean group B has "Deny" checked?

If it's the former, simply add the user into the access list and check the "Allow" option for the user.

If the latter, you will need to change your strategy to use the former approach. Uncheck the "Deny" option for Group B and add the user to the list and check "Allow". Then make sure thsat Group B has no inherited access defined at higher levels within the structure.

Cheers!

MF.
Meep!

iceacman

Thanks MF
group B is denied to object X
and we cannot uncheck the deny for group B since there are other normal users who are under group B and who shouldn't have access to object X.

obviously there is a problem of designing the serucity group in the beginning, and as now it's already in production, i'm wondering maybe there is a workground other than creating a new group, which is doable but will cost pretty much dimes.
something like when user have two groups, 'allow' will take the place of 'deny' wherever there is a  contradiction.

Quote from: MFGF on 25 Apr 2014 05:35:20 AM
Hi,

When you say group B has no access to object X, do you mean group B doesn't have "Allow" checked or do you mean group B has "Deny" checked?

If it's the former, simply add the user into the access list and check the "Allow" option for the user.

If the latter, you will need to change your strategy to use the former approach. Uncheck the "Deny" option for Group B and add the user to the list and check "Allow". Then make sure thsat Group B has no inherited access defined at higher levels within the structure.

Cheers!

MF.

MFGF

Quote from: iceacman on 25 Apr 2014 06:31:15 AM
Thanks MF
group B is denied to object X
and we cannot uncheck the deny for group B since there are other normal users who are under group B and who shouldn't have access to object X.

obviously there is a problem of designing the serucity group in the beginning, and as now it's already in production, i'm wondering maybe there is a workground other than creating a new group, which is doable but will cost pretty much dimes.
something like when user have two groups, 'allow' will take the place of 'deny' wherever there is a  contradiction.

Hi,

It's not the way it works, sorry. If you omit access by not checking the "Allow" checkbox, then it's a simple job to allow access from a different user/group etc. However, checking "Deny" is specifying an explicit deny, and it overrides "Allow" checked elsewhere.

MF.
Meep!

iceacman

so just one question, if i uncheck 'deny' and 'allow' at the same time? will this group be granted the right to access or not?
Quote from: MFGF on 25 Apr 2014 07:16:24 AM
Hi,

It's not the way it works, sorry. If you omit access by not checking the "Allow" checkbox, then it's a simple job to allow access from a different user/group etc. However, checking "Deny" is specifying an explicit deny, and it overrides "Allow" checked elsewhere.

MF.

MFGF

Quote from: iceacman on 25 Apr 2014 08:11:18 AM
so just one question, if i uncheck 'deny' and 'allow' at the same time? will this group be granted the right to access or not?

No - not unless they are granted access elsewhere. That's my point. If you restrict access by not having "allow" checked, then you can easily allow it for another group or user - that's what I was suggesting in my first reply. If you have "deny" checked, it overrides any other "allow" options for the group or user.

Cheers!

MF.
Meep!

iceacman

ok thanks again, looks like we have no other choice but a group^.^
Quote from: MFGF on 25 Apr 2014 08:45:19 AM
No - not unless they are granted access elsewhere. That's my point. If you restrict access by not having "allow" checked, then you can easily allow it for another group or user - that's what I was suggesting in my first reply. If you have "deny" checked, it overrides any other "allow" options for the group or user.

Cheers!

MF.