Sep 14 2010

What Happened to Security Access Levels?

Categories: General Dave Rathbun @ 9:28 am

In the “good old days” we used to have a somewhat primitive form of object-level security. In the universe a designer could pick from one of five security access levels for each individual object. The settings were public, controlled, restricted, confidential, and private. The text was just a placeholder; behind the scenes the values were stored in the OBJ_M_ACTOR table as a value from zero (0) to four (4). As long as a user had a security level that was greater than or equal to an object security level, that user could see that object.

Last week I was asked to discuss security objects on a universe, and of course I thought about this. However, it seems that there is no matching setting in the CMC anymore. In my experience, nobody used this feature very much (it’s not very flexible and it takes a long time to set up) but it seems weird that it’s just gone from CMC.

Is anyone using this feature? If so, how do you configure the user side of the system?

[Screenshot: security_access]

11 Responses to “What Happened to Security Access Levels?”

  1. Comment by Ifan Paxton

    Hi Dave
    This is not something I am using, but after your post I was determined to find out where it was set! I am using BOE 3.1 SP3 and it’s set under universes in the CMC: right-click the universe and select Universe Security; you can then select the group or user to apply the object-level security to.
    Cheers
    Ifan

  2. Comment by Lugh

    Are you talking about in 4.0? Because I still use it in 3.1. I just checked in my CMC, and it is there. Right-click on a universe, and select Universe Security. You can set those levels for groups or individual users.

    I use it in cases where I want to only reveal an object or class to a specific group. Object-level security only allows you to hide objects, not reveal them. I frequently have scenarios in which I do not have a neat inverse group to hide specific objects with.

  3. Comment by Ton

    Hi Dave, Never used it and I am pretty sure this feature is overlooked by the BO technicians with regards to the CMC. Never wanted to know the name of the store anyway 🙂

  4. Comment by adnohr

    I think all you can do is create restrictions on the universe by creating a group and adding objects that you don’t want to be accessible, then assign users to the groups being restricted. I don’t think the levels work anymore. You can create unlimited groups instead of the 5 levels. But why it’s still there is a mystery. They probably never used it either and forgot all about it!

    We could never figure out how to use those restrictions without damaging the ‘corporate documents’ if the user couldn’t use an object, but had rights to change a report.

  5. Comment by Dave Rathbun

    I never used it for serious security work. However, I did use the “private” setting in some universes. What I would do during development is create objects for primary keys, surrogate keys, and other table columns that users would normally never see. I would set this to “private” on the screen shown above. Then I would set all of my universe developers up as “private” users at the same time. That meant I could log in to production and see keys and other table contents that I might need for debugging purposes.

    To everyone that responded, thanks for the tips! I would never have looked at the universe because I was predisposed to look at the user configuration, since that’s how it worked in 6.5 and earlier. I will have a look and see if I can make it happen.

    Now here’s the interesting part: I did set an object to Private and export the universe, and I was still able to see it even without promoting my user account to that same level. Should that have happened?

  6. Comment by Ran Braun

    At my firm we don’t use this feature for our universe security (we are running BO6.5, in the middle of moving to BOXI 3.1) – it’s too general, say I want you to see objects in 1 universe but not in another, while allowing someone else the opposite.
    We manage the security via universe groups in the supervisor, we open a group per universe, and “hide” the objects at the Universe properties of that group.

  7. Comment by Mike McErlain

    Dave, if you’ve had the great pleasure of managing security in a 2.x or 3.x environment, you’ll find that the best way to set this up is with security groups which then have access to the appropriate level(s) for the universe. If it’s set up properly then providing the access is quick by adding a user to the group. And only those users that belong to the group will be able to see the “secured” objects.

    In case you want to know where I learned this? It was on BOB! Still an incredible resource after all these years (or because of all these years and all the good people)!

  8. Comment by Norm Rosen

    We have used this feature through several versions of BO to hide objects that allow the user to identify individual members of our health plans (Full Name, SSN, etc.). It works just as well in XI as it did in versions 5 and 6.

    Some objects are set to Controlled and some are Restricted. Since all our security is done at the group level, we set up 2 groups – CDW Object Security Level Controlled and CDW Object Security Level Restricted – and gave them Controlled and Restricted security, respectively, on the CDW universe folder. A user with query access to a CDW universe can request access to the Controlled and/or Restricted objects. If approved, they’re added to the appropriate group. Haven’t had any problems with it yet.

  9. Comment by Vamsi Ch

    Hello,

    I used this when I tried to show a few objects to a group, as mentioned in http://www.forumtopics.com/busobj/viewtopic.php?t=138908

    Vamsi Ch

  10. Comment by Melwyn D'souza

    Hi,

    Is there any basic difference in the workings of the different levels, or is it just a hierarchical access restriction on the objects of a universe?

  11. Comment by Dave Rathbun

    There were two security levels: one for each object, and one for a user. As long as the user security level was greater than or equal to the object security level they could see that object on the query panel. It wasn’t very flexible, but useful in certain cases.