Controlling Repository Rights | Crystal Reports 10: The Complete Reference

With a shared repository, as with company database connections and network resources, you may wish to limit the ability to update or delete repository objects to a certain set of key users, while permitting the rest of those sharing the repository to just add existing repository items to their reports. As the Crystal Reports 10 repository is now managed by Crystal Enterprise, you make use of Crystal Enterprise user and group permissions to accomplish this.

While typical Crystal Enterprise user and group right assignment is accomplished in the Crystal Management Console (more detail on Crystal Enterprise architecture and management is discussed in Part II of the book), repository rights are maintained in the new Crystal Enterprise Business View Manager. If you don t already have access to the Business View Manager in an existing Crystal Enterprise installation, you must specifically install the Business View Manager on a Windows computer from the CE product CD. And, needless to say, since the repository is now part of Crystal Enterprise, you must have a functional Crystal Enterprise system in place to make use of the Business View Manager.

Note	Other Business View capabilities of the Business View Manager not relating to repository rights are covered in Chapter 17, Creating and Using Business Views.

Start the Business View Manager from your Windows start menu. You will be prompted to log on to Crystal Enterprise. Ensure that you use a CE user ID (initially, the Administrator ID or a member of the Administrators group will be required) that provides sufficient rights to change repository security. The Business View Manager will appear, with a docked Repository Explorer window appearing inside it (similar in appearance to the Repository Explorer in Crystal Reports). If you choose, you may undock the Repository Explorer and move it around as a free-floating window.

Notice that the folder structure of the repository is exposed in the Repository Explorer: your CE Crystal Management Server name appears at the top of the folder hierarchy, with top-level folders appearing below them. If you click the plus sign next to a folder, it expands to show any subfolder or repository objects within it.

Notice an additional folder labeled Custom Functions that you may not have seen before in other versions of the Repository Explorer for Formula Workshop. This is the dedicated folder within the repository where all custom functions are held. As you can t specify a folder name in the Formula Workshop when adding a custom function, they will all be placed in this single repository folder.

Consider this repository folder and object hierarchy carefully when planning your repository security plan. If you simply want to supply a single set of repository rights for the entire repository (perhaps you want Administrators to have full repository rights, but everyone else to have only read rights), you may set repository rights at the Crystal Management Server level . However, if you want to provide more granular rights (perhaps you want a Sales group to have full rights to the entire Sales repository folder or just certain objects or subfolders within the Sales folder), then you may set rights at the folder and object level .

Furthermore, you will want to consider the concept of rights inheritance , the capability to set rights at a higher level in the repository (perhaps on the Crystal Management Server or a top-level folder) and have the rights automatically inherited by folders, subfolders, and objects at lower levels. By creative use of different levels of rights and inheritance, you have very tight control (perhaps more than you ll need) over repository rights.

Controlling Rights at the Crystal Management Server Level

Begin by considering the overall set of rights you want to give to the repository as a whole; these will be the rights you set at the Crystal Management Server level. All folders, subfolders, and objects in the repository will inherit the rights you set here. If, as discussed previously, you only wish to have a single set of rights apply to the entire repository, you need only set rights at this level.

Begin by selecting the top-level Crystal Management Server name in the Repository Explorer. Then, right-click and choose Edit Rights from the pop-up menu. The Edit Rights dialog box will appear, as illustrated in Figure 7-1.

Figure 7-1: The Edit Rights dialog box

You ll see a list of Crystal Enterprise groups and users that have already been granted or denied rights at the Crystal Management Server level (a freshly installed Crystal Management Server will initially show the Administrators and Everyone group here). Note the three different rights that can be set for each user or group:

View The ability to add objects in the repository to reports
Edit The ability to add new objects to the repository, or update and delete existing objects in the repository
Set Security The ability to change repository security settings for others

Further, if you cycle through the available options for each right by clicking the check box, you ll notice that a right can be granted, denied, or inherited. Granting the right explicitly gives that right to the chosen group or user. Denying the right explicitly takes the right away from the chosen group or user. And, allowing the right to be inherited will grant or deny the right on the basis of higher-level security settings (at the Crystal Management Server level, inherited rights apply only to the Administrators group, which is automatically granted all rights to the repository).

If you wish to specifically grant or deny rights to additional groups or users, you ll need to add the group or user to the list by clicking the Add Groups or Add Users button in the Edit Rights dialog box toolbar. These buttons will display an additional Add Groups or Add User dialog box showing all Crystal Enterprise groups or users (to actually create additional CE groups or users, you must use other CE administrative tools, such as the Crystal Management Console ”you can t add these here). Use this dialog box to choose an additional group or user to add to the Edit Rights dialog box.

Once the additional groups or users you ve added appear in the Edit Rights dialog box, you can grant or deny rights to that group or user by clicking the appropriate check boxes. The next time you set rights for the Crystal Management Server, the new groups and users you added will reappear with the specific rights you granted or denied appearing next to them. If you wish to remove a group or user that you previously set rights for, select the user or group and click the Delete toolbar button (the X).

Although it s not as relevant at the Crystal Management Server level, you may still want to see what the ultimate or net set of rights is for each group or user. Do this by clicking the Preview button in the Edit Rights dialog box toolbar. The list of users and groups will change, showing the actual combination of rights that result from explicit settings and inheritance. If you need to change any rights, click the Preview button again to return the list to its editable state.

Once you ve set rights for all necessary groups and users, just click OK to close the Edit Rights dialog box. The rights you set will be saved on the Crystal Enterprise system and will take effect immediately for all repository users. The rights you set at the Crystal Management Server level will automatically be inherited by all folders and objects in the repository.

Caution

Be careful when denying rights at the Crystal Management Server level. If you deny a right to a group or user at this level, that user or group won t have the right anywhere in the repository, even if you explicitly grant it at a lower level. Because of the repository s inheritance rules, denial of rights takes precedence over granting of rights when rights are inherited.

Controlling Rights at the Folder and Object Level

If you wish to take advantage of Crystal Enterprise s folder- and object-level repository security, perform similar steps to those discussed previously for setting repository security at the Crystal Management Server level. However, prior to choosing the Edit Rights option from the pop-up menu, ensure that you ve selected the desired folder, subfolder, or object in the Repository Explorer that you want the rights to apply to. The same Edit rights dialog box will appear.

If you ve granted or denied rights for groups or users at a higher level, you ll already see the group or user listed in the Edit Rights dialog box. You may either change rights that may be inherited by clicking the check boxes for existing groups or add additional groups or users to the Edit Rights dialog box by clicking the Add Groups or Add Users button in the Edit Rights dialog box toolbar.

The important thing to consider when setting rights at this level is inheritance. If a right has already been granted or denied at a higher level (the Crystal Management Server or a higher-level folder), that right will be inherited at this lower level. Specifically, if a right has been denied at a higher level, even granting it at this lower level won t give the group or user the right. If a right hasn t been granted or denied at all, granting at this level will enable the right for the group or user. If a right has never been specifically granted (either at this or a higher level), then the user won t have the right.

Once you ve specified rights at the lower level, click the Preview button to see the set of net rights granted to users and groups. This net rights display takes into account inherited rights from a higher-level folder and the Crystal Management Server, as well as rights specifically granted and denied at this level. By using the Preview button, you can see what each group and user will ultimately be able to do within this folder or to this object. If you need to modify rights after viewing net rights, click the Preview button again to return the list of groups and users to an editable state.

Note

Preventing users from updating or deleting repository objects will still allow them to detach objects from the repository and change them once they ve been placed on the report. However, if they make any changes to such objects, they still won t be able to update the repository with their updated versions.