Controlling Access Using Rights


The CE security model includes a series of rights that control a user s access to the various CE objects such as folders and reports. For example, a user may be able to view a report and schedule it to run at a particular time, but may not be able to refresh the data or delete report instances. As another example, you may imagine a CE system where company executives have access to all folders, the sales team has access only to the Sales and Inventory folders, and the head of the Human Resources department is the only non-executive with access to the Salary and Compensation Reports folder.

Note  

This chapter discusses rights from a report and folder perspective. Separate rights exist for objects in the Crystal Enterprise repository, as well as for the new CE 10 Business Views feature. Repository details can be found in Chapter 7. Business Views are covered in detail in Chapter 17.

There are more than 20 rights that may be individually set, if so desired. However, these individual rights have been conveniently grouped into predefined access levels that can greatly ease the administration of rights. These access levels have been set up to create several commonly used combinations of rights in increasing order of access capabilities:

  • No Access

  • View

  • Schedule

  • View On Demand

  • Full Control

These rights and access levels may be set for both individual users and groups, as well as for CE folders, subfolders , and report objects within the folders.

One very important concept with CE security is that of inheritance. Users may inherit their rights from their groups, subgroups may inherit rights from their parent group, and both users and groups may inherit rights from parent folders. Group inheritance is most useful when CE users are grouped according to their position in the organization, such as in groups called Sales, Marketing, and Human Resources. Parent folder inheritance is most useful when the reports are organized in folders that represent the organization, such as Sales, Inventory, and Vendors. For example, if the right to delete instances is specifically granted to the Sales group, that right would also be inherited by each user member of the Sales group , and could also be inherited by a subgroup of Sales called Sales Assistants. If necessary, inheritance from the parent folder may be turned off for a user or group in order to explicitly define rights for that object. As you can probably imagine, inheritance can greatly reduce the number of settings required to control access across the entire CE system.

Another important concept is the ability to grant or deny rights. Each right may be set as Explicitly Granted, Explicitly Denied, or Not Specified. Using these settings, an administrator can specifically allow one user to print reports, while specifically disallowing another user to refresh reports. If a right is Not Specified, the default is to deny that right unless the right is inherited. And if a right is inherited as granted from one parent group and denied from another parent group, that right is denied . The purpose of denying rights as a default is to be sure that no user is given rights that are not explicitly granted at some level by the administrator.

The combination of user/group, inheritance, and explicitly granted and denied rights produces an extremely flexible (and sometimes confusing) security system. For example, the right to Delete objects may be Explicitly denied for the Everyone group at the group level, so that no user may delete a folder or report anywhere in the system. For most folders and reports, the Delete objects right is Not Specified, and therefore the right is inherited as Denied. However, for the VP of Sales user, the Delete objects right may be Explicitly Granted for the Sales folder so that she may delete older sales reports that are no longer needed. And the Administrators group may have Full Control set at the top user/group level, giving them all rights for all objects, regardless of other rights settings.

Note  

This chapter covers procedures to set rights for existing folders and reports. Information on how to add new Folders and Reports is covered later in this chapter. Once additional folders and reports are added, use steps discussed here to set their rights.

Setting Rights

Crystal Enterprise rights can be set at two high levels within CE: at the overall group or user level (this level is sometimes known as the CE root folder), and at the folder/subfolder/object level. You don t have to set rights at either level; you may set rights at one level or the other, or at both levels. Just remember the rules of inheritance: top-level folder rights are inherited from group- and user-level rights, subfolder rights are inherited from parent folders, and report object rights are inherited from the folders in which they reside.

Setting Group- and User-Level Rights

When you initially install Crystal Enterprise, a set of group-level rights are already applied for the Everyone and Administrators Groups at the highest (sometimes referred to as Root Folder ) level. These rights can be inherited throughout the rest of the folder and object levels within the CMS. You may merely leave these default rights as-is, change the default rights, or set rights for new users and groups at this same high level.

To display or set Group Level and User Level Rights, click Settings from the Manage category of the CMC home page. Then, click the Rights tab.

click to expand

You may now change existing access levels for the Administrators or Everyone groups, or click the Add/Remove button to add or remove groups or users. Once you ve added the additional groups or users, you ll be returned to the Rights tab, where you may set rights for the new group or user. Make sure to click Update when you ve set new rights to save the changes to the CMS.

Setting Folder- and Object-Level Rights

Once you ve set group- and user-level rights (or even if you haven t), you may set rights at the folder and object levels. The process of setting the rights is identical for both folders and report objects.

First, click the desired Folders or Objects links from the Organize category of the CMC home page. Each will show a list of existing folders and objects. Click the desired folder or report object you want to change rights for. Then click the Rights tab. You ll immediately see rights inherited from the group and user levels (for example, you ll see the Administrators and Everyone groups listed with their rights set to Inherited Rights). You ll also notice that the display includes a column entitled Net Access. This column displays the final rights setting for that user or group after all inheritance and explicitly set rights have been combined.

Setting rights involves two processes: selecting the users or groups you want to set rights for, and then setting their actual rights. To choose groups or users for the chosen folder or object, click the Add/Remove button in the upper-right corner. If you would like to add a group, select the group from the left-hand list box and click the right-arrow button. If you would like to add a user, select Add Users from the Select Operation drop-down. You may then either select a visible user or use the Find option to narrow down the list of users. Select the desired user from the left-hand list box and click the right-arrow button. Once you ve added your desired users and groups, click OK.

click to expand

You will be returned to the folder or report Rights tab screen, where you will see that your newly chosen users or groups have been added to the list. You ll note the default access level of Schedule. If this is the desired access level, then click the Update button in the upper-right corner to save the new settings. Or, you may set the rights by choosing a different access level from the drop-down list. If you wish to simply inherit rights from the group and user levels, or from higher-level folders, choose (Inherited Rights). You may also choose one of the pre-defined access levels. Or, you may set individual rights with the Advanced option.

Caution  

Don t forget to click the Update button after making any changes. If you don t, your changes won t be saved to the CMS.

To set individual rights, select Advanced from the Access Level drop-down. You will automatically be taken to the Advanced Rights page. You ll see three columns : Inherited, Explicitly Granted, and Explicitly Denied. The first thing you may want to do is view the inherited rights by checking the boxes at the top of the screen and clicking on the Apply button. This will display the rights as they are inherited so that you see a more complete picture of the rights for this user or group. Then you may choose one setting for each right listed on the right-hand side. Finally, click the OK button to complete the process.

click to expand
Tip  

To get back to the Advanced Rights page for a user or group that you ve previously set, you must click on the word Advanced in the Net Access column. Because the Advanced option is already selected in the Access Level drop-down, you must click the Advanced hyperlink to go back to the Advanced Rights page.

One of the most important aspects of setting up your CE system is assigning rights to various folders and objects. This is the key to displaying only desired folders for certain users and groups, allowing only certain reports to be viewed or scheduled, preventing unauthorized deletion of folders, objects, and instances, and so forth. The Crystal Enterprise security model is very flexible. As is often the case, flexibility can also introduce confusion. More detailed security discussions and scenarios are found in the online CE Administrator s Guide. Also, you ll want to take the time to test your security model to ensure that users are being granted and denied proper rights at the proper folder and object levels throughout your CE system. In many cases, you may not be able to determine the exact ramifications of various security and inheritance settings until you actually test behavior by logging into the CE Web Desktop with various user accounts.




Crystal Reports 10
Crystal Reports 10: The Complete Reference
ISBN: B005DI80VA
EAN: N/A
Year: 2004
Pages: 223
Authors: George Peck

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net