Read Only Universe Security

former_member205194
Active Participant
0 Kudos

Hi Experts,

We have a requirement wherein a group of users (Group A) should be able to

1) Read Only few UNX universes (say eg : Universe Folder "Read-Only-Universes")

2) Publish / Export other UNX universes (say eg : Universe Folder : "Other-Universes")

Our analysis :

1) If we restrict the "Publish universes" right under "CMC->Application->IDT->User Security", Group A users would not be able to publish ANY of the UNX universes. But as per the requirement, they should NOT be able to PUBLISH only a few UNX universes.

2) We did not find "Publish Universe" right at the Universe Security. It is present only at the Application level (ie. Application->IDT->User Security)

3) Finally, we came across SAP note 2103385 which mentioned the 2 possible reasons for which one cannot PUBLISH a UNX universe. It mentioned that there are 2 rights which can cause this -

a) CMC->Apps->IDT->User Security->PUBLISH Universes right

b) "Add objects to folder" on the UNX universe

4) So, we did a bit of reverse engineering, and DENIED the "Add to objects folder" right for the "GROUP A" users on the universe folder "Read-Only-Universes".

We were just wondering if there is any other way we could have gone about our requirement. There should surely be another, better way of doing this. Kindly advise.

Thanks for your help !

Regards,

Monish

Accepted Solutions (0)

Answers (3)

Answers (3)

DellSC
Active Contributor
0 Kudos

You wouldn't set the denied to the individual universes, but to the folder they're located in and it will inherit down to the universes located in that folder.

However, in general, you want to use Explicitly Denied very rarely in your security because it can have unintended consequences. If you set the right to "Not Assigned" (the column with the yellow triangle at the top), that will effectively deny the access unless a user has been explicitly granted the right through something like an assignment to an additional user group. One of the biggest issues my clients run into with security is mis-managed access rights and explicitly denying access.

-Dell
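A simplified model of the behaviour this answer describes, added here as an illustration (it is not SAP code and not from any poster): it compares an explicit deny with "Not Assigned" on the "Read-Only-Universes" folder for a user who also belongs to a second group. The `Universe-Admins` group, the user names and the universe names are hypothetical, and the rule that an explicit deny overrides a grant from another group is the assumption the model encodes.

```python
from enum import Enum

class Right(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NOT_ASSIGNED = "not assigned"

def effective(folder_settings, groups):
    """Resolve one right for a user from the per-group settings on a folder."""
    states = [folder_settings.get(g, Right.NOT_ASSIGNED) for g in groups]
    if Right.DENIED in states:        # assumption: explicit deny beats any grant
        return False
    return Right.GRANTED in states    # nothing granted means no access

def can_add_objects(acl, universe_folder, memberships, user, universe):
    """Universes inherit the settings of the folder they are located in."""
    folder = universe_folder[universe]
    return effective(acl.get(folder, {}), memberships[user])

# Constructed sample data (hypothetical users, universes and admin group).
UNIVERSE_FOLDER = {"Finance.unx": "Read-Only-Universes", "Sales.unx": "Other-Universes"}
MEMBERSHIPS = {
    "analyst": ["Read-Only-Group"],
    "lead_designer": ["Read-Only-Group", "Universe-Admins"],
}
OTHER = {"Read-Only-Group": Right.GRANTED, "Universe-Admins": Right.GRANTED}

# Design 1: explicit deny for the group on the read-only folder.
ACL_DENY = {
    "Read-Only-Universes": {"Read-Only-Group": Right.DENIED, "Universe-Admins": Right.GRANTED},
    "Other-Universes": OTHER,
}
# Design 2: leave the right Not Assigned for the group instead.
ACL_UNASSIGNED = {
    "Read-Only-Universes": {"Read-Only-Group": Right.NOT_ASSIGNED, "Universe-Admins": Right.GRANTED},
    "Other-Universes": OTHER,
}

def compare(user, universe):
    """Return (result with explicit deny, result with Not Assigned)."""
    args = (UNIVERSE_FOLDER, MEMBERSHIPS, user, universe)
    return can_add_objects(ACL_DENY, *args), can_add_objects(ACL_UNASSIGNED, *args)

if __name__ == "__main__":
    for user in MEMBERSHIPS:
        for universe in UNIVERSE_FOLDER:
            print(user, universe, compare(user, universe))
```

Both designs block the plain group member on the read-only folder; only the explicit deny also blocks the user who was granted the right through the second group.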

former_member205194
Active Participant
0 Kudos

Hi Amit,

Thanks a lot for your reply.

1) Yes, as mentioned in my question statement, we have created 2 separate folders eg : "Read-Only-Universes" & "Other-Universes"

and there are 2 groups for implementing the security (eg : "Read-Only-Group" & "Other-group")

2) At the app-level (CMC->Apps->IDT->Security), both the groups have been given the retrieve access & publish access has been left UNSPECIFIED for both the groups.

3) At the universe-level :

a. Read-Only-Universes - We have DENIED the "Add to objects folder" right for the "Read-Only-Universes" users on the universe folder "Read-Only-Universes". Additionally given them View & Retrieve Universe Rights.

b. Other-Universes - The UserGroup "Other-group" has been given rights as reqd.

Just wanted to check if the above is the only way of implementing this requirement ?

The challenging part here in this reqt is that you can deny the "PUBLISH" right directly at the app-level for both the Usergroups. You have to set some restriction at the Universe-level only, and hence the SAP note 2103385 came in handy here, which showed that "Add objects to folder" right can be used to put restriction at the universe-level.

Thanks once again Amit, for your inputs !!

Regards,

Monish

amitrathi239
Active Contributor
0 Kudos

Create two universe folders.

One for read only view.

Second for publish universes.

If you are looking to achieve both options for the same user group in a single universe folder, then on the individual universe you need to specify the access.