0

Read Only Universe Security

Oct 20, 2016 at 05:34 PM


Hi Experts,

We have a requirement wherein a group of users (Group A) should be able to

1) Read Only few UNX universes (say eg : Universe Folder "Read-Only-Universes")

2) Publish / Export other UNX universes (say eg : Universe Folder : "Other-Universes")

Our analysis :

1) If we restrict "Publish universes" right under "CMC->Application->IDT->User Security", Group A users would not be able to publish ANY of the UNX universes. But as per reqt they should NOT be able to PUBLISH only a few UNX universes

2) We did not find "Publish Universe" right at the Universe Security. It is present only at the Application level (ie. Application->IDT->User Security)

3) Finally, we came across SAP note 2103385 which mentioned the 2 possible reasons for which one cannot PUBLISH a UNX universe. It mentioned that there are 2 rights which can cause this -

a) CMC->Apps->IDT->User Security->PUBLISH Universes right

b) "Add objects to folder" on the UNX universe

4) So, we did a bit of reverse engg, and DENIED the "Add to objects folder" right for the "GROUP A" users on the universe folder "Read-Only-Universes".

We were just wondering if there is any other way we could have gone about our requirement. There should surely be another better way of doing this. Kindly advise.

Thanks for your help !

Regards,

Monish


3 Answers

AMIT KUMAR
Oct 20, 2016 at 06:33 PM
0

Create two universe folders.

One for read only view.

Second for publish universes.

If you are looking to achieve both options for the same user group in a single universe folder, then on the individual universe you need to specify the access.

Monish Patel Oct 21, 2016 at 04:56 PM
0

Hi Amit,

Thanks a lot for your reply.

1) Yes, as mentioned in my question statement, we have created 2 separate folders eg : "Read-Only-Universes" & "Other-Universes"

and there are 2 groups for implementing the security (eg : "Read-Only-Group" & "Other-group")

2) At the app-level (CMC->Apps->IDT->Security), both the groups have been given the retrieve access & publish access has been left UNSPECIFIED for both the groups.

3) At the universe-level :

a. Read-Only-Universes - We have DENIED the "Add to objects folder" right for the "Read-Only-Universes" users on the universe folder "Read-Only-Universes". Additionally given them View & Retrieve Universe Rights.

b. Other-Universes - The UserGroup "Other-group" has been given rights as reqd.

Just wanted to check if the above is the only way of implementing this requirement ?

The challenging part here in this reqt is that you can deny the "PUBLISH" right directly at the app-level for both the Usergroups. You have to set some restriction at the Universe-level only, and hence the SAP note 2103385 came in handy here, which showed that "Add objects to folder" right can be used to put restriction at the universe-level.

Thanks once again Amit, for your inputs !!

Regards,

Monish

Dell Stinnett-Christy Oct 21, 2016 at 05:59 PM
0

You wouldn't set the denied to the individual universes, but to the folder they're located in and it will inherit down to the universes located in that folder.

However, in general, you want to use Explicitly Denied very rarely in your security because it can have unintended consequences. If you set the right to "Not Assigned" (the column with the yellow triangle at the top) that will effectively deny the access unless a user has been explicitly granted the right through something like an assignment to an additional user group. One of the biggest issues my clients run into with security is mis-managed access rights and explicitly denying access.

-Dell
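
The difference between explicitly denying a right and leaving it unassigned, as discussed in the answers above, shown with a simplified model. This is an added example, not SAP code and not from any poster: it assumes an explicit Denied from any of a user's groups overrides Granted and that a right no group specifies gives no access, and the group names "Group-A" and "Universe-Designers" and both users are hypothetical.

```python
from enum import Enum

class Right(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NOT_SPECIFIED = "not specified"

def effective(settings):
    """Combine one right across all of a user's groups (assumed model):
    any explicit Denied wins, otherwise any Granted grants, and a right
    that no group specifies results in no access."""
    if Right.DENIED in settings:
        return False
    return Right.GRANTED in settings

def can_publish(groups, app_publish, folder_add_objects):
    """Publishing needs both rights named in the thread: 'Publish
    universes' on the IDT application and 'Add objects to folder' on
    the universe folder."""
    app = effective([app_publish.get(g, Right.NOT_SPECIFIED) for g in groups])
    folder = effective([folder_add_objects.get(g, Right.NOT_SPECIFIED) for g in groups])
    return app and folder

# Constructed sample configuration (group names are hypothetical).
APP_PUBLISH = {"Group-A": Right.GRANTED, "Universe-Designers": Right.GRANTED}
FOLDERS = {
    "Read-Only-Universes (explicit deny)": {
        "Group-A": Right.DENIED, "Universe-Designers": Right.GRANTED},
    "Read-Only-Universes (not specified)": {
        "Group-A": Right.NOT_SPECIFIED, "Universe-Designers": Right.GRANTED},
    "Other-Universes": {"Group-A": Right.GRANTED},
}
USERS = {
    "analyst": ["Group-A"],                         # ordinary Group A member
    "designer": ["Group-A", "Universe-Designers"],  # also in a granting group
}

def publish_matrix():
    """Return {(user, folder): bool} for every user/folder pair."""
    return {(u, f): can_publish(g, APP_PUBLISH, acl)
            for u, g in USERS.items() for f, acl in FOLDERS.items()}

if __name__ == "__main__":
    for (user, folder), allowed in publish_matrix().items():
        print(f"{user:9} {folder:38} publish={'yes' if allowed else 'no'}")
```

Both variants keep the plain Group A member from publishing into the read-only folder; only the explicit deny also blocks the user who holds the right through a second group.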
