Folder Rights - Restricting 1 user 1

[phellis]

I'm having problems with setting up the rights to a folder within CMC.

Basically I'm trying to grant Everyone view rights to the folder (easy enough so far) but I don't want AUser to have access.

I've tried setting up (a simplistic demo)
Everyone - View
AUser - NoAccess

This results in AUser having access as they are a member of Everyone.

Am I doing something wrong or is this "by design"?
Is there anyway of taking this member out of the everyone group?

Setting up a group for all the members who need access and excluding AUser isn't an option due to the way the users/groups are currently set up and added to the system.

 

[satinsilhouette]

Is AUser still a member of the Everyone group? If they are they would inherit those rights.

 

[gshadz37]

Is the folder that you don't want 'AUser' to see a main folder or a sub-folder?

There's no way to remove a user from Everyone. Which version of Enterprise are you on?

 

[phellis]

I'm using Crystal Enterprise 10.
From what I can gather the Everyone View right overides the AUser No Access rights.

 

[Turkbear]

Hi,
Yes..If you grant a right to 'Everyone' you are granting that right to everyone...


You could use a record selection formula that,if the CurrentCeUser = "AUser", then no records would be shown ( and you could even show a message informing that user that 'No Access is Permitted'..)








To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[knyque]

There is another possibilitie that you can try. Use Advanced... and Explicitly Deny that user from seeing the report. You should generally stay away from the Advanced rights, but if this is needed, it is effective.

However, you may want to check your rights, because anytime you give (or take away) rights for a user, that overrides rights for a group, so by giving NoAccess to the user, it shouldn't matter what group they are in or what access that group has, they will have no access.

 

[phellis]

Thank you. That worked.

So my understanding now is
Everyone - Access Level - View
AUser - No Access

Results in Auser having access.

Using the Advanced option results in AUser not having access.

Once again. Thanks

 

[elsenorjose]

The BO Admin Guide provides the exact algorithm used to determine a user's effective rights. Here is a summary:

To calculate the user’s effective rights, the CMS follows a complex algorithm.

1. The CMS checks the rights that have been directly granted or denied to the user’s account. The CMS immediately denies any right that is explicitly denied. Tip: If an individual user’s account has not been assigned any rights to the object, then group inheritance is enabled by default. As the result, you can make all your object rights settings at the group level to save administrative effort.

2. If folder inheritance is enabled for the user, the CMS determines the rights that the user has to the object’s parent folder. The CMS determines these rights by ascending the inheritance tree to the level at which the inherited rights begin to take effect. The CMS denies any right that is explicitly denied (even if the right had already been explicitly granted).

3. If group inheritance is enabled for the user, the CMS determines the rights specified on the object for each of the groups that the user belongs to. The CMS denies any right that is explicitly denied in any group (even if
the right had already been explicitly granted).

4. If group inheritance is enabled for the user, and folder inheritance is enabled for a group that the user belongs to, then the CMS determines the rights that the group has to the parent folder. The CMS denies any right that is explicitly denied in any group (even if the right had already
been explicitly granted).

5. The CMS completes the algorithm by denying any rights that remain “Not Specified.”

 

[hilfy]

To add to what elsenorjose posted...

If a use has been explicitly denied access to an object (report, folder, etc.) in either a user group or explicitly on the users, that will ALWAYS override security that explicity grants access in a different user group.

The rule of thumb that I learned in the Managing Content and Users class is that you generally want to avoid explicitly denying access. However, there are cases like this one where it is useful.

I would probably handle it another way, though. I would set the Everyone group set to No Access at the top folder level. I would then have two user groups - one that gives view access to everything and one that denies access to the specific report that you're trying to control and grants access to everything else. That way you can set the security at the group level instead of the user level so that if you have another user whose access you want to limit, you don't have to specifically edit that user's access.

-Dell

A computer only does what you actually told it to do - not what you thought you told it to do.