Hi,
One of the best features of BOE ( in my opinion) is the flexibility of rights assignment - the hierarchical method allow you to set access rights ( by Group or Individual or multiple groups or individuals) at a top folder level and as you progress down through the sub-folders those rights can be changed to a more restrictive set of access rights, right down to an individual report which can be set to allow only one user or group to access it.
Just remember that it is top-down so the restriction set at the topmost level must be the least restrictive needed in the entire folder/subfolder set.
( The method: AD, NT (windows local), Enterprise, whatever) does not matter but having a centralized system ( Like AD) make maintenance/updates much easier..
Enjoy ( just be sure the administrator account has full and unlimited access to all areas.)
To Paraphrase:"The Help you get is proportional to the Help you give.."
Thank you for your response. I am using AD authentication too.
You said "...while my external users use the Enterprise authentication." Do you mean users that are not on the domain? If so, how do they access the application? Did you use another product to give this functionality?
Thank you for your response, this is great information.
Question: You mentioned that NT is windows local. Does that mean I can set up NT authentication for the local machine that enterprise is on or? I'm still learning the differences with AD and NT. It has been explained to me but the lightbulb just hasn't turned on yet.
Hi,
Yes..The NT authentication uses the same Security settings as on the server itself..It uses whatever permissions/rights, etc that the NT user has been granted through Windows.
Its disadvantage is that all users must then have an account on the server and that may not be the best way to handle things...
AD, with its central administration, is, in my opinion, the easiest to manage and to update when needed - BOE will update its 'knowledge' of the change usually within 15-20 minutes ( depending on the complexity of your AD structure) and you can also, using the CMC, 'force' an update if needed.
To Paraphrase:"The Help you get is proportional to the Help you give.."
Hi,
I was a little unclear in my last post..You would still have to set the BOE permissions ( just like with AD) but the user account is local to the server and, therefore, could log in directly to it, so its rights on the server have to be carefully restricted.
To Paraphrase:"The Help you get is proportional to the Help you give.."
Rule of thumb that I follow for assigning access rights:
Assign users to groups, assign access rights to groups at the folder level.
BO allows you to assign rights to a specific report for a specific user, but that becomes a nightmare to maintain. You want to assign rights at the highest level possible. So, if you group reports by folders and then assign access to the folder instead of to individual reports, you've greatly simplified your security model.
When you assign rights by user group, not only does it simplify your security model even further, it also makes it MUCH simpler to say "give user B the same access as user A." I even have one or two user groups that only have a single user who needs special access to something so that we can follow this model.
-Dell
A computer only does what you actually told it to do - not what you thought you told it to do.
Thank you for your rule of thumb information. I went back into the CMC and re-evaluated how I had set some groups up. This was very useful and stamped in my memory to have an easier maintainence plan.
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.