|
Siebel Analytics Web Administration Guide > Managing Siebel Analytics Web Security >
Inheritance of Siebel Analytics Web Permissions and Privileges
Permissions and privileges can be assigned to users directly or through membership in groups. From another perspective, permissions and privileges can be assigned explicitly or effectively. Effective permissions and privileges are assigned indirectly through Web Group inheritance, which is the recommended way to set up your security. Permissions and privilege inheritance occurs when one Web Group is a member of another Web Group. This section contains the following topics:
Rules for Inheritance in Siebel Analytics Web
- Any permissions or privileges given explicitly to a user override any permissions or privileges inherited from the Web Group to which the user belongs.
As an example, All Authenticated Users have access to Dashboard X, except for George.
- If a user belongs to two groups and both groups are assigned permissions, the least restrictive permissions are given to the user.
For example, if one group allows Read access and another allows Change access, the least restrictive access would be granted; in this example, Change access.
NOTE: The exception to this is if one of the two groups is explicitly denied the permissions, in which case the user is denied.
- If a user belongs to Web Group X, and Web Group X belongs to Web Group Y, any rule assigned to group X overrides any rule assigned to group Y.
For example, if Marketing has Read permissions, Marketing Administrators, which is a member of Marketing, can have Full Control permissions.
- Explicitly denying access takes precedence over any other permissions or privileges.
When assigning permissions or privileges it often useful to look at resolved permissions for users and groups at the bottom of the screen to make sure that everyone is inheriting correctly. Example of Inherited Privileges in Siebel Analytics Web
Figure 3 shows an example of how privileges are inherited through Web Groups.
Figure 3. Example of Web Group Privilege Inheritance
|
In this example: - User1 is a direct member of Group 1 and Group 2, and is an indirect member of Group 3, Group 4, and Group 5.
- The permissions and privileges from Group 1 are no access to DashboardA, Read access to DashboardB, and Full Control over DashboardC.
- If permissions and privileges are conflicting, the least restrictive level of authority is granted. Therefore, the inherited permissions and privileges from Group 2 include Change and Delete access to DashboardD.
- Specifically prohibiting access always takes precedence over any other settings. Therefore, Group 1's denial of access to DashboardA overrides Group 4's Read access. The result is that Group 1 provides no access to DashboardA. Likewise, Group 5 provides no access to DashboardE because access to it is explicitly denied in Group2.
The total permissions and privileges granted to User1 are as follows: - No access to DashboardA and DashboardE because access is specifically denied.
- Read access to DashboardB.
- Full Control over DashboardC.
- Change and Delete access to DashboardD.
TIP: Do not add the default Everyone or Authenticated Users Web Groups to any other Web Groups that you create. This makes sure that only the desired Web Groups (and users) have the specified permissions and privileges, by preventing users or authenticated users from unintentionally inheriting permissions and privileges from another Web Group.
|
