Each application in the BOBJ suite that is administered through the CMC exposes its own set of rights to control which actions a user can perform on it. Access rights can be of different types depending on the type of Content Management System (CMS) object they are defined on.
- General – These are the most general rights and are shared by the other InfoObject types in the CMC. As the name suggests, they are general in nature and allow users to view, edit or delete objects.
- Application – These are rights exposed by the different applications managed in the CMC and control access to the individual applications.
- Content – These rights control access to content like folders and the reports contained therein.
- System – These are core objects in the CMS like users, groups, connections and universes, and are used by one or more applications.
Individual rights can be Granted, Denied or Undefined. If a user doesn’t have any rights defined for a particular object at all through all her user groups, the right is evaluated as denied. If a right for a particular object is granted via one group and denied via another, the right is still denied for the user. For objects that take the form of hierarchies, folders containing reports for instance, rights can be assigned for a particular level or for all levels in the hierarchy. The different groupings of rights can be better visualized by looking at the following screenshot from the CMC.
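The evaluation rule described above (Undefined everywhere is treated as denied, and a deny from any group overrides a grant from another) can be sketched as follows. This is an added example, not SAP code or a CMC API: the group names, the "Schedule" right and the function names are constructed for illustration, and it covers a single object, not a hierarchy.

```python
from enum import Enum

class Right(Enum):
    GRANTED = "Granted"
    DENIED = "Denied"
    UNDEFINED = "Undefined"

# Constructed sample data: rights per user group on ONE object (e.g. a report folder).
GROUP_RIGHTS = {
    "Finance Analysts": {"View": Right.GRANTED, "Edit": Right.GRANTED,
                         "Delete": Right.UNDEFINED},
    "Contractors": {"View": Right.GRANTED, "Edit": Right.DENIED},
    "Everyone": {"View": Right.UNDEFINED},
}

def effective_right(right, user_groups, group_rights=GROUP_RIGHTS):
    """Return (allowed, reason) for one right, merged over all of a user's groups."""
    granting, denying = [], []
    for group in user_groups:
        # A right that a group does not mention at all counts as Undefined.
        state = group_rights.get(group, {}).get(right, Right.UNDEFINED)
        if state is Right.DENIED:
            denying.append(group)
        elif state is Right.GRANTED:
            granting.append(group)
    if denying and granting:
        return False, (f"conflict: deny via {', '.join(denying)} "
                       f"overrides grant via {', '.join(granting)}")
    if denying:
        return False, f"denied via {', '.join(denying)}"
    if granting:
        return True, f"granted via {', '.join(granting)}"
    return False, "undefined in every group, evaluated as denied"

def audit(user_groups, rights=("View", "Edit", "Delete", "Schedule")):
    """Effective result for each right, with the reason, for troubleshooting."""
    return {r: effective_right(r, user_groups) for r in rights}

if __name__ == "__main__":
    groups = ["Finance Analysts", "Contractors", "Everyone"]
    for right, (allowed, reason) in audit(groups).items():
        print(f"{right:<9}{'ALLOW' if allowed else 'DENY':<6}{reason}")
```

The "conflict" rows are the ones worth reviewing when a user reports missing access: they show a grant that is silently cancelled by membership in another group.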
To make maintenance easier, rights are seldom assigned individually but are grouped into “Access Levels”. The CMC comes with certain predefined access levels like Full Control, No Access, View Only or View on Demand. You can access the default access levels or create new access levels by navigating to the Access Level section in the CMC home. The screen below shows the default and new access levels created in a particular CMC.
The rights included in the default access levels provided by SAP cannot be changed. However, the access levels themselves can be copied over to new access levels and then updated to include new rights. While designing security for BOBJ, it's a best practice to follow this approach and specifically add or remove rights as per client requirements. We can change the rights assigned to a custom access level by selecting it and then navigating to the menu entry Actions > Included Rights.
From the included rights screen we can choose the Add/Remove Rights button to specifically add or deny rights for an access level. On saving the new rights defined for the access level we are taken to the following screen.
In the next step we will look at how to use access levels to secure individual objects within the CMC.