The way that "explicitly denied" rights work (on the advanced rights
tab) enables us to globally remove rights for groups or individuals.
Important: "explicitly denied" rights will always override an "explicit grant"
For any given right, if a user is a member of any group where that specific right is denied, the net right is denied.
Deny always trumps grant.
We can set folder rights in CMC at the highest level, the "Settings"
level. Doing this will effectively deny the right at all levels (since
the "settings" level is the parent folder of all folders). Setting
rights at this level avoids needing to individually remove rights at
the folder level for various groups.
Go to the "Rights" tab in the settings.
On the rights tab, add a group that you wish to explicitly deny rights.
In our case we created a "non-administrators"
group. We wanted to deny all non-administrators certain rights, like
scheduling reports. We added all non-admins to the non-administrators
group. Added an entry on the rights tab for the non-admin group and set
the advanced rights.
On the "Advanced Rights" each individual right
(row) can be set to either "Explicitly Granted," "Explicitly Denied,"
or "Not Specified."
By setting rights that are explicitly denied, it
effectively denies the right for any members of the specified group
(non-administrators in our case).
Here is a list of the rights that can be set in this way in BusinessObjects:
General Rights
- Add objects to the folder
- View objects
- Edit objects
- Modify the rights users have to objects
- Schedule the document to run
- Delete objects
- Define server groups to process jobs
- Delete instances
- Copy objects to another folder
- Schedule to destinations
- View document instances
- Pause and Resume document instances
- Securely modify rights users have to objects.
- Reschedule instances
- Schedule on behalf of other users
- Allow discussion threads
- View objects that the user owns
- Edit objects that the user owns
- Modify the rights users have to objects that the user owns
- Delete objects that the user owns
- Delete instances that the user owns
- View document instances that the user owns
- Pause and Resume document instances that the user owns
- Securely modify rights users have to objects that the user owns.
- Reschedule instances that the user owns
Desktop Intelligence Rights
- Refresh the report's data
- Refresh List of Values
- Use Lists of Values
- View SQL
- Export the report's data
- Download files associated with the object
Desktop Intelligence Add in
- Download files associated with the object
Report
- Print the report's data
- Refresh the report's data
- Export the report's data
- Download files associated with the report
Web Intelligence Document
- Refresh the report's data
- Edit Query
- Refresh List of Values
- Use Lists of Values
- View SQL
- Export the report's data
- Download files associated with the object