I actually kind of dig the security model with XI. Call me crazy. I do believe it is more than a few steps up from the days of 6.5 and older. I know it has its shortcomings but it is getting better.
One challenge I’ve dealt with a few times is delegated administration. The goal is to put user administration in a corporate information security group’s hands rather than a Business Objects Admin’s hands. This makes perfect sense in a deployment that didn’t necessarily start on a Windows AD or LDAP deployment or relies heavily on Enterprise groups for access control.
Things changed a little from XI R2 to XI 3.x. This post will focus largely on XI 3.x, but we’ll talk about XI R2 towards the end. To jump start this post, an Enterprise group is created. Visit the CMC as an administrator group user (or just plain old administrator) to construct the group. Click the Users and Groups link to continue.
Click the “Manage” button on the toolbar, select “New” and choose “New Group”.
Let’s make this group easily identifiable. Call it “Helpdesk Administrators” and give it a description so it is easy to recall its intended purpose.
With a group in place, return to the Users and Groups section of the CMC and head back to the “Manage” menu option, but this time start in the “Top-Level Security” menu item. We’ll begin by looking at the rights for all groups.
Danger! OK, not too dangerous. A quick warning dialog reminds you that you are modifying rights for the entire group structure for your CMS. Granted, you could delegate way down here and do it at an individual group level. This is relevant because in a decentralized development world you may wish to give individual groups their own rights to control access to their reporting application. However, this exercise focuses on the whole enchilada.
Click OK to continue. You now want to Add Principals. There, search for the Helpdesk Administrators group (or whatever it was called), add it to the selection, and click the Add and Assign Security button to give this group full control of your groups. Do you have to go full control? Not necessarily. You can get granular using advanced rights. That is the administrator’s call (or the information security overlord’s mandate).
That’s really it. When completed, your new group can modify groups. Wash, rinse, and repeat on the Top-Level Security for Users and you’ve got it. There are other applications for this, for example, in Server Administration. If you ponder it, I’m betting there are more applications.
Now in the XI R2 world it was a little more tricky. I actually did not want all the CMC stuff to show up for someone in the CMC. The key difference here was to go into each section of the CMC and set the rights for that section to No Access for the Helpdesk Administrators group. A little tedious but not an unbearable task.
UPDATE: I would be a bad friend if I didn’t mention that you should REALLY be cautious in giving helpdesk admins full control over groups. You especially don’t want to give someone access to add someone to the administrators group, for example. Just a thought…