BW and PFCG

Question: My BW Team is requesting that I give limited PFCG access to 1) administrators and 2) endusers. They want to be able to maintain folders within a specific range of roles. Anyone have any opinions on either one of these requests? I am particularly interested in how you feel about #2.

Answer:
Absolutely NOT for either administrator or enduser.

Answer:
Whilst your administrators/end users (if they had PFCG) could do the things you say, they could also unlock all and any security - why would your company want this risk?
If you want help combatting this I suggest you have a word with your systems manager (if you have one) or failing this with your internal audit group or even external auditors - all of whom would have a fit at handing out PFCG.

Have fun...
_________________
Best Regards
Bazza

Answer:
We CAN control what they could do down to adding URLs to the menus of a range of roles and then saving the role. 1) They are proposing this be done directly in PROD. 2) When they do this they are unable to generate the role and it remains ungenerated in PROD.

I need some indisputable reasons why we should not grant PFCG at all.
Best practices or horror stories welcome.

Answer:
Don't freak about this question unless you understand BW workbook security. Of course I wouldn't give it to all end users but PFCG can be used with restrictions on
1. assigning roles to users
2. assigning transactions to roles
3. generating authorizations
4. assigning authorizations and field values

You can restrict maintenance to named ranges of roles.

The question is, at the end of the day, about creating a menu structure of workbooks. It is perfectly reasonable to allow a subset of non-administrators to maintain workbooks and workbook roles. Yes you can and yes you should allow this. I have seen very few BW installations that did not allow this as a practical way of handling the creation of workbook roles.

One caveat: You must not allow workbooks to substitute for real security. I have seen companies segregate access to data by limiting access to workbooks. This is a bogus strategy.

But don't be scared off. Some of the previous answers are from folks who have little or no understanding of BW.

Answer:
One caveat: You must not allow workbooks to substitute for real security. I have seen companies segregate access to data by limiting access to workbooks. This is a bogus strategy.

Please expound

Answer:
It's easy to choose any query you want from the query selection dialog boxes in the BEx Analyzer. Companies that "depend" on workbook security typically give access to all queries using the query authorization object. They probably don't use any query naming conventions and they probably are not using reporting objects. So while it may look like a user can only access certain workbooks they probably can get to any query.

There are a lot of other reasons to avoid this kind of security.
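
An audit check for the gap described in the answer above, added here as an example and not part of the original thread: it flags roles that can execute every query regardless of which workbooks sit in the role menu. It assumes the "query authorization object" is S_RS_COMP and that role authorization values have been exported from table AGR_1251 as CSV; the role names and rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of an AGR_1251 export (role authorization values).
# Role names, authorization names and values are invented for illustration.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_BW_SALES_WB,S_RS_COMP,T_001,RSZCOMPID,*,
Z_BW_SALES_WB,S_RS_COMP,T_001,RSZCOMPTP,REP,
Z_BW_SALES_WB,S_RS_COMP,T_001,ACTVT,16,
Z_BW_FIN_RPT,S_RS_COMP,T_002,RSZCOMPID,ZFIN_Q*,
Z_BW_FIN_RPT,S_RS_COMP,T_002,RSZCOMPTP,REP,
Z_BW_FIN_RPT,S_RS_COMP,T_002,ACTVT,16,
Z_BW_DESIGN,S_RS_COMP,T_003,RSZCOMPID,*,
Z_BW_DESIGN,S_RS_COMP,T_003,RSZCOMPTP,VAR,
Z_BW_DESIGN,S_RS_COMP,T_003,ACTVT,03,
"""

EXECUTE = "16"      # ACTVT 16 = execute
QUERY_TYPE = "REP"  # RSZCOMPTP REP = query


def covers(values, wanted):
    """True if the set of single values grants `wanted` directly or via '*'."""
    return any(v == "*" or v == wanted for v in values)


def open_query_roles(export_text):
    """Return roles holding an S_RS_COMP authorization that executes ANY query.

    Simplification: only single values in LOW are evaluated (HIGH ranges are
    ignored), and RSINFOAREA / RSINFOCUBE are not considered.
    """
    # Field values must be combined per authorization instance, not per role.
    auths = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] == "S_RS_COMP":
            key = (row["AGR_NAME"], row["AUTH"])
            auths[key][row["FIELD"]].add(row["LOW"].strip())

    flagged = set()
    for (role, _auth), fields in auths.items():
        if ("*" in fields["RSZCOMPID"]
                and covers(fields["RSZCOMPTP"], QUERY_TYPE)
                and covers(fields["ACTVT"], EXECUTE)):
            flagged.add(role)
    return sorted(flagged)


if __name__ == "__main__":
    print(open_query_roles(SAMPLE_EXPORT))
```

A role that appears in the result needs its query authorization narrowed (for example to a query naming convention) before its workbook menu can be treated as any kind of boundary.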

Answer:

Simple matter to craft URLs to get to all those unprotected queries.
Copyright © 2007 - 2008 www.jt77.com