Access Levels to change Universe

Hi
I have created a WebI template (with formated layout) based on a kind of 'dummy universe'.
The goal is that some 'power users' should be able to copy this template to their favorites and then change the universe to one they are allowed to use.
These 'ad hoc ' universes are accessible when you create a new webi report but when you want to change it to one of the other adhoc univereses then they are not viewable.
The current access levels let the power users choose an universe to work with. So that's OK.
But rights in the Access levels should be set on the universe (sub) folder where these adhoc Univ's are stored?
I assigned already these rights to the universe folder:
System - Connection   => Data Access
System - Connection   => Use connection for Stored Procedures
System - Connection   => View objects
System - Universe       => Create and Edit Queries Based on Universe
System - Universe       => Data Access
System - Universe       => View objects
We're working with BOE XI R3.1 sp 3 fixpack 5
Thx in advance for your answers
JP - BO Admin

Hi Jean-Pierre,
The only thing that comes to mind is the possibility that the universes are in a different domain, meaning different repository, etc. Do you all log into the exact same CMS/Infoview server?
If that is not the issue, then try creating a new user with the same access rights as yours, the one that can access the other universes, and see how that works, then change theirs to match, and then restrict them as necessary.
Hope that helps.

Similar Messages

How to change lookup code with Access Level as 'System'

Hi,
I need to append new lookup codes in a lookup type having access level as 'SYSTEM'. Is there any standard way to do the same or just updating the customization level column will do ? Please let me know if you have any solution for this.
Regards
Girish

You can also change the meaning on that value to something like "*** DO NOT USE***". This will make it obvious to the user that he/she should not choose it.
You can try to add a when-validate-record personalization to show error if someone selected a disabled value.
You can also try to modify the list of values associated with the field using personalizations.
If nothing else works, you can use a SQL to uncheck the enabled flag. The risks involved in this are well known.
Hope this answers your question
Sandeep Gandhi
Independent Consultant
513-325-9026

Change Custom Access Level on a personal folder

Hi All,
This is about Business Objects XI 3.x
I'm looking for a solution to change the security settings on a personal folder.
Within 3.x it isn't possible to "overide" the user settings on a personal folder with the use of an usergroup.
So what I'm looking for is a way to overide the user settings Access level (by default this is Full Controll) with a custom Access level so I can take away some privilige on the personal folder.
Is there a Java script allready be developed by some one that I can use?
Thanks in advance.
Cheers,
Jan

Hi Jan,
You can use the following code snippet:
// folders is IInfoObjexts collection that contains the personal folders.
folders = oInfoStore.query(query);
          if (folders.size() > 0)
// query for the user for whom you want to set custom access role over the personal folder.
query = "select * from ci_systemobjects where si_name ='" + testUser + "' and si_kind ='user'";
users = oInfoStore.query(query);
// set the custom role.
folder = (IInfoObject) folders.get(0);
user = (IInfoObject) users.get(0);
IExplicitPrincipals explicitPrincipals = folder.getSecurityInfo2().newExplicitPrincipals();
IExplicitPrincipal explicitPrincipal = explicitPrincipals.add(user.getID());
// customRoleID is SI_ID of te custom role. You can retrieve custom role just as you retrieve any other
//info objet. You can use the query like : select * from ci_systemobjects where si_name='custom role
//name' and si_kind='customrole'
IExplicitRole explicitRole = explicitPrincipal.getRoles().add(customRoleID);
oInfoStore.commit(folders);
I hope this helps.
Thanks
Aasavari               }

Access level changes captured in Auditing ?

Hi, do auditing capture Access level changes / modifications in the CMC and how i can access them.
Need to know. Thanks. Toor.

Thankyou for the replies. I kept the following coding in the Exits. The problem is that i kept the break-point in the three exits and after running ME22N,its entering first into Exit 16 and after checking the field(Check Box) in Customer Data Tab ,its entering into Exit 17. But the zfield in I_EKPO is empty,the value 'X' is not reflecting here. Please suggest where i am doing wrong. I went through many SDN threads and i am unable to solve the issue.
INCLUDE ZXM06TOP.
data: gl_aktyp type c,
      gl_no_screen type c,
      gl_ekpo_ci like ekpo_ci,
      gl_ekpo like ekpo,
      gl_ucomm like sy-ucomm.
data: gt_ref_ekpo_tab type table of ekpo_tab.
EXIT_SAPMM06E_016
gl_aktyp = i_aktyp.
gl_no_screen = i_no_screen.
ekpo_ci = i_ci_ekpo.
gl_ekpo = i_ekpo.
EXIT_SAPMM06E_017
move-corresponding i_ekpo to gl_ekpo_ci.
gl_ekpo = i_ekpo.
EXIT_SAPMM06E_018
e_ci_ekpo        = gl_ekpo_ci.
if gl_ekpo_ci-zz_vend ne ekpo_ci-zz_vend.
e_ci_ekpo-zz_vend = ekpo_ci-zz_vend.
if gl_aktyp ne 'A'.
    e_ci_update = 'X'.
endif.
endif.
Regards
K Srinivas

Security and access levels

I have created 4 users access levels, however, when I try to implement, when I keep inheritence, default security keeps coming up, e.g. try changing everyone to my new access level and I get the new access level, but I also get view (inherited) - how can I "clean out" the old security settings??

Sorry for the delay!
OK, here's our situation - it's pretty straight forward;
1500 users
1500 (all) users in Everyone
Of the 1500 users in Everyone;
1200 in subgroup A
200 in subgroup B
90 in subgroup C
10 users in Administrators
4 universes
1 connection
Goal:
Everyone and subgroups, same as admin, exception: can't delete or save to "corp" doc's. My thought is to use same access level, then use the advanced configuration on the folders to prevent everyone from deleting any "corp docs"
I have applied this access level to everyone and admin at;
application > infoview, webi. cmc, deski, discussions, search
universes > all 4
connections > the 1
folders > root folder, level 1, denied access to everyone accordingly on level 2
I have also added this access level to the top level security for users and groups
Issues;
1. When I check the access level for everyone on folders, level 1 and below, I get the custom access level as inherited, but also view aslo as inherited.
2. The users added to the admin group do not have same rights as the "administrator - for example, administrator can delete objects in the folders, but other users (within admin group) can not? if I manually add the users to the folders, I can get this to work, but doesn;t make sense, why would a user within a group have different rights, than any other user within the same group, with the same rights???
Hope this helps!
Edited by: Michael Bujarski on Jun 5, 2009 3:56 PM

How to implement row level secuirty at universe level

Hi All
How can we implement row level security in universe ?
John

HI,
Can we try this?
Open designer >>tools>>Manage security>Manage access retrictions
Click on "new" under available restrictions area .
Select "rows" tab click add select the table and an appropriate where condition.
Click ok .
Add a user\group on which the retriction is to be imposed Click Ok.
Hope this will help
Kultar

How to include group access level in a ws call

I want to include a Group Access Label in a Permission for a Course using an iTunes web service call.
I don't see how to do this in the docs.
(The example in iTunesUAdministratorsGuide.pdf at page 111 doesn't include the Group Access Label.
And it's not in the schema for the ws xml document at http://deimos.apple.com/iTunesURequest-1.0.xsd)
Is this an obvious omission or am I missing something? Anyone know how to do this?
Background:
We're creating most Courses programmatically.
Obviously, we'd strongly prefer not to require an administrator to go into every Course and manually add a common Group Access Label to the Permission. (This manual piece is essentially what's now missing from the ws call or at least from my understanding of it.)
Either way -- manually by an administrator or programmatically -- our instructors would then be able to set Permissions themselves on any Group they create -- doing this themselves and without the help of an administrator.

To resume with a little progress made:
I have a Section
* with Access Level == Edit for Credential == Instructor@...${IDENTIFIER} with no Group Access Label, and also
* with Access Level == Download for Credential == Student@...${IDENTIFIER} with Group Access Label == Student.
I'm doing ws calls to add a Course including an identifier. This is successful, and I can then go into the iTunes client as Instructor@...${IDENTIFIER} (substitution made) and manually add Groups and change Access to each individually. (I'm adding Groups "Download", "Shared Uploads", and "Drop Box", changing the Access Level accordingly for Group Access Label "Student".
But naturally I want to do the manual part programmatically, to save n instructors from having to learn how to do this same thing and then to do it.
So I'm trying to change my ws call to add the Groups, including Permissions. Schema http://deimos.apple.com/rsrc/xsd/iTunesURequest-1.1.xsd doesn't include Group Access Label for Permission. What does this mean?
I've tried the actual Credential == Student@...${IDENTIFIER} (with IDENTIFIER substitution made before the call) and also Credential == Student (to see if I'm supposed to match the Group Access Label, instead).
For either of these trials, the ws call successfully adds the Groups and a ShowTree includes the Permissions for the Groups. But in the iTunes client user interface, it's as if I gave no Permissions in adding the Groups.
Am I approaching this wrong or is there a bug here?
(I haven't tried yet a separate call to add the Group Permissions, not wanting to suffer the processing wait of getting handles for the three Groups.)
Anyone else doing this? (successfully or not ) Thanks.

Help creating apple script to create folder and set access levels

I'm trying to create folders in FileMaker Pro using apple script and need some help in setting the access level for the folders. I want to set both Staff and everyone to Read and Write access. Secondly I would like to have a function key set on the desktop to create new folders and set that same access level. The default access is Read and I can not find a way to change that.
Thanks

I'm trying to create folders in FileMaker Pro using apple script and need some help in setting the access level for the folders. I want to set both Staff and everyone to Read and Write access. Secondly I would like to have a function key set on the desktop to create new folders and set that same access level. The default access is Read and I can not find a way to change that.
Thanks

How to get object level security in Universe?

Hi,
I need to get the object level security for an Universe. I'm able to get the list of objects and its security access level (Public / Controlled / Restricted / Confidential / Private / ) from the (.Unv) file using the Designer SDK.
But I need to get the list of users who has the object level security in the universe. In the CMC, by clicking the Universe and click on the Object Level Security tab, we can see the list of users there.
I need to get the same using BOE SDK.
I have used the following query to get the universe from the repository,
"select * from ci_appobjects where si_kind='universe' "
But I'm not able to get the list of users having obj. level security for that universe.
Kindly help me to proceed.
Thanks.

The access security level is encapsulated in the SI_KIND='Overload' object.
Look for those types of objects, and the doc for the Overload class.
An Overload references the Universe to which it's associated, and User/UserGroup objects are associated with the Overload via SecurityInfo.
Sincerely,
Ted Ueda

Problem with user access level

David,
I have so far succesfully implementend your tutorial on users registering and having to validate their emailaddress (both part I and II).
Part I: http://cookbooks.adobe.com/post_Registration_system_that_requires_the_user_to_vali-16646.h tml
Part II: http://cookbooks.adobe.com/post_Registration_system_that_requires_the_user_to_vali-16649.h tml
When creating a login form however, I don't get it to work based on the access level verified = y. The database is set up exactly as you described in the above tutorials.
This is the HTML for the log in form (index.php):
<form ACTION="<?php echo $loginFormAction; ?>" method="POST" id="logon">
<label for="user">Username</label>
<input type="text" id="user" name="username" />
<br />
<label for="pass">Password</label>
<input type="password" id="pass" name="password" />
<br />
<label for="done"> </label>
<input type="submit" value="Log On" />
</form>
Below the code that is found above the <html> tag in the index.php file:
<?php require_once('../Connections/conn.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
return $theValue;
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
session_start();
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
$_SESSION['PrevUrl'] = $_GET['accesscheck'];
if (isset($_POST['username'])) {
$loginUsername=$_POST['username'];
$password=$_POST['password'];
$MM_fldUserAuthorization = "verified";
$MM_redirectLoginSuccess = "overview.php";
$MM_redirectLoginFailed = "index.php";
$MM_redirecttoReferrer = false;
mysql_select_db($database_conn, $conn);
$LoginRS__query=sprintf("SELECT username, password, verified FROM users WHERE username=%s AND password=%s",
GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
$LoginRS = mysql_query($LoginRS__query, $conn) or die(mysql_error());
$loginFoundUser = mysql_num_rows($LoginRS);
if ($loginFoundUser) {
    $loginStrGroup = mysql_result($LoginRS,0,'verified');
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;
    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    header("Location: " . $MM_redirectLoginSuccess );
else {
    header("Location: ". $MM_redirectLoginFailed );
?>
On the overview.php page, I applied the restrict access to page behaviour, which results in the following code:
<?php require_once('../Connections/conn.php'); ?>
<?php
if (!isset($_SESSION)) {
session_start();
$MM_authorizedUsers = "y";
$MM_donotCheckaccess = "false";
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
// For security, start by assuming the visitor is NOT authorized.
$isValid = False;
// When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
// Therefore, we know that a user is NOT logged in if that Session variable is blank.
if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    // Or, you may restrict access to only certain users based on their username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    if (($strUsers == "") && false) {
      $isValid = true;
return $isValid;
$MM_restrictGoTo = "index.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
$MM_qsChar = "?";
$MM_referrer = $_SERVER['PHP_SELF'];
if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
$MM_referrer .= "?" . $QUERY_STRING;
$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
header("Location: ". $MM_restrictGoTo);
exit;
?>
Any idea/thoughts on what I'm not adding to the page in order to work?

David,
Thank you for that insight, I figured it would be something like that and when I woke up this morning, it all made sense. I changed somthing from the tutorial (part I) you wrote and now it works fine.
I had trouble with the validation link in the email that is sent automatically. In your tutorial, section "generating and sending the validation email", you write:
$message .= urlencode($_POST['username']);
$message .= '&t=';
$message .= urlencode($token);
When using the code like this, it wouldn't set the verified column to y. However, when I changed the middle $message to
$message .= '&t=';
it updated the verified column to y. The URL that displayed from the original code displayed the & sign as & in the URL itself.
Next to that, whenever I try to add something to the e-mail, the validation link becomes not clickable anymore.
As the login problem concerns, encrypting indeed did the trick.
if (isset($_POST['username'])) {
$loginUsername=$_POST['username'];
$password=sha1($_POST['password']);
Putting the $_POST['password'] between brackets, adding sha1 in front of it. It works just fine now.
Hopefully no further problems on this anymore! Thanks a lot for your insights!
EDIT: I can't mark this thread as answered anymore?

Access level in lookup table

I'm using Dreamweaver CS4. It seems that access levels can
only be applied (at least through Server Behaviors) to a field
within the same table that host the users and their associated
passwords. I have adopted a database which contains a table which
contains the users and their passwords but the access levels are
stored in a lookup table. Aside from hand coding this or changing
the table structure to include access levels, users and passwords
in the same table, can anyone provide some insight as to how to
handle this?

OK i have successfully achieved the JOIN...I think. I clicked
"Test" on the Recordset dialog and I can see records from the table
but not the JOIN table.
Here is the SQL statement I used:
SELECT authuser_id, firstname, lastname, uname, passwd
FROM authuser INNER JOIN user_access ON
authuser.authuser_id=user_access.userID
So once this is done, I'm not sure how to proceed. I added
the "Log In User" server behavior but the JOIN field is not
displayed under the "Restrict access based on:".
I obviously have a lot to learn about how Dreamweaver helps
streamline this process. Any help (detailed as possible) would be
much appreciated.

Problem with Restrict Access to Page with access level using ASP

I'm using Dreamweaver CS3 with ASP-VBScript and an Access
database. The pages were created from scratch for this project,
using those tools all the way through.
I've created a login page, an admin homepage, and add, edit,
and list records pages for three tables. The login page uses the
Server Behavior "Log in User", all other pages use the Server
Behavior "Restrict Access to Page". All of these are based on an
Access Level.
Login seems to work correctly, and redirects to the admin
homepage. From the admin homepage, I can open any other page as
expected, and they initially display correctly. On the add and edit
pages, however,
submitting the form often results in getting logged out, but
not always.
Once this happens, I can log back in, but other problems will
sometimes occur during that second login session. Sometimes,
logouts will occur on pages that worked fine during the first login
session. Sometimes, another session variable that I've setup
manually will change when it shouldn't...as if there were two
values stored for my session variable, and reloading the page
changes to the other value.
This
post seems closest to my experience, but it doesn't look like
there was really an answer beyond "I had to fight with it for a bit
to get it to work":
I suspected that there is some problem with session settings
on the server. We have an almost identical tool on the same server
that was developed with an older version of DW that works more
reliably; it sometimes has problems with the initial login, but
never has a problem after that.
Has anyone experienced problems like this? Any suggestions
for what to check? I'm really pulling my hair out since it's so
unreliable...the kind of problem that goes away when you try to
show someone and comes back when they leave.

Hello,
I was thinking that all I would need would be the username, although username and paswsword would be more secure. There are about 50 users and no groups or levels. They are all equal ... same level.
The website is private and there is a general content area for all users and then there will be private areas for each user where proprietary documents will be held. I need to be able to ensure that user 'A' can only see the user 'A' pages, user 'B' can only see user 'B', etc.
I don't really understand what the Dreamweaver script is doing, but the overview sounded like it was the right tool to accomplish what I'm trying to do.
Any assistance greatly appreciated.
thanks.

Custom Access Level/User groups in BOBJ XI

Experts,
We are currently implementing BOBJ XI 3.1. Up on go-live, it will be handled by the Operations team from BOBJ CMC. We do not want to give administrator group for the operations users in CMC. Instead, we want to create custom groups with custom access levels.
Ex. one for basis who will set up authentication, licenses etc
one for the functional folks to maintain universes, export universes and set up security.
Is there a way to set up user groups like this. We were able to successfully restrrict access just to folders, universes by creating a custom access level. But we were not able to do it on other items listed in CMC. Has anyone done this level of access before for the operations or even with in the development team instead of using administrator group>
Appreciate your response
Thanks
Kee

Hi,
We can assign different rights to a group by creating custom access levels.
Create a new group ,and also create custom access level and assign it to the new group.
you can provide access to different objects to the group by adding rights to the access level.
Under the access level > click Included Rights > Add and Remove Rights > Under the Rights Collection > click on System.
You could find all the CMC object access rights can be assigned.
Regards,
Rameez

Incorrect functionality in edit access level

We are assigning the Instructor credential with the Edit Access Level permissions. However when an Instructor authenticates, they do not have the EDIT ACCESS permission in their course.
In the iTunes U admin guide, it state:
Users with Edit access to a Course page can also use the Access pop-up menu in the Access area within a Course page to define group-level access for the page. The user can assign group-level access for other users of the Course page, but cannot change his or her own access. iTunes U displays the current user’s credential and Edit access as read-only in the Access pop-up menu
within the Course page.
Any ideas?

I haven't looked at the admin documentation but having Edit permissions on the album doesn't let you have the Edit Access option. What we do for instructors is create the course album for them and set Group Access Labels, as described, up for them for each other credential that has access (student credentials only in our case but I suppose you could do it for instructors, TAs, etc.). Folks with Edit level access to the album (Instructors in this case) can then Edit Page, edit the tabs and use the GALs to change permissions for other users to the tabs in the album.

Access Level Management for Lync2013

In Microsoft Communicator 2007, there was an option to set the 'Access Level Management' as a global setting. Is this feature still available in Lync 2013 apart from setting the 'Access Levels' for each contact individually.
Since we migrated from Microsoft Communicator 2007 to Lync2013 and we needed to change some 'Access Levels', I wasn't able to do so. So would like to check if this feature can be enabled or disabled at the global level.
Thanks. Any suggestions would be highly appreciated.
BR,
Frieda

Hi,
In Lync 2013, you can view the contact in turn of Relationship as following:
You can modify the relationship of the contact by right click the contact, and choose "Change Privacy Relationship", then you can choose the relationship you want such as Workgroup, Blocked Contacts.
Best Regards,
Eason Huang
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Eason Huang
TechNet Community Support

Access Levels to change Universe

Similar Messages

Maybe you are looking for