Tuesday, December 27, 2016

The BO security model: high level breakdown

In this blog series I will share insights I’ve gathered over the years on how to set up an effective security model: simple, structured, maintainable, flexible, expandable and easy to use. In the previous blog I concluded that a security model consists of CALs, user groups and folders.
In this second blog I will focus on the structure of the user groups from a high level.

  • This blog series is aimed at experienced BO administrators, so there will be no how-to screenshots.
  • This blog series can be used as a guideline; it cannot be used as a manual.
  • This blog series only covers the internal BO side. No Windows AD or SAP roles and no IAM software.

I will divide the user groups into two parts:

  • The assignment part
    The groups underneath are used only to assign imported Windows AD or SAP roles to.
  • The configuration part
    The groups underneath are used to configure the system.

Configuration user groups

The configuration part holds all user groups used to configure access throughout the system. It is divided (for now) into these two:

  • The organisational part: who can see what
    This part consists of user groups modelled on the organisational structure. Which folders a principal can see is determined here; it’s about access.

  • The user types part: who can do what
    This part covers the different user types. What a user type can do with the content is determined here; it’s about functionality.

Assignment user groups

The assignment part is not divided (for now). It holds all the user groups that business users are assigned to. You should create a group for every combination of organisational group and user type that will be used:

All assignment groups are members of configuration groups. The group "HR - Attrition - Endusers" is a member of "HR - Attrition", which defines the folders and reports that can be used, and it is a member of "1 - Endusers", which defines what can be done with those reports.
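The two-dimensional structure above, as an added example that is not from the blog: a small Python model in which each assignment group inherits folders from its organisational parent and actions from its user-type parent, plus the consistency check an administrator would want (every assignment group sits in exactly one group of each kind). All group names other than those quoted in the post, the folder paths and the action names are constructed for the example.

```python
# Constructed model of the group structure; names and rights are made up
# except for the two configuration groups and one assignment group quoted
# in the post.

# Configuration groups, organisational part: which folders can be seen.
ORG_FOLDERS = {
    "HR - Attrition": {"/HR/Attrition"},
    "HR - Payroll": {"/HR/Payroll"},
}

# Configuration groups, user-type part: what may be done with the content.
USER_TYPE_RIGHTS = {
    "1 - Endusers": {"view", "refresh"},
    "2 - Power users": {"view", "refresh", "schedule", "edit"},
}

# Assignment groups: one per organisation x user type combination, each a
# member of exactly one organisational group and one user-type group.
ASSIGNMENT_GROUPS = {
    "HR - Attrition - Endusers": {"HR - Attrition", "1 - Endusers"},
    "HR - Payroll - Power users": {"HR - Payroll", "2 - Power users"},
}


def validate_assignment_groups(assignment=ASSIGNMENT_GROUPS):
    """Return the names of assignment groups that break the model: not
    exactly one organisational parent, not exactly one user-type parent,
    or a parent that is not a configuration group at all."""
    problems = []
    for name, parents in assignment.items():
        orgs = parents & set(ORG_FOLDERS)
        types = parents & set(USER_TYPE_RIGHTS)
        unknown = parents - set(ORG_FOLDERS) - set(USER_TYPE_RIGHTS)
        if len(orgs) != 1 or len(types) != 1 or unknown:
            problems.append(name)
    return problems


def effective_rights(user_groups, assignment=ASSIGNMENT_GROUPS):
    """Effective (folder, action) pairs for a user from the assignment
    groups it belongs to: folders come from the organisational parent,
    actions from the user-type parent, combined per assignment group."""
    rights = set()
    for group in user_groups:
        parents = assignment[group]
        folders = set().union(*(ORG_FOLDERS[p] for p in parents if p in ORG_FOLDERS))
        actions = set().union(*(USER_TYPE_RIGHTS[p] for p in parents if p in USER_TYPE_RIGHTS))
        rights |= {(f, a) for f in folders for a in actions}
    return rights
```

The CMS itself evaluates rights per object across all of a principal's groups, so this models the intended design rather than BO's own rights calculation; it is useful for checking that a proposed set of assignment groups is well-formed before creating them.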

The model now looks like this:
