I have a question on assigning a user to multiple application roles and applying object-level security in the web catalog.
Let's say there are 3 subject areas S1, S2, S3 and 3 dashboards D1, D2, D3 in the catalog.
Application roles are created for 3 departments: Dept 1 user (added as a member of the existing BIConsumer Role), Dept 1 Writer (added as a member of the existing BIAuthor Role), and likewise Dept 2 user, Dept 2 Writer and so on.
A user A1 from Dept 1 is assigned the 'Dept 1 user' role; this user also has the Dept 2 Writer role, so when this user logs in, under My Account there are the Authenticated User, BIAuthor, BIConsumer, Dept 1 user and Dept 2 Writer roles.
A 2nd user A2 from Dept 2 has only the Dept 2 user role.
In the web catalog permissions I have defined Open (Read, Traverse) on the D1 dashboard for the Dept 1 user role and the Dept 2 user role, also Custom (Read, Write and Delete) for the BIAuthor Role and Open (Read, Traverse) for the BIAuthor Role.
Similarly, on the D2 dashboard I have defined Open (Read, Traverse) for the Dept 2 user role and the Dept 1 user role, also Custom (Read, Write and Delete) for the BIAuthor Role and Open (Read, Traverse) for the BIAuthor Role.
Whenever the user A1 logs in, even though this user has the Dept 1 user role assigned, the user is able to modify the reports in the D1 dashboard.
How could I set up correct permissions so that the A1 user cannot modify the D1 dashboard but still has the BIAuthor Role, since this user needs to be able to create and save reports in the D2 dashboard?
Thanks for the quick response, but in OBIEE administration, Dashboard create is already granted for BIConsumer. Could you please elaborate on what you mean by 'per case' basis?
I am assuming you wanted me to define Dashboard permissions for specific roles in the web catalog permissions for these dashboards. But the issue/question is the case mentioned above, where the A1 user has the Dept 1 user role and the Dept 2 Writer role: this user is getting the BIAuthor and BIConsumer Roles, but this user isn't supposed to write/delete anything in the D1 Dept 1 dashboard and is still able to.
I think your issue is being caused because you are mixing the out-of-the-box roles with your own custom ones. You can't easily restrict access at the dashboard level using BIConsumer if this role is given to multiple types of user in your company. I suggest you define custom roles and apply these to dashboard objects in the catalog.
I think creating new custom roles with custom policies is a good idea, I will try to implement that. Currently I am explicitly denying access to those roles for the catalog objects wherever there are conflicts like this.
I will leave this thread open to see if there are any other possibilities.
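
The role setup from this thread, as an added example that is not part of any post and is not OBIEE code: a simplified model showing why A1 can modify D1, and what changes when the dashboards are granted to department-specific roles as the reply suggests. It assumes effective access is the union of the grants made to every role a user holds directly or through membership; `ACL_CUSTOM_ROLES` is a constructed alternative, not a configuration from the thread.

```python
# Added example: simplified model, not OBIEE code. Assumption: a user's
# effective access to a catalog object is the union of the grants made to
# every application role held directly or through role membership.
OPEN = {"read", "traverse"}
MODIFY = {"read", "write", "delete"}

# Role membership as described in the thread (role -> roles it is a member of).
MEMBER_OF = {
    "Dept 1 user": {"BIConsumer"}, "Dept 1 Writer": {"BIAuthor"},
    "Dept 2 user": {"BIConsumer"}, "Dept 2 Writer": {"BIAuthor"},
}
USERS = {"A1": {"Dept 1 user", "Dept 2 Writer"}, "A2": {"Dept 2 user"}}

# Catalog permissions as posted: BIAuthor can modify both dashboards.
ACL_AS_POSTED = {
    "D1": {"Dept 1 user": OPEN, "Dept 2 user": OPEN, "BIAuthor": MODIFY | OPEN},
    "D2": {"Dept 1 user": OPEN, "Dept 2 user": OPEN, "BIAuthor": MODIFY | OPEN},
}
# Constructed alternative: write access goes to department roles only.
ACL_CUSTOM_ROLES = {
    "D1": {"Dept 1 user": OPEN, "Dept 2 user": OPEN, "Dept 1 Writer": MODIFY | OPEN},
    "D2": {"Dept 1 user": OPEN, "Dept 2 user": OPEN, "Dept 2 Writer": MODIFY | OPEN},
}

def effective_roles(user):
    """Expand direct roles through membership until no new role appears."""
    seen, todo = set(), list(USERS[user])
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(MEMBER_OF.get(role, ()))
    return seen

def effective_perms(user, dashboard, acl):
    """Union of the grants for every role the user effectively holds."""
    roles = effective_roles(user)
    perms = set()
    for role, granted in acl[dashboard].items():
        if role in roles:
            perms |= granted
    return perms

def can_modify(user, dashboard, acl):
    return "write" in effective_perms(user, dashboard, acl)

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("custom roles", ACL_CUSTOM_ROLES)):
        for dash in ("D1", "D2"):
            print(name, dash, "A1 can modify:", can_modify("A1", dash, acl))
```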