Manage Privileges - Silly Question — Oracle Analytics

Oracle Analytics Cloud and Server


Manage Privileges - Silly Question

User_9GFDT
User_9GFDT Rank 3 - Community Apprentice

Quick specific question that I'm having a hard time finding an answer on searching around.

What is the difference, in the Manage Privileges screen between Denied and just not leaving the value blank for a role?

I've tested this scenario and both the Denied value and no value give the same behavior. For example, for Subject Area A, Denied and no value will make the subject area not appear for a specific user with the role.

Can anyone just break it down for me a bit more? What circumstance would I use Denied instead of the default no value? The only answer I found is that with users with multiple roles, setting to Denied will lock them out regardless of other privs/roles.

Thanks All.

Answers

  • Thomas Dodds
    Thomas Dodds Rank 8 - Analytics Strategist

    D Managing Security for Dashboards and Analyses

    D.2.3.1 What Are Presentation Services Privileges?

    Presentation Services privileges control the rights that users have to access the features and functionality of Presentation Services. Privileges are granted or denied to specific application roles, individual users, and Catalog groups using a privilege assignment table.

    Like permissions, privileges are either explicitly set or are inherited through role or group membership. Explicitly denying a privilege takes precedence over any granted, inherited privilege. For example, if a user is explicitly denied access to the privilege to edit column formulas, but is a member of an application role that has inherited the privilege, then the user cannot edit column formulas.

  • Chris Arnold
    Chris Arnold Rank 5 - Community Champion

    What Thomas Dodds said!

    In very simple terms, I think you could look at it like this...

    John is a member of the Sales group.

    You have given the Sales group permission to see the 'Commissions' subject area, but for whatever reason you don't want John to be able to see this subject area -- you DO however want all of the other members of the Sales group to see this subject area.

    So...you grant permission for the Sales group to see the 'Commissions' subject area, but then Deny John.

    Now everyone EXCEPT for John in the Sales group will be able to see the subject area.

    I realize the scenario I described isn't very realistic in terms of business, but you get my point.

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner

    "Denied" wins. So when you grant and deny both (because you're part of 2 roles, for example) then you will be denied that functionality.

  • User_9GFDT
    User_9GFDT Rank 3 - Community Apprentice

    OK, that makes sense, so Denied wins every time, and can specifically override inherited privs.

    But I guess the thing to note is that in MOST CASES I don't need to specifically deny permission to a privilege (if the user or access role is not Granted they won't see it or have the functionality by default).

    Is that statement correct?

    Thanks to all who replied, not sure who to mark as correct as they all seem correct.

  • [Deleted User]
    [Deleted User] Rank 2 - Community Beginner
    Eternalgradstudent2015-Oracle wrote: But I guess the thing to note is that in MOST CASES I don't need to specifically deny permission to a privilege (if the user or access role is not Granted they won't see it or have the functionality by default).

    No, I tend to not use "Denied" at all if I can prevent it. Makes life a lot easier because you can work a lot better with application role inheritance.

  • User_9GFDT
    User_9GFDT Rank 3 - Community Apprentice

    Thank you again. Appreciate it.
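
The precedence rule discussed in this thread (an explicit Denied overrides any Granted value reached through a role, while a blank value simply grants nothing), shown as an added example that is not part of the original thread and not Oracle's code. It is a simplified Python model; the users, roles and the 'Commissions' privilege table are constructed sample data with hypothetical names.

```python
from enum import Enum

class Setting(Enum):
    GRANTED = "Granted"
    DENIED = "Denied"

# Constructed sample data (hypothetical names): role -> roles it inherits from.
ROLE_PARENTS = {"Sales": ["AllStaff"], "Finance": ["AllStaff"],
                "Contractors": [], "AllStaff": []}
# user -> directly assigned roles
USER_ROLES = {"john": ["Sales"], "mary": ["Sales"],
              "alex": ["Sales", "Contractors"], "pat": ["Finance"]}
# privilege -> {principal: Setting}; a principal missing from the map is "no value".
ASSIGNMENTS = {
    "Commissions": {"Sales": Setting.GRANTED,
                    "Contractors": Setting.DENIED,
                    "john": Setting.DENIED},
}

def principals_for(user):
    """Return the user plus every role held directly or through inheritance."""
    seen, stack = {user}, list(USER_ROLES.get(user, []))
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_PARENTS.get(role, []))
    return seen

def effective(user, privilege):
    """Return (allowed, reason): any explicit Denied wins, then Granted, else nothing."""
    table = ASSIGNMENTS.get(privilege, {})
    hits = {p: table[p] for p in principals_for(user) if p in table}
    denied = sorted(p for p, s in hits.items() if s is Setting.DENIED)
    if denied:
        return False, "explicit Denied on " + ", ".join(denied)
    granted = sorted(p for p, s in hits.items() if s is Setting.GRANTED)
    if granted:
        return True, "Granted via " + ", ".join(granted)
    return False, "no value set (not granted)"

if __name__ == "__main__":
    for user in sorted(USER_ROLES):
        print(user, effective(user, "Commissions"))
```

The reason string separates the two outcomes that look identical on screen: pat is blocked only because nothing was granted, whereas john and alex are blocked by an explicit Denied that no additional role can undo.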