Clarity

In a scenario where a set of users need to be made read only in CA PPM and users have many instance rights and part of many groups inheriting privileges like edit/create etc . In some cases all the users part of a specific group are required to be made read only. So, the action can be taken at group level and/or at user level depending on the case.Please share your thoughts.

I understand that you would like to have a way to restrict a certain group or user by "removing" certain edit level rights, is this correct?

Rights work by "addition", not substraction. If a user has an edit right you would like to restrict, you will need to remove the right by either removing at instance/obs/global level, or by removing the group that is granting the right.

Hi Marc, Thank you.

As we have many users to act on, working on case to case will be hard

For global rights - thinking of deactivating the groups from which the users are inheriting the rights where ever possible.

For Instance rights of users - Is there a easy way other than going into each users and removing their instance rights?

Really depends on how complicated (i.e. how granular) your security model is!

If you only grant access rights based on GROUPS (and then users inherit the rights via group membership) then this is perhaps not a very complicated thing to do ; inactivate groups and replace them with "read only" versions of the group ; can do a lot of the low level work for this using XOG.

To an extent  access rights inherited through OBS membership could also be relatively simple - similar problem to GROUPS (but conceivably more complications) ; but again could be using XOG to do a lot of the hard work.

However if you have a lot of access rights given out at USER (i.e. INSTANCE to INSTANCE) level ; then you have potentially a lot of data to look at ; I think some developed SQL statements would help you work out whats you need to do.

(there are some old discussions on here about how to pull access right information via SQL - its complicated but predictable - for example Clarity rights Query )

I think you have a complicated task whatever though - good luck.

Thanks for the valuable inputs. Our case could be simple, we have a set of users identified and all of their instance rights can be removed and read access will be managed through a preexisting group (Global rights)

Can this be achieved through XOG or a database update?

I second Dave_3.0 inputs on Group granted rights and OBS Unit rights. Make sure that you have captured any instance rights that have been granted as a result of selecting a resource as an investment manager or resource manager - and then the void you leave by removing these users from those roles.

Lalitharjun wrote:

 

Can this be achieved through XOG or a database update?

Yes - the trick though is that you do not issue a "delete user from group" command through XOG, you issue a "this is what the group should look like when the user is removed" command.

i.e. you read the group out (including all its permissions and users), remove the users that you want to and then XOG it back in with the complete="true" flag set (that flag is the important bit).

--

Christopher makes a very important point that I had not mentioned - there are automatic rights that a user would get to edit objects if they are the named manager of the object instance (i.e. investment/project manager, resource manager) - you would need to investigate/remove these too. Not much you can do apart from replace/remove the user from the relevant manager role.

Is it a good idea to backup user related tables before removing the access rights? like the following.

CMN_SEC_ASSGND_OBJ_PERM

CMN_SEC_USERS

cmn_sec_groups

cmn_sec_user_groups

You need to use XOG to read (backup) the users and  groups impacted by your changes. You could then revert easily if needed.

If you are unsure in any way at all, I highly recommend engaging an experienced consultant to fix this for you and design a suitable longer term model.

This can be particularly complex to get correct

Thank you, Impact analysis has been done and we know which groups and users are impacted. Certainly XOG read is the best option.