By Rick Epstein
Ideally, you will want to plan your security architecture and design a bulletproof security model. However, sometimes assessment will uncover gaping holes in your current architecture, and you will want to close those holes as quickly as possible to reduce risk to your organization.
Here are the broad strokes for assessment and remediation. Keep in mind the best practices discussed in the previous post as you proceed through each of these steps:
- Inventory groups and group members (users)
- Look at each granular inherited & explicit permission for each principal for each content folder, universe folder, category folder, connection (connection folders in BI 4.x)
- Are there any permissions set specifically on content within these folders?
- Create groups for each application and apply No Access to the Everyone group, for each group on its respective application
- Create groups for every content folder, universe folder, category folder, connection (connection folders in BI 4.x)
- Apply the same security to each group on each folder
- Create generic groups for specific grants or denials of rights
- From your inventory of groups and users and permissions set for each, assign users to these new groups
- Remove users from the old groups
- Store the old groups in another group called something like "zzzToBeDeleted"
As I said, these are the broad strokes. They are a good start, but there remain traps for the unwary, and great potential for unintended consequences. If it reminds you of old mariners' charts with captions such as "There be dragons here," that may be a good thing.
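One way to rehearse the steps above before touching the live system is to dry-run them against an exported inventory. The sketch below is an added example, not code from this post or from the BusinessObjects SDK; the inventory rows, the `FLD ` group-naming prefix, and the `build_plan` helper are all assumptions made for illustration.

```python
from collections import defaultdict

PARKING_GROUP = "zzzToBeDeleted"  # parking group name suggested in the post

# Constructed inventory: (user, old_group, target, kind, access_level, how_set)
INVENTORY = [
    ("alice", "Finance Users", "/Finance Reports", "folder", "View", "inherited"),
    ("bob", "Finance Users", "/Finance Reports", "folder", "View", "inherited"),
    ("bob", "Power Users", "/Finance Reports", "folder", "Full Control", "explicit"),
    ("carol", "HR Users", "/HR Reports", "folder", "View On Demand", "inherited"),
    ("carol", "HR Users", "/HR Reports/Payroll", "object", "Full Control", "explicit"),
]

def build_plan(inventory):
    """Turn an inventory into a reviewable migration plan (no changes are made)."""
    members = defaultdict(set)   # new per-folder group -> users to assign
    levels = defaultdict(set)    # folder -> distinct access levels seen today
    review, old_groups = [], set()
    for user, old_group, target, kind, level, how_set in inventory:
        old_groups.add(old_group)
        if kind == "object":
            # Right set on content inside a folder: review it, do not migrate blindly.
            review.append((user, target, level, how_set))
            continue
        members["FLD " + target.strip("/")].add(user)  # hypothetical naming scheme
        levels[target].add(level)
    return {
        "new_groups": {g: sorted(u) for g, u in sorted(members.items())},
        # Folders whose users hold different levels today: one group with uniform
        # security would change someone's rights, so a generic group may be needed.
        "mixed_levels": sorted(f for f, seen in levels.items() if len(seen) > 1),
        "review": review,
        "park_under": {PARKING_GROUP: sorted(old_groups)},
    }

if __name__ == "__main__":
    for section, value in build_plan(INVENTORY).items():
        print(section, value)
```

The `mixed_levels` and `review` sections are where the unintended consequences tend to surface, so resolve every entry in them before removing users from the old groups.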
Next in the security blogging series: Why companies don't update their security model.