on 09-07-2023 2:54 PM
Hello,
A user mistakenly sent reports (containing confidential data) to all BI accounts, which posed security issues.
Some users check the «Everyone» box when selecting recipients and forget to clear the selection before sending (see attachment "Send BI report_part_1.png").
After searching the CMC, we did not find a parameter that could remove the check mark of «Everyone» so that the mishandling is not repeated.
However, users must be able to send a report to any BI account (see attachment "Send BI report_part_2.png").
Is it possible to remove the “Everyone” check mark when selecting the recipient? Or make it inactive?
Version: 4.3 SP 2 Patch 9.
Thanks for your help,
Blandine
It was a big mistake to explicitly deny the most powerful right (the “View” right) to one of the essential top-level objects like the "Everyone" group.
Therefore, NEVER explicitly deny "View" rights for top-level objects such as (Groups, Users, User Folders, Universes, etc.).
The only way to fix the problem is to use the "CMS Server Console" to add the principal "Administrator" and give it "Full Control" rights to the "Everyone" group.
After that, log on to the CMC with the user "Administrator" and correct the "View" rights.
To do this, see my answer
https://answers.sap.com/questions/13911208/top-level-security-on-personal-folders.html
(Note: Set "Everyone" ID instead of "User Folders" ID in Setrole)
....
I hope this solves your problem and helps.
... and as always said: DO NOT do it if you don't know exactly what you are doing......
Thank you Ayman Salem!
The "Everyone" group has reappeared in the list of groups (for the "Administrator" account) using the link:
https://answers.sap.com/questions/13911208/top-level-security-on-personal-folders.html
For information, the command used is:
setrole 12 1 622
Hello,
Thank you for the different answers.
After solving the problem of the disappearance of the "Everyone" group, here are the steps taken to resolve the initial problem:
1. Log in to the CMC
2. Go to “Users and groups”
3. Right click on the “Everyone” group > “User Security”
4. “Add primary users/groups”
5. In the list of groups, select “ANG_REC”
6. Click on “Add and assign security”
7. In the “Advanced” tab > click on “Add/Remove rights”
8. Go to the “System” > “User group” section. For the “View objects” right, check “Replace general global rights” > check “Refused”
9. Click on “Apply”, then “OK”
10. Click “Apply” a second time, then “OK”
11. Click on “Close”
12. Log out of the CMC.
In CMC, go to Users & Groups -> Group List, find the Everyone group. Right-click on it and hit User Security.
Check who has "View" rights -- that is the permission that enables users to see and pick "Everyone" as a recipient. If you remove the view right, then your users won't be able to pick "Everyone".
If users have view permissions on other groups, then those groups will be available.
The view access might be granted at the top level, so that all users can send reports to all users and all groups. If that's the case, it's set here: Users & Groups -> Manage -> Top Level Security -> All Groups.
To enable users to see other users, go to Users & Groups -> Manage -> Top Level Security -> All Groups, and grant View permissions there.
Thanks Joe Peters,
I did the steps below with my account (which is in the Administrator group)
- In CMC, go to Users & Groups -> Group List, find the "Everyone" group. Right-click on it and hit User Security.
- The "View Objects" right has been changed to "Denied".
In BI, the first test matches what was expected (you can no longer check "Everyone" in the recipients, but you can select a desired user).
But in the CMC, the "Everyone" group has disappeared (neither in the list of groups, nor in the group hierarchy, nor in the security of other groups/users). I can't find it anywhere, due to the fact that the "view" right was refused... I also tried with the Administrator user.
How do I go back and regain access to the "Everyone" group in the CMC?
Best Regards,
Blandine
Even with the "Administrator" account, the "Everyone" group no longer appears.
I imported a BIAR from a correct environment, containing all the groups, and for promotion I checked "promote object security".
A failure appears for the "Everyone" group: "Failure: Trying to create an object with duplicate name".
As the "Everyone" group is no longer accessible, I cannot delete it to re-import it.
Do you have another solution?
Thanks for your help