4 Replies Latest reply on Sep 25, 2013 4:21 AM by Birger.steelandt

    reporting Privileges


      A crystal report I find quite useful when analyzing privilliges issues.


      What I have found out is that if a privilege is set by the wizard att the top level of an object and You erase all old ones it will erase all privileges records and produce ine at the "top" wilt 31 ( read, writ , execute,,,




      I run a wizard för analyst to incident all privilege at the top level: This produce 1 record at the top with the value of 31.

      I create another role with no privileges. Except that this one has a Read only on Note  in incidents.

      I create a user that has both this roles: ( Analyst, analyst2)

      Because that the role Analyst 2 has a restriction AND the Analyst role has a top level of RWE ( ReadWrite Exexcute on topp level) nothing is set on the individual  Note object)  the sum of the isolated privilege Notes in incident will be Read only.


      Running the report will reveal these "hidden" privileges and show what the actual privileges will be.


      So my way is to se that the prime basic privilege is really set att each object. And erase everything on the add on privilege roles totally first ( with the wizard). And then set the individual to the enhanced privilege. Run the report to confirm the cross tabs of roles and object.


      Nice to hear if there are more clever ways to take control of and document the privilege settings.




        • 1. Re: reporting Privileges
          elizabethcombrink Expert

          Hi Goran - excellent work.


          I've updated your version so us english speakers can make sense of it too :-)

          • 2. Re: reporting Privileges

            Thanks Elizabeth!


            Sorry for the swedish words. Just did not notice it!



            • 3. Re: reporting Privileges

              I've written a privilege report (in isolation to the report previously written)... It's not complete! I'll be posting a completed report as soon as I have the time to think.

              In order that this report can be run a database view is required.

              This report has two views 'console' and 'overview'.


              Overview = will list all of the actions and the privileges that each group/role has against that action.


              Console = a list of all privileges based on the role or group you specify.




              Create view gnr
              (select  tps_name, tps_title, tps_guid, tps_privilege_collection_guid, 'role' as source from tps_role
              UNION ALL
              select  tps_name, tps_title, tps_guid, tps_privilege_collection_guid, 'group' as source from tps_group)


              Known issues:
              report is not showing the correct privileges where actions related to a object exist.

              Future enhancements:


              Mirror exactly what is seen in the console. Lifecycle branch is missing.


              Colin Hinks.

              • 4. Re: reporting Privileges
                Birger.steelandt Apprentice

                Does anyone know if there has been made progress on this?

                We'd like to create an overview of all roles/privileges but doing this by hand (and maintaining it) seems a bit hard...