September 27, 2012
By Peter Narloch
There are 3 basic categories that a ViewPoint user can be placed in.
Designers have permission to use the ViewPoint Designer environment to create views and modify views that they have access to.
Administrators have permission to use the ViewPoint Designer environment to create and modify views. The subtle difference from the Designers is that they have access to all views regardless of whether they are part of the View OwnedBy group or not. In general, I do not recommend using this category for enabling your designers. If a designer needs access to a particular view make sure they are in the OwnedBy group for the view.
End-Users do not have permission to use the ViewPoint Designer environment. They are only
allowed to see views which are in ViewPoint Spaces which they have access to.
Where the Designers and Administators roles are defined
The sysconfig.xml file in the LBI Framework Services conf directory contains two properties which hold the name of the LDAP groups used to determine who is a designer or administrator.
Default location of this file:
<property name="AnalyticsDesignerRole" value="ViewPointDesigners" />
<property name="AnalyticsAdministratorRole" value="ViewPointAdministrators" />
I suggest creating an LDAP group called ViewPointDesigners and use this group for your AnalyticDesignersRole element which defines who is considered a designer when using ViewPoint.
Note: In the latest LBI 10.1 fixpack these fields can be set with in the Tools > System Settings in Framework Services.
ViewPoint View Security
When a ViewPoint designer saves a view they are prompted to specify who the OwnedBy group is for the view that is being saved. All users who are members of this LDAP group and are also members of the group which has been defined as the ViewPoint designers group will be able to edit this view.
At this point the newly saved view is not accessible by ViewPoint end users. End users will be
able to see this view once the view is added to a ViewPoint Space and the end user is in an LDAP group which has access to the ViewPoint Space.
One additional note about View Security, there is a security section within View Settings area (Edit > View Settings) for a particular view but I don’t recommend that you use this security area unless you have special requirements that you are trying to address. Basically, setting security at the view level
will override the space access settings and will add complexity to your view management. The better way to manage who can see a view is by adding the view to a ViewPoint Space and then configuring
the security section of the ViewPoint Space.
Creating a ViewPoint Space
When a new ViewPoint Space is created and saved the designer is prompted for a Name, Description and an OwnedBy group. It makes sense to set the OwnedBy group to be your designer group which might be ViewPointDesigners for example. The users in the group specifed for the OwnedBy group will have permission to edit this space definition in the future which will include adding views to the space and editing the Security section to add end user groups which will be able to access this ViewPoint Space.
We will come back to the Security section of a space in a moment. One other input prompt worth
noting is the picture icon. The picture referenced here will be shown when the end user opens ViewPoint as a label for the various ViewPoint Spaces. A jpg or png file can be referenced via the Browse button and will be saved into the definition of the ViewPoint Space. It is recommended that the size
of the picture file be under 1 MB in size.
After the designer is satified with the creation of the space and has added some views to the space they can come back and edit the Security settings for the space (Admin > Manage Spaces .. Edit).
Adding Views to a ViewPoint Space
To add a view to a space you need to be in the ViewPoint Designer, navigate to the list of spaces via Admin > Manage Spaces and select the space you are working with. By clicking on the Add button, ViewPoint views can be added to the space. Once a view has been added to a space it can be selected (highlighted) and marked as Visible or Hidden using the buttons. Just to be clear all the views in the Space are accessible to those end users who have access to the ViewPoint Space as defined in the Security section of the space. Marking a view as Visible or Hidden only controls whether the end user can see the view listed when they open the space. Hiding a view is most often used to hide a view which is linked to by another view which is visible. The hidden view would commonly be a supporting detail view and not necessarily a view that an end user would go to directly. Another use of hiding a view would be for a designer to leave the view in a hidden state in the space until they are ready for the end users to see and use the view.
One curious note about marking a view as Visible or Hidden, since views can be added to multiple ViewPoint Spaces the setting of Visible attribute will apply to all instances of the view in various spaces. For starters it makes the most sense to only add a view to one space to avoid confusion.
Prior to the ViewPoint 10.1 SP2 release the Visible and Hidden buttons were called Publish and Unpublish. They were updated to more accurately reflect their function.
ViewPoint Space Security
Once we have a ViewPoint Space set up and we have some views added to the space we are ready to give access to some end users to see the views. We need to head back to the Security section of the space definition by navigating to and selecting our space Admin > Manage Spaces ..
Edit (button). Expand the Security section and select the LDAP group which should be allowed to access the views in this space. You can select more than one group if so desired. There is also an area to add individuals but the use of group tends to be a preferred method and is often more manageable. It probably makes sense to define a specific LDAP group to be used with each space that is created.
The values in the user and group lists come from your LBI server which is typically synchronized with your LDAP system on a regular basis.
Final Security Note
It is important to understand that ViewPoint security focuses on the security of ViewPoint views themselves. The security of the analytical data presented within ViewPoint views is dictated by the security set up within SQL Analysis Services.