Allow folder access on LDAP groups if configured
Hello,
See also https://community.yellowfinbi.com/ticket/15436
Working with YF 8.0.4 it is at the moment not possible to give access to folders based on LDAP groups. It is possible to add LDAP groups to usergroups but as usergroups are clientorg specific this would mean that when I have 100+ clientorg's I would create in each clientorg a usergroup for a specific folder with a certain LDAP group attached.
Ideally YF should look at all the groups a person is a member of and decide what access is allows without using usergroups as the grouping is done in LDAP. So direct access restrictions based on LDAP groups seems logical.
So for see for instance a report from "folder A" in clientorg "112" would only be possible when a user is in the LDAP group "folder A" and the LDAP group "112". There might be 100's of users in LDAP group "folder A" but for this client org there are just a few.
Other members of LDAP group "112" with different LDAP groups "folder B", "folder C" do not see that folder A report.
As it works now a lot of duplication needs to be done as we do already have the grouping in LDAP. So why the need to make usergroups in YellowFin also?
Regards,
JeRoen.
Hi JeRoen,
Thanks for reaching out with your suggestion. I've logged this as an Idea for an Enhancement Request. Before becoming a request, ideas will be reviewed by our Product Team and chosen for Enhancements based on feasibility, level of positive impact to the user experience, and votes from the community. This post will be updated with any future information relevant to this process.
Cheers,
Neal
Hi JeRoen,
Thanks for reaching out with your suggestion. I've logged this as an Idea for an Enhancement Request. Before becoming a request, ideas will be reviewed by our Product Team and chosen for Enhancements based on feasibility, level of positive impact to the user experience, and votes from the community. This post will be updated with any future information relevant to this process.
Cheers,
Neal
Hello Neal,
Thanks for looking into this and making an idea of it.
Positive impact would be huge as how it is now we need to create a 100 groups for every current group we have to limit access to reports. So that is checked off I think ... ;-)
Regards,
JeRoen
Hello Neal,
Thanks for looking into this and making an idea of it.
Positive impact would be huge as how it is now we need to create a 100 groups for every current group we have to limit access to reports. So that is checked off I think ... ;-)
Regards,
JeRoen
Hi JeRoen,
I have some feedback from our developers on this with the following suggestion. If there was a Visible At Client Organisations flag, which would allow a group to include users from the Primary Org and Client Orgs, this would allow you to create one group that applies security to users everywhere.
Adding a LDAP group to the Yellowfin group, could include users from the multiple Client Orgs. When the group is used for category security at the Primary Org (or Client Org) it will only apply to users at the Org where the content is consumed.
We would need to determine how these Visible At Client Org groups work when nested within other Yellowfin groups.
Would this cater to your situation?
Cheers,
Neal
Hi JeRoen,
I have some feedback from our developers on this with the following suggestion. If there was a Visible At Client Organisations flag, which would allow a group to include users from the Primary Org and Client Orgs, this would allow you to create one group that applies security to users everywhere.
Adding a LDAP group to the Yellowfin group, could include users from the multiple Client Orgs. When the group is used for category security at the Primary Org (or Client Org) it will only apply to users at the Org where the content is consumed.
We would need to determine how these Visible At Client Org groups work when nested within other Yellowfin groups.
Would this cater to your situation?
Cheers,
Neal
Hello Neal,
Thanks for the followup.
The suggestion you propose at first look seems something that might work. By adding group at the primary org level, adding LDAP groups (with endusers with access to different client orgs) and adding category security to folders with that group (in the primary org) would be fine.
It is nice that all security is applied only to the users in the client org the user is currently in. That would, at least in our configuration, greatly reduce management of usergroups with hundreds of clientorgs.
Regards,
JeRoen
Hello Neal,
Thanks for the followup.
The suggestion you propose at first look seems something that might work. By adding group at the primary org level, adding LDAP groups (with endusers with access to different client orgs) and adding category security to folders with that group (in the primary org) would be fine.
It is nice that all security is applied only to the users in the client org the user is currently in. That would, at least in our configuration, greatly reduce management of usergroups with hundreds of clientorgs.
Regards,
JeRoen
Hi JeRoen,
Thank you for confirming that. I have passed this onto the team and will keep you updated with any further progress.
Cheers,
Neal
Hi JeRoen,
Thank you for confirming that. I have passed this onto the team and will keep you updated with any further progress.
Cheers,
Neal
Hi JeRoen,
Just wanted to let you know that this task has now been completed based off the Visable At Client Organisations flag option, and included in the latest 9.4 release, as well as 8.0.8 which should be out by Monday.
Would love to get confirmation your issue has been resolved with the latest release, so please let me know how it all goes post update, and of course reach out if you have any questions on this.
Cheers,
Neal
Hi JeRoen,
Just wanted to let you know that this task has now been completed based off the Visable At Client Organisations flag option, and included in the latest 9.4 release, as well as 8.0.8 which should be out by Monday.
Would love to get confirmation your issue has been resolved with the latest release, so please let me know how it all goes post update, and of course reach out if you have any questions on this.
Cheers,
Neal
Replies have been locked on this page!