Allow folder access on LDAP groups if configured

JeRoen shared this idea 7 months ago
Idea Logged

Hello,

See also https://community.yellowfinbi.com/ticket/15436

Working with YF 8.0.4 it is at the moment not possible to give access to folders based on LDAP groups. It is possible to add LDAP groups to usergroups but as usergroups are clientorg specific this would mean that when I have 100+ clientorg's I would create in each clientorg a usergroup for a specific folder with a certain LDAP group attached.

Ideally YF should look at all the groups a person is a member of and decide what access is allows without using usergroups as the grouping is done in LDAP. So direct access restrictions based on LDAP groups seems logical.

So for see for instance a report from "folder A" in clientorg "112" would only be possible when a user is in the LDAP group "folder A" and the LDAP group "112". There might be 100's of users in LDAP group "folder A" but for this client org there are just a few.

Other members of LDAP group "112" with different LDAP groups "folder B", "folder C" do not see that folder A report.

As it works now a lot of duplication needs to be done as we do already have the grouping in LDAP. So why the need to make usergroups in YellowFin also?

Regards,

JeRoen.

Comments (5)

photo
1

Hi JeRoen,


Thanks for reaching out with your suggestion. I've logged this as an Idea for an Enhancement Request. Before becoming a request, ideas will be reviewed by our Product Team and chosen for Enhancements based on feasibility, level of positive impact to the user experience, and votes from the community. This post will be updated with any future information relevant to this process.


Cheers,

Neal

photo
1

Hello Neal,

Thanks for looking into this and making an idea of it.

Positive impact would be huge as how it is now we need to create a 100 groups for every current group we have to limit access to reports. So that is checked off I think ... ;-)

Regards,

JeRoen

photo
1

Hi JeRoen,


I have some feedback from our developers on this with the following suggestion. If there was a Visible At Client Organisations flag, which would allow a group to include users from the Primary Org and Client Orgs, this would allow you to create one group that applies security to users everywhere.

Adding a LDAP group to the Yellowfin group, could include users from the multiple Client Orgs. When the group is used for category security at the Primary Org (or Client Org) it will only apply to users at the Org where the content is consumed.

We would need to determine how these Visible At Client Org groups work when nested within other Yellowfin groups.

Would this cater to your situation?

43037_GroupVisibleAtClientOrgs

Cheers,

Neal

photo
1

Hello Neal,

Thanks for the followup.

The suggestion you propose at first look seems something that might work. By adding group at the primary org level, adding LDAP groups (with endusers with access to different client orgs) and adding category security to folders with that group (in the primary org) would be fine.

It is nice that all security is applied only to the users in the client org the user is currently in. That would, at least in our configuration, greatly reduce management of usergroups with hundreds of clientorgs.

Regards,

JeRoen

photo
1

Hi JeRoen,


Thank you for confirming that. I have passed this onto the team and will keep you updated with any further progress.


Cheers,

Neal