Best practices on managing reports in client organizations

Eran Withana shared this question 1 year ago
Answered

Our use case is the following.

We have a common set of reports that are deployed to the parent organization. These reports by default are visible to all client organizations. And, we have a bunch of client organizations, each with their own admins and users. These admins are account admins and will not have access to the parent organization. Instead of each user in every organization getting access to all the reports in the parent org, we want to have a model where the account admins can control which user gets what in each account. We are ok for the admins to see all the reports but not for the users until the admin allows them?

What are the recommended ways of implementing this inside client organizations without the admins meddling with anything in the parent organizations?

Comments (9)

photo
1

Hi Eran,

I would suggest using user groups to do this.

So you keep the reports in the parent organization where they can only be edited by your team, but then allow a certain user group from each client org permissions to these reports (or the content folder with the reports). Since the user group will exist in the client organization, client administrators will be able to add and remove users from this group without touching the primary report.

Let me know if this makes sense.

Regards,

Nathan

photo
1

Thanks Nathan for the response.

Just to understand, are you suggesting to add the user groups in parent org and share the reports with those groups in parent orgs. Since these user groups are also visible in client orgs, make the admins in each client org to add/remove users to these groups as needed?

The issue with that is the following. What we share in each client org is very custom to each client org. IOW, we might share A, B and C with client org1 and reports A, C, D and E with client org2. Hence, we can not have a static set of user groups in parent org (unless we create n! groups in parent org where n is the number of reports - which is unmanageable)

Ideally, what we want is to create groups at client org level and pick and chose reports to add to them at the client org level. The admins in that account could be part of a group setup in parent org so that they will have access to all the reports. Is this doable?

Thanks,

Eran

photo
1

Hi Eran,

I was suggesting that you create these user groups within each client organization.

In this case I have a client organization (Client A), which contains a group called "A's Group". At the Default organization I have a content folder with restricted permissions. In the screen-shot I am adding "As group" to the permission settings for the default organization content folder.

75ef782079f2e4ba589824fb228c5c7b

Let me know if this makes sense!

Regards,

Nathan

photo
1

Ah yes - this is an option. But this require the client org admin or default org admins to get into parent org every time and do this change. As i mentioned in the original description, the client org admins will not have access to the parent org. And, the parent org should ideally be not aware of the client orgs (except for one time client org substitution setup)

Also, note that the list of reports we share with each client org can be different from each other. For the above suggestion to work, we will literally have to create one content folder for each report.

Thanks,

Eran

photo
1

Hi Eran,

"get into parent org every time and do this change" - Since the user group exists within the client organization, it only needs to be added once to the parent org's content folder. The client org admins can then add and remove individual users from this group as desired without ever touching the default org.

Say you have 5 accounts..

When you first create the client organization, you would add 5 user groups to that organization, one for each account. At the parent org level, you would allow each of the client org's user groups to access its corresponding content folder. This is the last time anything would need to be done at the parent org level.

When a new user comes in at the client org level, the client org admin would assign them to the user groups corresponding with what they can access.

08fbe8f0ab24f56ae8b171bf0ebe0145

Let me know If it would be easier to discuss this on a screen-share.

Nathan

photo
1

Hi Nathan

I think its easier to do this through a screen share if you have time. Please let me know a good time

Thanks,

Eran

photo
1

Hi Eran,

Unfortunately I am booked through the rest of the day, can we plan on early Monday morning? I can do any time after 8am MST.

Nathan

photo
1

No worries. Does 1.30pm MST on Monday work for you Nathan?

Thanks,Eran

photo
1

Sounds good I will send you an invitation now.

Nathan