Hi everyone,

I have a dilemma that I'm hoping I could get some help with.

Current structure:
We have multiple dev teams that develop content for various domains. Each of these teams has the ability to create and modify metadata. In addition, each of these teams has access to different data sources, based on their departments.
So I have user and group profiles setup, each one containing the required adapter connections and application access. This works fine as long as each group develops within their own sectors.

The challenge:
TEAM B needs to have access to data (a specific set) which only TEAM A has the adaptor for. TEAM B cannot be given the adaptor because it would open access to content they are not allowed to view.

The proposed solution:
TEAM A needs to create the metadata for TEAM B, then drop the content into a new application folder which TEAM B will then own (Read Only).

The problem:
It is my understanding that in order for TEAM B to use the master files created by TEAM A, they need access to the adapter used by the master files, otherwise no data is returned.
I can’t give access because the users from TEAM B can then create metadata in a different application folder using that adapter, basically bypassing everything done by TEAM A.

One way I can do this is to create a second adapter and have our DBA create a new user account with a restricted view.
I was curious however if it was possible to enable the use of an adapter at the application level rather than user/group level. This would allow for collaboration among developer teams without the need to create multiple accounts/adapters.

This is also true from cross-domain development.

I hope this makes sense.

I would appreciate any insight on this topic

This message has been edited. Last edited by: Yazster,

Have you looked into the security options on the WebFOCUS Server ?


The options are under "Access Control" tab and you can set levels of access to app directories according to users or the groups they belong to.

My application folder security is setup and I have the necessary access levels assigned to users/groups. This isn't where my issue is. It's one thing to grant access to master files in an application folder, what I'm wondering is can someone have this access without the required adapter access to pull back data.

From what I'm seeing, the adapter needs to be declared in all user/group profiles where it's being used or the master files will produce errors. This of course makes sense, but in doing that, when a user goes to create a new master file, this adapter now shows in the list of sources, I don't want this to be the case.

I want a user to be able to access an adapter if it's already being used in the application, but not be able to create new content with it.

Make sense?

Hi

You could try to specify the connect string on a fex level in the site profile or maybe it works also if you specify it in the MFD_PROFILE on the master file level. I think that in this case you will not see the connection in the WFRS console so they will not be able to create new master files.

Yours

Eran

Hi Eran,

I haven't tried to add it in the MFD_PROFILE, that does sound promising though

I'll give it a try and post the results.

Thanks for your help!

Joe

Placing the connection string in the MFD_PROFILE did the trick!

Thanks again Eran,
Joe