IBM Support

User's Data Entry Company security settings are overruled by their Group membership's security settings

Troubleshooting


Problem

User ID has limitations configured, so that their ‘Company Group’ has a security limitation. The ‘Companies’ Security Group has been configured so that the relevant company (e.g. 10000) has been set to ‘read only’ (“R”): However, the user is also a member of a user group. This user group has a ‘limitation’ defined on ‘Company group’ so that the same company (e.g. 10000) set to ‘Read / Write’ (W) access.   When the user opens a Data Entry form relating to that company (e.g. 10000), they find that they can (incorrectly / erroneously) type data into the form (white cells).

Symptom

To summarise:

  • The restrictions of the user group override those of the individual users
  • The restrictions are NOT cumulative (most restrictive).

Cause

Code production problem (defect APAR PI12161) in Controller.

Environment

Individual user is a member of a Company Group limitation:

However, they belong to a user group that also has a Company Group limitation configured.

Resolving The Problem

Fix:

Upgrade to Controller 10.2 or later.

Workaround:


There are several methods:
  • Method #1 – Move the ‘bad’ user into a different user group (one without any limitations assigned):
  • Method #2 – Modify the existing user group (e.g. ‘GROUP1’) so it does not have a limitation assigned (so that the end user’s limitation will be active)
  • Method #3 – Modify the existing user group (e.g. ‘GROUP1’) so its limitation is the correct one that you wish the end users to have.
    • NOTE: This means that users inside the same group will get exactly the same limitations (no individual variations).
  • Method #4 – Create a new subgroup (e.g. called 'SUBGROUP2') which is a child (located below) the bad user group (e.g. 'GROUP).
    • Then modify the properties of this subgroup (e.g. 'SUBGROUP2') so that it does not have any security limitations applied to it (i.e. the menu tab 'limitations' has the relevant entries set to clear/blank.
    • Finally, ensure that each individual user (who is a member of 'SUBGROUP2') has the correct limitations applied to their user ID/account.

[{"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Controller","Platform":[{"code":"PF033","label":"Windows"}],"Version":"10.1.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
15 June 2018

UID

swg21663765