Manage Report ACL assessments
When you run the Report ACL (access control list) assessment scan, the result is a list of affected reports. The assessment details the users who have seen a report including the report creator. The assessment also includes the roles that the report is limited to and the groups that contain those roles.
Before you begin
Roles required: admin and security_admin.
About this task
For reports that are blocked by a table-level read ACL, the assessment displays the table that contains the blocking ACL and which users are blocked. The assessment application does not provide further management tools. For reports that are blocked because they don't have either a report_view ACL or a read ACL, the report is marked as affected, but doesn’t display the affected users.
Procedure
-
Select the info button (
) next to the report that you want to address and select Open record to see the options associated with the report.
This result shows the following information.- The users, roles, and groups that the report owner belongs to and has shared the report with. If the field Is global is checked, the report is shared with all users. Otherwise, Shared to users, Shared to roles, and/or Shared to groups are selected.
- The number of times users have viewed the report.
This field is empty if the property run_scan_based_on_report_execution_only is false.
- The field Is blocked by read ACL is selected when there are no report_view ACLs on the table the report is based on, but Read ACLs do block access.
- The table with Read ACLs that apply to the report.
- The field Is blocked without RVA or Read ACL is selected when the report is blocked for a non-ACL reason.
- Table ACLs (and column ACLs that apply to all columns on the table) that apply to the report
- Roles associated with blocking table ACLs
- Links to associated blocking table ACLs
- Column ACLs that apply to the report
- Roles associated with blocking column ACLs
- Links to the associated blocking column ACLs
- A real-time rendition of the report
-
Select Show Affected Users and then View Result.
The first several affected users appear in a related list below the report assessment. Affected users are users that the report owner has shared the report with but who can’t see the report based on report_view ACLs.
The default number of affected users shown is five. To show more, configure the property sn_report_acl.com.par_report_acl_assessment.max_affected_users. For more information, see Filter report assessment scans.
-
Add users to a group.
-
Select Assign to group from the list Actions on selected rows.
-
Choose a group and a role (if available) to add the selected users to and select Submit.
Move any users that you don't want to add to the same group into the Available column.
-
Select Assign to group from the list Actions on selected rows.
Result
Manage reports with ACLs on extended fields
Add a system property to identify reports affected by report_view ACLs on dot-walked fields.
Before you begin
Role required: admin and security_admin.
Procedure
Result
The Impacted Reports list has a new column, Dot walk fields. This column is visible only when an affected report is identified based on an ACL on a field on an extended table.
Other report remediation tasks
After you perform the report assessment, you can address affected users. You can change access control list (ACL) roles, change sharing options on reports, or add report users to a group to grant them blocking roles.
Edit ACL roles
Edit the report sharing options
- For reports created in the Classic environment, open the report in the Report Designer and change who the report is shared with. For more information, see Share a Core UI report.
- For reports created in a configurable workspace open the report in the Visualization Designer and change who the report is shared with. For more information, see Share a data visualization in the Visualization Designer.