We have users who have the Professional License, with the ability to read + access + modify to a root folder and all subfolders.
Folder A
- Subfolder A
- Subfolder B
User has a report file in Subfolder A and wants to copy it into Subfolder B
Since we are not granting users Library Administrator rights (where they would be able to see the entire server), the only way they can do so is to open the file, then save it in the new folder. Given they have the rights to both, is it possible for them to have some sort of copy function that can support this (without library administrator rights/or a new type of library administrator that is valid only for specific folders)?
Current workflow for user to open and save files takes at least 30 minutes due to report size.
Even 3 similar ideas [ https://ideas.tibco.com/ideas/TS-I-8317 / https://ideas.tibco.com/ideas/TS-I-6123 / https://ideas.tibco.com/ideas/TS-I-5413 ] and my new one [ https://ideas.tibco.com/ideas/TS-I-8937 ].
Fully agree as well!
Found 2 similar ideas [ https://ideas.tibco.com/ideas/TS-I-6123 / https://ideas.tibco.com/ideas/TS-I-5413 ] and created a new one [ https://ideas.tibco.com/ideas/TS-I-8937 ] to give this requirement some more attention and ask TIBCO (users) if it's maybe already possible with new user groups in existing Licenses.
Apart from this they also have read access to the other team's folder? In that case a user in one of the teams may of course open a file from the other team's folder and save it in his or her own team folder but that can be done regardless of whether they have the Library Administration license or not.
What is the purpose of giving the users read access in the folders of other teams if not to allow them to open those files?
Yes, you are correct in this assessment. The issue we run into is the overlapping use of a Web User (Consumer) vs Analyst (Professional). Our current framework design on managing users and folders looks like this:
Groups and License
Spotfire Project A
- Project A Developers - Spotfire Professional License
  - LDAP AD GROUP A Developer
- Project A Read Only - Spotfire Enterprise Player/Web Player License
  - LDAP AD GROUP A Read Only
  - LDAP AD GROUP B Developer
  - LDAP AD GROUP B Read Only
Spotfire Project B
- Project B Developers - Spotfire Professional License
  - LDAP AD GROUP B Developer
- Project B Read Only - Spotfire Enterprise Player/Web Player License
  - LDAP AD GROUP A Developer
  - LDAP AD GROUP A Read Only
  - LDAP AD GROUP B Read Only
Library Folders:
Folder A
- Project A Developers - Access + Read + Modify
- Project A Read Only - Access + Read
Folder B
- Project B Developers - Access + Read + Modify
- Project B Read Only - Access + Read
So with this setup, and with the assumption that users who are using just a web browser (Read Only) will be able to open the file, but will not be able to save. However, you can see that Developers, leveraging their license in professional, can open reports they don't own, and be able to view AND edit AND save to their own folder. As mentioned, we had reviewed this case with Tibco for a related issue, and they have suggested the solutions I had listed previously.
At the same time, as you append Library Administrator License with the Developer group, the same thing can happen: the overlap of user rights for folders and what permissions
One could have some kind of execute permission (that allows files to be opened/viewed/executed but not re-saved) but since the Analyst client is a desktop application (that a potential attacker has full control over) there's no way for the system to enforce that the analysis isn't saved. In a pure-web solution that would be possible however. Similarly the "access" option that is available for Information Models works since the Information Model elements (information links, columns etc) are used server-side and don't have to reach the Analyst client (other than when editing them).
Absolutely correct, and this was the assessment provided by Tibco as well.
I can see that there may be needs for more fine-grained access control in various ways (a delicate balance not to make it overly complex though) but unfortunately I fail to fully understand your use case.
You have two (or more) teams (with corresponding groups in the user directory perhaps) and each team has a folder in which they have read and write access. Apart from this they also have read access to the other team's folder? In that case a user in one of the teams may of course open a file from the other team's folder and save it in his or her own team folder but that can be done regardless of whether they have the Library Administration license or not.
What is the purpose of giving the users read access in the folders of other teams if not to allow them to open those files?
One could have some kind of execute permission (that allows files to be opened/viewed/executed but not re-saved) but since the Analyst client is a desktop application (that a potential attacker has full control over) there's no way for the system to enforce that the analysis isn't saved. In a pure-web solution that would be possible however. Similarly the "access" option that is available for Information Models works since the Information Model elements (information links, columns etc) are used server-side and don't have to reach the Analyst client (other than when editing them).
The problem with this (and this may branch into a different topic with Folder Permissions) is that Library giving full permission to the Library is in fact already an overkill.
In a sample environment, we have 3 distinct, highly sensitive groups (let's call them A, B and C) with two separate folders (A and B). We want each team to have the ability to closely administer their own folders. All have developers have users who can write into their own folders, but A and B can also read into each other's folders. - Notice all of this is driven by Permission for now.
In this case, I cannot grant any of these developers Library Administrator license, because suddenly this opens up the ability to read from a folder they don't have write access to (so A developer opens a B file, and then saves it to A folder).
This example case was raised recently as an escalated SR by our team, and the conclusion that was arrived at was that, in order to satisfy the license issue and maintain permission rights and restrict access, either
a) Spotfire needs a more fine-grain folder permission similar to most storage systems (where Read+execute isn't the same as Read Only)
b) Separate out a full SDLC box away from this box (where having overlapping rights and folder access) so that the Library Administrator license would not conflict with the overlaps of permissions.
The Library Administrator license only controls access to the Library Administrator tool - it does not grant any additional library permissions (so anything the user can see in the tool he or she can also access through other means, such as the Open from... library dialog). Membership in the Library Administrator group does however give full permissions to the library.
So, I would suggest assigning the Library Administrator license to your users (if you feel that they thereby can see too much you likely need to review the permissions of your library folders).
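The overlap discussed in this thread can be audited mechanically. The following is an added example, not code from any poster or from Spotfire: a constructed Python model of the group nesting and folder permissions listed above, which reports every LDAP group whose members can open a file in one folder and save it into another. The dictionary layout and function names are assumptions made for the illustration.

```python
# Constructed model of the layout described in the thread; not Spotfire API code.
PRO, WEB = "Professional", "Enterprise Player/Web Player"
SPOTFIRE_GROUPS = {  # Spotfire group -> (license, nested LDAP groups)
    "Project A Developers": (PRO, {"LDAP AD GROUP A Developer"}),
    "Project A Read Only": (WEB, {"LDAP AD GROUP A Read Only",
                                  "LDAP AD GROUP B Developer",
                                  "LDAP AD GROUP B Read Only"}),
    "Project B Developers": (PRO, {"LDAP AD GROUP B Developer"}),
    "Project B Read Only": (WEB, {"LDAP AD GROUP A Developer",
                                  "LDAP AD GROUP A Read Only",
                                  "LDAP AD GROUP B Read Only"}),
}
FOLDER_ACL = {  # folder -> Spotfire group -> permissions
    "Folder A": {"Project A Developers": {"access", "read", "modify"},
                 "Project A Read Only": {"access", "read"}},
    "Folder B": {"Project B Developers": {"access", "read", "modify"},
                 "Project B Read Only": {"access", "read"}},
}

def effective(ldap_group):
    """Union of licenses and per-folder permissions inherited by one LDAP group."""
    licenses, perms = set(), {folder: set() for folder in FOLDER_ACL}
    for sf_group, (license_name, members) in SPOTFIRE_GROUPS.items():
        if ldap_group not in members:
            continue
        licenses.add(license_name)
        for folder, acl in FOLDER_ACL.items():
            perms[folder] |= acl.get(sf_group, set())
    return licenses, perms

def copy_paths(ldap_group):
    """(source, destination) pairs: read on source plus modify on destination."""
    licenses, perms = effective(ldap_group)
    if PRO not in licenses:  # thread's assumption: web-only users cannot save
        return []
    return sorted((src, dst) for src in perms for dst in perms
                  if src != dst and "read" in perms[src] and "modify" in perms[dst])

def audit():
    """Copy paths for every LDAP group that has at least one."""
    ldap_groups = set().union(*(m for _, m in SPOTFIRE_GROUPS.values()))
    return {g: p for g in sorted(ldap_groups) if (p := copy_paths(g))}

if __name__ == "__main__":
    for group, paths in audit().items():
        for src, dst in paths:
            print(f"{group}: can open from {src} and save into {dst}")
```

Both Developer groups are reported and neither Read Only group is, which matches the behaviour described in the thread: the path follows from read permission on the other team's folder combined with the desktop client, independent of the Library Administrator license.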