Ideally, you will want to plan your security architecture and design a bulletproof security model. However, sometimes assessment will uncover gaping holes in your current architecture, and you will want to close those holes as quickly as possible to reduce risk to your organization.
Here are the broad strokes for assessment and remediation. Keep in mind the best practices discussed in the previous post as you proceed through each of these steps:
- Inventory groups and group members (users)
- Look at each granular inherited & explicit permission for each principal for each content folder, universe folder, category folder, connection (connection folders in BI 4.x)
- Are there any permissions set specifically on content within these folders?
- Create groups for each application and apply the No Access to the Everyone group for each group on its respective application
- Create groups for every content folder, universe folder, category folder, connection (connection folders in BI 4.x)
- Apply the same security to each group on each folder
- Create generic groups for specific grants or denials of rights
- From your inventory of groups and users and permissions set for each, assign users to these new groups
- Remove users from the old groups
- Store the old groups in another group called something like "zzzToBeDeleted"
As I said, these are the broad strokes. They are a good start, but there remain traps for the unwary, and great potential for unintended consequences. If it reminds you of old mariners' charts with captions such as "There be dragons here," that may be a good thing.
Next in the security blogging series: Why companies don't update their security model.