Scenario 1: Limited access to the Public Queries folder
This scenario illustrates how different groups with the Public Folder Administrator privilege manage sections of the Public Queries folder.
In this scenario, diverse groups within an organization access a common HCL Compass user database. Although they all have access to the data, each group has specific queries and charts that it wants to share amongst its members, while being protected from other groups modifying these workspace items. At the same time, each group wants to see the workspace items in the folders of the other groups.
The Security Administrator performs the following steps:
- Creates Compass groups that correspond to the organizational groups and assigns users accordingly.
- Grants Read-Only permission to the Everyone group on the Public Queries folder.
- Creates a folder for each group under the Public Queries folder.
- Grants Read-Write permission to each group on their corresponding folder.
Result: Members of each group can use their group folder as a shared folder, where each group member has permission to modify its contents. All users have Read-Only access to all other group folders.
Scenario 1a: Limited cross-group visibility
In this alternate workflow, a group wants a private folder to store workspace items that no other group can see.
The Security Administrator performs the following additional steps:
- Creates a subfolder within the group folder, for example, Private.
- Grants No-Access permission to the Everyone group on the Private folder.
- Grants Read-Write permission to the owning group on the Private folder.
Result: The Security Administrator or any member of the owning group can create the Private folder in Step 1, but only the Security Administrator can set workspace folder permissions on this folder.
Scenario 1b: Limited visibility
In this alternate workflow, a group is only given access to part of the contents of the Public Queries folder. This may be desired to control access to sensitive data, or to simplify the interface by reducing the scope of user visibility.
This scenario would likely incorporate the alternate workflow described in Scenario 1a to limit cross-group visibility. In addition, the Security Administrator restricts access to non-group folders within the Public Queries folder by performing the following additional steps:
- Grants No-Access permission to the Everyone group on the appropriate non-group folders.
- Grants Read-Only permission to select groups on the appropriate non-group folders.
This scenario would likely involve creating additional Compass groups to manage the visibility of the non-group folders, because the appropriate policies would likely cut across group boundaries. For example, all group managers may have Read-Write access to certain folders that non-managers do not.
Scenario 1c: Hiding the visibility of other group folders
In this alternate workflow, the Security Administrator hides the existence of other group folders within the Public Queries folder so that users only see the folders that correspond to the groups of which they are a member.
The Security Administrator performs the following additional steps:
- In the primary workflow in Scenario 1, grants Read-Limited permission, instead of Read-Only permission, to the Everyone group on the Public Queries folder.
Result: Because each group is granted Read-Write permission on their group folder, members only see their group folder inside the Public Queries folder. This step also removes the visibility of workspace items in the root of the Public Queries folder for all users.