Best Practices for Permissions

The following best practices are for the system administrator and business manager to implement.

  • Use the Business Desk security setting for the New Report button to control both the New Report and Save Report buttons in the dynamic reports.

    If you deny users permission to create a new report, they will not be able to save a report.

    New report permissions enable a Business Desk user to save SQL report queries to the Data Warehouse. These queries are run by anyone who runs the report. Users who create a report can save it to the Data Warehouse even if they do not have permission to run the report query directly. A user with higher SQL permissions who then runs the report executes that query, possibly without realizing that it is potentially damaging.

  • To secure access to data in Analysis reports, you must apply permissions to Analysis reports and to the List Manager module.

    If users have permission to use the Campaign Manager module, they can use Campaign Manager to export a report to List Manager, and then access user data in the list.

    To secure the user data in this scenario, explicitly deny users the ability to export reports to the List Manager module.

Important

  • A user can enter the Uniform Resource Locator (URL) for a completed report and then view it without having the appropriate Business Desk permissions. However, all the completed report names contain a GUID, and the user would have to know the exact name of the completed report to access it, because directory browsing is not allowed.

  • To secure catalog categories, use the Catalog Editor module.

    For instructions, see Editing a Category in a Base Catalog.

  • Assign permissions to allow or deny the ability to change catalog properties and create catalogs.

    Property security works across all catalogs. You cannot define property-level security on a per-catalog basis. For example, if users do not have permission to change the Description property, then they cannot change that property in any catalog, whether it is a virtual catalog or a base catalog.

    If users have permission to create a virtual catalog, then they have permission to add products to it.

    The security on categories and catalogs prevents users from editing a specific catalog or category (and the products that belong to it). It does not prevent users from including those items in a virtual catalog.

  • Review Windows accounts with Business Desk permissions before you pack a site.

    When a site is unpacked by using Commerce Server Site Packager, Windows accounts with Business Desk permissions are also unpacked.

    For example, suppose you have Commerce Server installed on one computer and you add local groups and accounts. If you pack the site and then unpack it on a different computer, the accounts are also unpacked. When you open Business Desk on that computer, the permissions for those accounts are already in place.

Copyright © 2005 Microsoft Corporation.
All rights reserved.