Access Rights Within Specific Databases (Level 3)

image_pdfimage_print

Restriction of rights in specific databases can be assigned for standard value cells and attribute value cells. Note: the default right for access to standard value cells is spelled “DefaultRight” (one word, no space).

Standard Value Cells

The cubes for rights restrictions in each database for standard value cells are:

  • #_CONFIGURATION
  • #_GROUP_CUBE_DATA
  • #_GROUP_DIMENSION_DATA_<Name of the dimension>
  • #_GROUP_CELL_DATA_< Name of the cube>

Important: these restrictions refer only to the rights object “cell data”.

The values “D”, “W”, “R” und “N” can be entered in these cubes, or the cells can be left empty. If there is no entry in the following cubes for a particular group, then the entry “DefaultRight” of the cube #_CONFIGURATION is level 3 access rights for that group.

  • #_GROUP_CUBE_DATA
  • #_GROUP_DIMENSION_DATA_<Name of the dimension>   ( n cubes for n dimensions)
  • #_GROUP_CELL_DATA_< Name of the cube>

If there is any entry in one of these cubes for a particular group, then the default value of the cube #_CONFIGURATION is no longer applied and the lowest of all access rights entries in these cubes for that group is level 3 access rights.  

Additionally, the DefaultRight setting will no longer influence the visibility of elements. To hide an element, “N” has to be set for either the element itself or one of its “ancestor” elements, either via user input or rule.

In order to be able to “splash”, a user must have at least the “W” rights on level 2 and level 3 and the right “S” on the rights object “cell data” in cube #_ROLE_RIGHT_OBJECT.

#_CONFIGURATION Cube 

In this user rights cube, the default right for users can be set regarding elements and cells in the corresponding database:

“DefaultRight” is set to “D” by default. This gives users the permission to delete, if that right is not restricted from the system rights cubes. This setting can be changed into W, R, or N.

For example, if it is changed into R, all users in this database will only have read permission. For certain groups, this R right could be extended, e.g. to W. For such a group, all the entries of cubes #_GROUP_CUBE_DATA, #_GROUP_CELL_DATA, and #_GROUP_DIMENSION_DATA_<dimension name> will have to be set to “W”.

If HideElements is set to “Y”, elements where access is explicitly denied for a given group (that is, “N” is defined for this element or a parent element in cube #_GROUP_DIMENSION_DATA_<dimension name>) will be hidden in a newly created view, or any listing of this dimension. The DefaultRight setting, however, does not influence the visibility of elements themselves.

If users are allowed to change element rights and HideElements is active, those users can lock themselves out by setting the N access right to their own group. After this, the elements will be hidden and the users will have no possibility to re-assign the access rights to themselves.

Users in the “admin” group do not have these restrictions. They can always see elements, even if this right was removed for the admin group.

#_GROUP_CUBE_DATA Cube 

In this user rights cube, standard rights regarding cubes for individual groups can be restricted but not extended.

#_GROUP_DIMENSION_DATA_< Name of the dimension > Cube 

In this user rights cube standard rights regarding dimension elements for individual groups can be restricted but not extended.

The following rules apply:

  • The right for a child element is the same as that for the parent element, unless a different right was assigned explicitly.
  • If an element has more than one parent, the least restrictive of the parent rights applies.

#_GROUP_CELL_DATA_< Name of the cube > Cube 

In this user rights cube, standard rights for individual groups regarding each single cell of a cube can be restricted but not extended. There is no inheritance here. Use Jedox rules to manage inheritance for cell-based rights.

Attribute Value Cells

The user rights cubes for rights restrictions for attribute value cells in individual databases are:

  • #_GROUP_CUBE_DATA
  • #_GROUP_DIMENSION_DATA_#_< Dimension name>_
  • #_CONFIGURATION

The restriction of rights for attribute value cells works in a similar way as for standard value cells. However, the rights cannot be edited down to each single cube cell, but only to the level of attribute elements.

Related links: 
image_pdfimage_print
Was this post helpful?
NoYes (-2 rating, 2 votes)
Loading...