Access Rights for Server-Wide Objects (Level 1)


Access to rights objects is granted through roles. Groups are assigned to these roles, and individual users are assigned to groups. If a user has access to a rights object, it is implied that this user is a member of a group that is assigned to a role with access rights to that rights object.

This rights chain can be seen in the following three cubes from the System database:

  • #_ROLE_RIGHT_OBJECT
  • #_GROUP_ROLE
  • #_USER_GROUP

For more information, see Rights Objects in Jedox.

#_ROLE_RIGHT_OBJECT Cube

This cube establishes object rights. In the screenshot below, the rights objects are in range B7:B38 and the roles are in line 6. In this cube, empty cells have “N” rights.

For all rights objects, the role “admin” has the highest access rights: “delete” or “splash”. The user “admin” is firmly anchored in the system and cannot be altered. That is, the user “admin” cannot be deleted and its rights are predetermined.

The roles “designer”, “etl”, “poweruser”, “editor”, and “viewer” have standard predetermined rights at first, but they can be adapted. In addition, further roles can be created.

#_GROUP_ROLE Cube

This cube establishes group roles. In the screenshot below, the roles are in range B7:B12 and the groups are in line 6. 

A group is allocated to a role by putting “1” into the cell. The group “admin” belongs to the role “admin” and cannot be changed. A group should be allocated to only one role.

#_USER_GROUP Cube

This cube defines which group(s) a user belongs to. In the screenshot below, the groups are in range B7:B13 and the users in line 6.

A user is allocated to a group by putting “1” into the cell. 

A few notes about the administrator:

  • The user “admin” belongs to the group “admin” and cannot be changed.
  • To be the administrator, a user must be in the “admin” group; the role “admin” alone is not enough. 
  • Only an administrator can assign the group “admin” and the role “admin”.
  • Users who belong to the admin group can always see and edit cube data, even if appropriate rights for the group “admin” have been deleted.

Important note: a user can be a member of several groups. An operation such as reading a cell value is allowed for a user if the user is in at least one group with the required access rights. Note that with regard to cell data access, several rights definitions are combined for reading or writing (e.g. the “DefaultRight”, the rights on dimension element data, or the rights on cell data, which are described in Level 3 Access Rights within Specific Databases). Here, the comparison of rights across the user’s multiple groups is made not object by object, but for the full rights sequence. For each of the user’s groups, there is one effective right for the cell data access in any specific case. Of these per-group effective rights, at least one has to be as high as the right required for the operation.
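The user, group, role and rights object chain for server-wide (Level 1) rights objects can be walked as in the following added example, which is not Jedox code and does not use the Jedox API. The cube contents, the rights object names “cube” and “user”, the role “helpdesk”, the groups “support” and “ops”, the non-admin user names, the right order N < R < W < D < S and the handling of a group with several roles are assumptions made for illustration; the Level 3 combination of cell data rights is not modelled.

```python
# Added example with constructed data; not Jedox code or the Jedox API.
LEVELS = "NRWDS"  # assumed order: none < read < write < delete < splash

# #_ROLE_RIGHT_OBJECT: (rights object, role) -> right; an empty cell means "N"
ROLE_RIGHT_OBJECT = {
    ("cube", "admin"): "D", ("user", "admin"): "D",
    ("cube", "editor"): "W", ("cube", "viewer"): "R",
    ("user", "helpdesk"): "W",          # "helpdesk" is a made-up custom role
}
# #_GROUP_ROLE and #_USER_GROUP: the pairs whose cell holds "1"
GROUP_ROLE = {("admin", "admin"), ("editor", "editor"), ("viewer", "viewer"),
              ("support", "helpdesk"), ("support", "editor"), ("ops", "admin")}
USER_GROUP = {("admin", "admin"), ("carol", "admin"), ("alice", "editor"),
              ("alice", "viewer"), ("bob", "support"), ("dave", "ops")}

def groups_of(user):
    return sorted(g for u, g in USER_GROUP if u == user)

def roles_of(group):
    return sorted(r for g, r in GROUP_ROLE if g == group)

def group_right(group, obj):
    """Right a group gets on a rights object through its role(s)."""
    rights = [ROLE_RIGHT_OBJECT.get((obj, r), "N") for r in roles_of(group)]
    # Assumption: if a group has several roles, the highest right counts.
    return max(rights, key=LEVELS.index, default="N")

def user_right(user, obj):
    """Highest right over all of the user's groups (one group is enough)."""
    rights = [group_right(g, obj) for g in groups_of(user)]
    return max(rights, key=LEVELS.index, default="N")

def is_allowed(user, obj, required):
    return LEVELS.index(user_right(user, obj)) >= LEVELS.index(required)

def audit():
    """Findings a reviewer would want from the three cubes."""
    groups = {g for g, _ in GROUP_ROLE}
    users = {u for u, _ in USER_GROUP}
    return {
        # the page: a group should be allocated to only one role
        "multi_role_groups": sorted(g for g in groups if len(roles_of(g)) > 1),
        # the page: administrator status comes from the "admin" group
        "administrators": sorted(u for u in users if "admin" in groups_of(u)),
        # role "admin" reached through another group: high rights, not admin
        "admin_role_outside_admin_group": sorted(
            u for u in users if "admin" not in groups_of(u)
            and any("admin" in roles_of(g) for g in groups_of(u))),
    }

if __name__ == "__main__":
    print(user_right("alice", "cube"), audit())
```

Running the audit over an export of the three cubes surfaces groups that break the one-role recommendation and users who hold the “admin” role's rights without being in the “admin” group.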
