Rights Objects in Jedox

image_pdfimage_print

This is an overview of rights objects in Jedox. It shows the default rights given to default roles after an installation with default values:

You can see the rights objects in range B7:B38 and the roles in line 6.

In Administration of User Rights you will find the chain of rights (right objects – roles – groups – users) used in Jedox.

For rights objects prefixed with “ste_”, which control access to various components of Jedox Web, it is also relevant what the license assigned to a user permits. For example, while the user might have sufficient access to an ste_* rights object to view its corresponding panel in Jedox Web, that user may still be prohibited from using that component based on the license that has been assigned. The same is true if a license grants access but the rights object access does not.

If a setting is noted in square brackets in the following list, it is possible to use it, but achieves the same setting as the one before the square brackets, which is recommended.

Example:  N [R, W]:       
In this case, N, R, W would have the same described effect, but it is recommended to only use N.

Please see the article Specific Rights in Jedox Web for an explanation of how rights objects relate to actions in Jedox Web components Reports and Report Designer.

user

Controls access to the #_USER_ dimension in the system database, which is used to handle users in the OLAP server.

N: Users have no access to #_USER_ dimension1).
R: Users can see “user” objects in the #_USER_ dimension of System DB (or any other DB), but cannot edit/delete them.
W: Users are allowed to change “user” objects (rename users) and create new users.
D: Users are allowed to delete users.
 1) Note: The #_USER_ dimension is also necessary for storing and reading so-called “local” subsets, i.e. subsets that are private to each user. Because of that, if a user has at least “R” access on the “sub-set view”, he also has “R” access to the #_USER_ dimension.

Related rights objects: password, group, rights, sub-set view

password

Controls the handling of passwords on the OLAP server.
Note: Users are always allowed to change their own password.

N: Users have no rights on passwords. They cannot see or edit them.
R: Users can read passwords in the System Database, but they cannot change them.
Note: as of Jedox 4, passwords are stored in encrypted form in System DB if users change them themselves.
W: Users are allowed to read and change passwords for other users, but not delete them.
D: Users are allowed to delete, read, and change passwords.

Related right objects: user, group, cube, rights

group

Controls the handling of groups in the OLAP server.

N: Users have no access to #_GROUP_ dimension.
R: User can see “group” objects in the #_GROUP_ dimension of System DB (or any other DB), but cannot edit / delete them.
W: Users are allowed to change “group” objects (rename users) and create new groups.
D: Users are allowed to delete groups.

Related rights objects: user, password, rights

database

Controls general access to databases in OLAP.

N: Users are not allowed to see any databases.
R: Users are allowed to see databases, but not edit them.
Note: This only concerns the database objects themselves, not contents like cubes etc.
W: Users are allowed to edit (rename) database.
D: Users are allowed to delete databases.
cube

Controls general access to cubes in OLAP databases. Access to data in specific cubes can be restricted within databases.

N: Users can not use any cubes at all. This prevents access to all data provided in cubes.
R: Users are allowed to see cubes, but not edit them. Note: This only concerns the cube objects themselves, not contents like cells etc.
W: Users are allowed to edit (rename) cubes.
D: Users are allowed to delete cubes. This right is also required if a user attempts to completely clear a cube.
Users are allowed to convert cubes to run with Jedox OLAP Accelerator (GPU).
dimension

Controls general access to dimensions in OLAP databases. Note: this only concerns the dimension objects themselves, not contents like elements.

N: Users are not allowed to see dimensions.
R: Users are allowed to see dimension, but not edit them. Users are allowed to change attribute values on dimensions. 2)
W: Users are allowed to edit (rename) dimensions
D: Users are allowed to delete dimensions.
  2) Editing attribute values also requires at least “R” access on the object “cube” and “W” access on “dimension element”.

Related rights objects: cube, dimension element, cell data

dimension element

Controls general access to elements in database dimensions.

N: Users are not allowed to see elements in dimensions.
R: Users are allowed to see elements in dimensions, but not allowed to edit them.
W: Users are allowed to see, create and edit (rename) elements in dimensions. Users are allowed to create attributes on dimensions, and to edit attribute values3).
D: Users are allowed to see, create, edit (rename), and delete elements in dimensions, as well as attributes.
  3) Creating and editing attributes also requires at least “R” access on the objects “cube” and “dimension”. Editing attribute values also requires at least “R” access on the objects “cube” and “dimension”.

Related rights objects: cube, dimension

cell data

Controls general access to the data cells in all cubes on the system. Some exceptions apply, e.g. for attribute cubes; see documentation of other rights objects.

N: Users are not allowed to view any cell data in any cube.
R: Users are generally allowed to read cell data.
W: Users are allowed to edit base-level cell data.
D: Users are allowed to delete base-level cell data (i.e. write 0 as value into cells). Note that, if the User should also be able to clear complete cubes, he also needs “D” access on the “cube” right object.
S: Users are allowed to splash values on consolidated-level cells (including 0).

Related rights objects: cube

rights

Controls access to user rights structures, on a system as well as database level, i.e. access to System Database, access to user-right related, database-specific cubes, and access to Security settings on Jedox Web objects (Files, Folders etc.).

N: Users are not allowed to access rights-related structures.
R: Users are allowed to read rights-related structures. Users are allowed to see System database.
W: Users are allowed to edit rights-related structures, e.g. set database-specific rights in #_GROUP_DIMENSION_DATA cubes4). This includes ability to change settings for a users own group, or role.
D: Users are allowed to delete rights related structures. Users are allowed to view the “Security” dialog for objects (files, folder etc.) in Jedox Web and edit the security settings.
  4) Editing data in those cubes requires at least “R” access on the rights objects “dimension” and
“dimension element”.

Related rights objects: user, group, password

system operations

Controls various aspects on administrative level:

1) Access to the #_CONFIGURATION cubes of databases.

2) Access to system related OLAP server operations

3) Access to monitoring information (sessions, jobs).

N: Users have no access to system operations5).
R: Users have read access to system operations, i.e. is allowed to retrieve system monitoring information.
W: Users are allowed to edit #_CONFIGURATION cubes. Users are allowed to execute the following OLAP API methods: /cube/save, /database/save, /server/save. Users are allowed to close sessions and to stop jobs.
D: Users are allowed to commit and to rollback changes on “Undo” areas in cubes.
Users are allowed to remove licenses. Users are allowed to execute following OLAP API methods: /server/shutdown, /svs/restart, /cube/load, /cube/unload, /database/load, /database/unload.
  5) Exception: all users always can retrieve data from #_CONFIGURATION cubes, regardless of what is defined as access right.

Related rights objects: ste_licenses, ste_sessions

event processor

Controls usage of the “event processor” parameter in Writeback requests to the OLAP server. This parameter allows users to circumvent triggering Supervision-Server when changing cube data.

N [R, W]: Users are not allowed to circumvent SVS events.
D: Users are allowed to circumvent SVS events.
sub-set view

Controls access to stored subsets on the OLAP server. If users have R rights or higher on “subset view”, they have also automatically “R” rights to the “user” and “group” rights objects.

N: Users are not allowed access to stored subsets.
R: Users are allowed to read stored subsets, both local (private) and global subsets.
W: Users are allowed to store and edit local (private) subsets on the OLAP server.
D: Users are allowed to store and edit global subsets.

Related rights objects: user, group

user info

Controls the access to objects (databases, dimensions, cubes) of type “user info”. This is normally not relevant in end-user scenarios.

N: Users have no access to user info objects6).
R: Users have read access to user info objects.
W: Users have write access to user info objects.
D: Users have delete access to user info objects.
  6) Even with N access, every user is still generally allowed to access user info objects created by Jedox Web (necessary for access to the components Report and Report Designer and other Metadata).
rule

Controls the access to cube rules

N: Users are not allowed to access list of rules on a cube
Note: rules will still be used in calculations requested by this user.
R: Users are allowed to access list of rules on a cube, but can’t edit them.
W: Users are allowed to create and edit rules.
D: Users are allowed to delete rules.
ste_reports

Controls access to the component Reports of Jedox Web.

N: Users are not allowed to see the component Reports.
R: Users are allowed to access the component Reports in “user” mode. He can browse report groups and hierarchies, and open reports, but can’t modify Report group contents.
D [W]: Users are allowed to access the component Reports in “admin” mode. He can browse report groups and hierarchies, and open reports. Additionally, he can modify Report group contents.
ste_files

Controls access to the Report Designer component of Jedox Web.

N: Users are not allowed to access Report Designer.
D [R, W]: Users are allowed to access Report Designer with generally full capabilities (may be restricted on specific items).
ste_palo

Controls access to the component Modeler of Jedox Web.

N: Users are not allowed to the component Modeler of Jedox Web.
D [R, W]: Users are allowed to access the component Modeler of Jedox Web with generally full capabilities (may be restricted on specific items).
ste_users

Controls access to the User Manager, Group Manager, and Role Manager component of Jedox Web.

N: Users are not allowed to access User / Group / Role Manager.
D [R, W]: Users are allowed to access User / Group / Role Manager with generally full capabilities (may be restricted on specific items).
  Note: To work in User Manager, the user’s role also must have full access (D) on the objects “user”, “group”, “password” and “rights”.

Related rights objects: user, password, group, rights

ste_etl

Controls access to the component Integrator of Jedox Web.

N:

Users are not allowed to access the component Integrator.

R:

Users are allowed to display Jedox Integrator (ETL) projects or components. Furthermore they can execute and monitor loads or jobs.

W:

Users are allowed to create and edit Jedox Integrator (ETL) projects or components and to perform test and data preview. Furthermore they can execute and monitor loads or jobs. In order to create Jedox Integrator (ETL) Tasks additional authorization for the component Scheduler is required (right object ste_scheduler).

D:

Users have full access to the component Integrator. They are allowed to create, edit, and delete Jedox Integrator (ETL) projects or components and to perform test and data preview. Furthermore they can execute and monitor loads or jobs. In order to create Jedox Integrator (ETL) Tasks additional authorization for the component Scheduler is required (right object ste_scheduler).

ste_conns

Controls access to the Connection Manager component of Jedox Web.

N: Users are not allowed to access Connection Manager.
D [R, W]: Users have full access to Connection Manager.
  Note: To work in Connection Manager, the user’s role also must have full access (D) on the objects “user”, “group”, “password” and “rights”.

Related rights objects: user, password, group, rights

drillthrough

Controls whether users are allowed to send Drillthrough requests via Supervision-Server.

N, R, W: Users are not allowed to send Drillthrough requests.
D: Users are allowed to send Drillthrough requests.
ste_scheduler

Controls access to the the component Scheduler of Jedox Web9).

N: Users are not allowed to access the component Scheduler, and they are not allowed to create tasks in other components.
R: Users are allowed to access the the component Scheduler for reading, and they are allowed to execute private and global tasks10).
W: Users are allowed to access the component Scheduler. They are allowed to execute tasks, and furthermore they are allowed to create and edit tasks.
D: Users are allowed to access the component Scheduler. They are allowed to execute, create and edit tasks, and furthermore allowed to delete both private and global tasks.
  9) For more information on access rights in the component Scheduler of Jedox Web, see article “Specific Rights in Jedox Web“.

Related rights objects: ste_reports, ste_etl

ste_logs

Controls access to the Logs component of Jedox Web.

N: Users have no access this component.
D [R, W]: Users have full access to this component.
ste_licenses

Controls access to the component “Licenses” of Jedox Web.

N: Users have no access to this component.
R: Users are allowed to view the component “Licenses”, but they are not allowed to add, activate, remove or assign licenses.
D [W]: Users have full access to this component.

Related rights objects: system operations, ste_sessions.

ste_mobile

Controls access to the Mobile Touch Interface of Jedox Web (used for Browsers on Tablets and handheld devices).

N: Users have no access this component.
D [R, W]: Users are allowed to use the Mobile Touch interface.
ste_analyzer

Controls the general access to Analyzer Reports in Jedox Web.

N: Users have full access to this component.
D [R, W]: Users are generally allowed to use Analyzer Reports.
ste_sessions

Controls access to the component “Sessions” of Jedox Web.

N: Users have no access this component.
R: Users are allowed to view the component “Sessions”, but they are not allowed to close sessions or to stop running jobs
D [W]: Users have full access to this component.

Related rights objects: system operations, ste_licenses

ste_settings

Controls access to the component “Settings” of Jedox Web.

N: Users have no access to this component.
R: Users are allowed to view the component “Settings”, but they are not allowed to add, edit or remove settings.
D [W]: Users have full access to this component.
audit

Controls access to the component “Audit” of Jedox Web and to the “Audit data” in Jedox OLAP cells.

N: Users have no access to this component.
R: Users are allowed to view the “Audit data” in Jedox OLAP cells.
D [W]: Users have full access to this component. Additionally to view the audit data in Jedox OLAP cells, they can define the audit settings for various cubes per databases (i.e. should audit be enabled for a given cube, and how far back should audit data go).
ste_perf

Controls access to the component “Performance” of Jedox Web.

N: Users have no access to this component.
R: Users are allowed to view results of the component “Performance”.
D [W]: Users have full access to this component. Note that currently there are no specific capabilities for full access.
ste_packages

Controls access to the component “My Models” of Jedox Web.

N: Users have no access to this component.
R: Users are allowed to see the panel “My Models” and the list of installed models. They are able to check for updates, but they are not able to install, uninstall or modify models.
D [W]: Users have full access to this component. They are able to install, update and uninstall models.
ste_repository

Controls access to the component “Marketplace” of Jedox Web.

N: Users have no access to this component.
R: Users are allowed to browse the Marketplace panel, but can’t install any of the available models.
D [W]: Users have full access to this component. They are allowed to install models from the Marketplace. Note that if a model executes database scripts during installation, the user running the installation also must have all OLAP rights required for the commands in the scripts. This usually means that rights for creating databases, dimensions, cubes, elements, rules etc. will be required.

 

image_pdfimage_print
Was this post helpful?
NoYes (+1 rating, 3 votes)
Loading...