Jedox Web is tightly connected with the Jedox OLAP Server, which it uses for storing meta information, such as folder/file hierarchies, or scheduled tasks. As a result, administration of rights in Jedox OLAP Server has direct influence on the behavior of Jedox Web. This article describes the implications of basic rights that are specific to Jedox Web. The basic rights are described in detail the article Administration of User Rights.
The rights for the “ste_xxxx” objects are mostly treated as “on/off” switches. They determine only whether a user can see the given Jedox Web component, e.g. Report Designer, Modeler, etc. Exceptions are the ste_reports object (for the Reports component) and the ste_scheduler object (for the Scheduler component).
In the following section, a distinction is made between Jedox rights objects and Jedox Web objects. Jedox Web objects, for example, are folder groups, root folders, folders, files, tasks, connections, etc. In terms of rights objects, a folder group corresponds to a database, a root folder to a dimension, a folder to a consolidated element and a file to a base element.
Required access rights for controlling Jedox Web objects
In order to control the access to Jedox Web objects for other users, a user must have a certain access level. The required rights are as follows:
- Only users with the entry “W” on the rights object “dimension element” can see and have access to Jedox Web object properties.
- Only users with the entry “D” on the right object “rights” have access to the “Security” tab of the object properties.
- Only users with the entry “R” for the rights object “group” can see the available groups in the Security tab.
- Only users with the entry “D” in the right object “rights” can change group rights of an object.
Impact of Jedox rights settings on Jedox Web objects
There are two levels on which Jedox rights settings impact the ability of a user to interact with Jedox Web objects: 1) a general level that is determined by a user’s role and, based on that role, access to Jedox rights objects; and 2) a specific level for each given Jedox Web object that is determined by a users group and based on that group’s access to the given Jedox Web object.
These are the rights for databases, cubes, dimensions and dimension elements, assigned on the role level. They can be assigned or changed in the Role Manager with the appropriate permissions. The following rules apply:
- Only users with at least the entry “R” on the rights objects “database”, “cube” “dimension”, and “dimension element” have the permission to see elements. A user with entry “R” has permission to open, modify, and export workbooks, but not to save changes, create, copy, move, or delete workbooks.
- Only users with at least the “W” entry in the rights objects “dimension” and “dimension element” are allowed to change root directories, folders, or workbooks. Such users have permission to create, rename, and copy workbooks, but not to move or delete them.
- Only users with the “D” entry in the rights object “dimension” have permission to move and delete root folders, normal folders, and workbooks.
- Only users with at least the entry “W” in the rights object “database” can create and rename folder groups.
- Only users with the entry “D” in the rights object “database” can move or delete folder groups.
These are the rights for Jedox Web objects. With the appropriate authorization, they can be assigned or changed for folders and files in the Report Designer by right-clicking on the object and selecting Properties→Security tab. The following settings are available in the Properties dialog:
- Full Control
The following rules apply:
- User-specific rights cannot be assigned on items if the user’s general rights do not permit it. For example, a user with only “Read” rights to the “dimension” and “dimension element” objects cannot be granted “Write” rights on a specific item in those objects.
- The highest item level in file hierarchies is the folder group. The rights that can be granted on a specific folder group are restricted by the user’s rights to the “database” rights object. A user with only “Read” rights to the database rights object cannot explicitly be granted “Delete” rights (i.e., full access) to some specific folder group. Note: the rights to items within folder groups are NOT restricted by a user’s general rights to the “database” object.
- The next highest objects are the root folders. The rights that can be granted on a specific folder group are restricted by the user’s rights to the “dimension” rights object. A user with only “Read” rights to this object cannot explicitly be granted “Delete” rights (i.e., full access) to some specific folder group.
- Rights on specific items generally are inherited to those items’ children. A user with “Read” rights on a specific folder group implicitly has read access to all items within this folder group.
- Rights set on specific items can be increased on these items’ descendants. A user with “Read” rights on a specific folder group can be granted “Write” rights for the root folder within this folder group. The user would then be able to create and modify items within this root folder, but not within other root folders in the same folder group. A user with only “Read” rights on a folder group could still be granted “Delete” rights to a sub-folder.
Please note that the general rights for a role apply here.
Jedox Analyzer Reports
In order to be able to use Jedox Analyzer reports at all, the user must have a license assigned that includes the “Jedox Analyzer” feature, and the user’s role must have at least “R access” to the rights object “ste_analyzer” in the Jedox OLAP System database.
For Jedox Analyzer reports, the rights settings are applied slightly differently:
- A user with “No Access” on an Analyzer report will not see the report listed.
- A user with “Read access” on the report can open it, change it, and also save those changes as a so-called private view. This private view will not influence the views of other users.
- A user with at least “Write access” on an Analyzer report can save changes in the view of this Analyzer report as a template. This change then clears the private views for all other users, who will as of that point get the new template when opening. They can then save new private copies.
Please note that the rights are applied separately for Analyzer reports in the Report Designer component and for Analyzer reports drawn on reports folder in the Reports component.
The access rights in the component Scheduler can be controlled just like in other components of Jedox Web.
The entry in the right object ste_scheduler (can be found in the component Administration on assigned rights for roles) determines which activities are allowed in the component Scheduler and whether tasks may be created.
There are two kinds of tasks: Private tasks that are only accessible by a given user, and global tasks that are accessible for everyone.
- Users/Groups in Roles with “N” (None) access right for ste_scheduler are not allowed to see the component Scheduler, and are not allowed to create tasks.
- Users/Groups in Roles with “R” (Read) access right for ste_scheduler are allowed to see and execute private tasks and global tasks.
- Users/Groups in Roles with “W” (Write) access right for ste_scheduler are allowed to see, execute, update private and global tasks, and are allowed to add new tasks.
- Users/Groups in Roles with “D” (Delete) access right for ste_scheduler are allowed to see, execute, update, and delete their own tasks and global tasks, and are allowed to add new tasks.
Tasks are internally stored in an OLAP cube, so a user viewing or updating tasks needs to have at least some basic rights for OLAP rights objects like “dimension”, “dimension element”, and “cell data” as well. For reading, “R” is sufficient; for adding and updating, “W” is needed; and deletion requires “D”.
For global tasks, you can also define task access rights (similar to access rights for workbooks, etc.). Each global task in the Scheduler component has a “Security” tab where you can define access to it. If the setting on an individual global task (e.g. “Read”) conflicts with the given rights for ste_scheduler (e.g. “Write”), the lower right “wins”.
Additionally, there is a set of rights that allows a user/group with a certain role to view other users’ private tasks. This set of rights is “D” for the right objects “user”, “database”, “cube”, “dimension”, “dimension element”, and “cell data”. The level of access (view, update, delete) that the user has to others’ private tasks is then again ruled by the given rights for ste_scheduler.