Rights with Impact on Jedox Web

Jedox Web is tightly connected with the Jedox In-Memory DB Server, which it uses for storing meta information, such as folder/file hierarchies or scheduled tasks. As a result, the administration of rights in Jedox In-Memory DB Server has a direct influence on the behavior of Jedox Web. This article describes the implications of basic rights that are specific to Jedox Web. The basic rights are described in detail in the article Administration of User Rights.

The rights for the ste_xxxx objects are mostly treated as on/off switches. They determine only whether a user can see the given Jedox Web component, e.g. Designer, Modeler, etc. Exceptions are the ste_reports object (for the Reports component) and the ste_scheduler object (for the Scheduler component).

Defining access rights to file groups / root folders must be done via the related UI elements (right-click on the folder -> Properties -> Security).

In the following section, a distinction is made between Jedox rights objects and Jedox Web objects. Jedox Web objects, for example, are folder groups, root folders, folders, files, tasks, connections, etc. In terms of rights objects, a folder group corresponds to a database, a root folder to a dimension, a folder to a consolidated element and a file to a base element.

Required access rights for controlling Jedox Web objects

In order to control the access to Jedox Web objects for other users, a user must have a certain access level. The required rights are as follows:

  1. Only users with the entry W on the dimension element rights object can see and have access to Jedox Web object properties.
  2. Only users with the entry D on the rights rights object have access to the Security tab of the object properties.
  3. Only users with the entry R for the group rights object can see the available groups in the Security tab.
  4. Only users with the entry D in the rights rights object can change group rights of an object.

Impact of Jedox rights settings on Jedox Web objects

There are two levels on which Jedox rights settings impact the ability of a user to interact with Jedox Web objects: 1) a general level that is determined by a user's role and, based on that role, access to Jedox rights objects; and 2) a specific level for each given Jedox Web object that is determined by a user's group and based on that group's access to the given Jedox Web object.

General rights

These are the rights for databases, cubes, dimensions and dimension elements, assigned on the role level. They can be assigned or changed in the Role Manager with the appropriate permissions. The following rules apply:

  1. Only users with at least the entry R on the rights objects database, cube, dimension, and dimension element have permission to see elements. A user with entry R has permission to open, modify, and export workbooks, but not to save changes, create, copy, move, or delete workbooks.
  2. Only users with at least the W entry in the rights objects dimension and dimension element are allowed to change root directories, folders, or workbooks. Such users have permission to create, rename, and copy workbooks, but not to move or delete them.
  3. Only users with the D entry in the dimension rights object have permission to move and delete root folders, normal folders, and workbooks.
  4. Only users with at least the entry W in the database rights object can create and rename folder groups.
  5. Only users with the entry D in the database rights object can move or delete folder groups.

Note: you can also control the assignment of group rights in global connections through the "dimension element" rights object.

Specific Rights

These are the rights for Jedox Web objects. With the appropriate authorization, they can be assigned or changed for folders and files in the Designer by right-clicking on the object and selecting Properties→Security tab. The following settings are available in the Properties dialog:

  • Full Control
  • Write
  • Read

The following rules apply:

  1. User-specific rights cannot be assigned on items if the user's general rights do not permit it. For example, a user with only Read rights to the dimension and dimension element objects cannot be granted Write rights on a specific item in those objects.
  2. The highest item level in file hierarchies is the folder group. The rights that can be granted on a specific folder group are restricted by the user’s rights to the database rights object. A user with only Read rights to the database rights object cannot explicitly be granted Delete rights (i.e., full access) to some specific folder group. Note: the rights to items within folder groups are NOT restricted by a user's general rights to the database object.
  3. The next highest objects are the root folders. The rights that can be granted on a specific folder group are restricted by the user’s rights to the dimension rights object. A user with only Read rights to this object cannot explicitly be granted Delete rights (i.e., full access) to some specific folder group.
  4. Rights on specific items are generally inherited by those items' children. A user with Read rights on a specific folder group implicitly has read access to all items within this folder group.
  5. Rights set on specific items can be increased on these items' descendants. A user with Read rights on a specific folder group can be granted Write rights for the root folder within this folder group. The user would then be able to create and modify items within this root folder, but not within other root folders in the same folder group. A user with only Read rights on a folder group could still be granted Delete rights to a sub-folder.

Please note that the general rights for a role apply here.
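The rules above can be modeled as a small resolver. This is an added example, not Jedox code: it assumes the dialog settings map to Read = R, Write = W, Full Control = D, that a root folder is capped by the dimension rights object (following the folder group/database and root folder/dimension mapping given earlier), that folders and files are capped by the lower of the dimension and dimension element entries, and that an explicit grant on a descendant replaces the inherited level. All folder and file names are constructed.

```python
LEVELS = {"N": 0, "R": 1, "W": 2, "D": 3}
SETTINGS = {"Read": "R", "Write": "W", "Full Control": "D"}  # dialog setting -> level

def ceiling(depth, general):
    """Highest level that may be granted at this depth of the file hierarchy."""
    if depth == 0:                       # folder group <-> database
        return general["database"]
    if depth == 1:                       # root folder <-> dimension
        return general["dimension"]
    # Folders and files: lower of dimension / dimension element (assumption).
    return min(general["dimension"], general["dimension element"],
               key=LEVELS.__getitem__)

def rejected_grants(grants, general):
    """Paths whose requested setting exceeds the user's general rights."""
    return sorted(
        path for path, setting in grants.items()
        if LEVELS[SETTINGS[setting]] > LEVELS[ceiling(len(path) - 1, general)]
    )

def effective_right(path, grants):
    """Resolve the level on `path`: the nearest explicit grant applies,
    otherwise the level is inherited from the closest ancestor."""
    level = "N"                          # assumption: no grant anywhere means no access
    for depth in range(1, len(path) + 1):
        setting = grants.get(tuple(path[:depth]))
        if setting is not None:
            level = SETTINGS[setting]
    return level

# Constructed sample data: one user's general rights and specific grants.
GENERAL = {"database": "R", "dimension": "D", "dimension element": "D"}
GRANTS = {
    ("Finance",): "Read",
    ("Finance", "Budget"): "Write",
    ("Finance", "Budget", "Archive"): "Full Control",
}

if __name__ == "__main__":
    for item in [("Finance", "Sales", "q1.wss"),
                 ("Finance", "Budget", "plan.wss"),
                 ("Finance", "Budget", "Archive", "old.wss")]:
        print("/".join(item), "->", effective_right(item, GRANTS))
    print("rejected:", rejected_grants({("Finance",): "Write"}, GENERAL))
```

With only R on the database rights object, the Write grant on the folder group is rejected, while the Write and Full Control grants further down are accepted because items within a folder group are not restricted by the database entry.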

Scheduler

Access rights in the Scheduler component can be controlled just as in other components of Jedox Web. The entry in the ste_scheduler rights object (found in the Administration component, in the rights assigned to roles) determines which activities are allowed in the Scheduler component and whether tasks may be created.

Note: as of Jedox 7.1, the use of private tasks is no longer supported.

  • Users/Groups in roles with N (None) access rights for ste_scheduler are not allowed to see the Scheduler component and are not allowed to create tasks.
  • Users/Groups in roles with R (Read) access rights for ste_scheduler are allowed to see and execute tasks.
  • Users/Groups in roles with W (Write) access rights for ste_scheduler are allowed to see, execute, update tasks, and are allowed to add new tasks.
  • Users/Groups in roles with D (Delete) access rights for ste_scheduler are allowed to see, execute, update, and delete tasks, and are allowed to add new tasks.

Tasks are internally stored in a data cube, so a user viewing or updating tasks needs to have at least some basic rights for objects like dimensions, dimension elements, as well as cell data. For reading, R is sufficient; for adding and updating, W is needed; and deletion requires D.

You can also define task access rights (similar to access rights for workbooks, etc.). Each task in the Scheduler component has a Security tab, where you can define access to that task. If the setting on an individual task (e.g. read) conflicts with the given rights for ste_scheduler (e.g. write), the lower rights level takes precedence.
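When a Scheduler activity is refused, three places can be the cause: the ste_scheduler entry, the task's own Security setting, and the rights on the objects that store the task. The following added example (not Jedox code) reports which of them blocks each activity. It assumes the task setting is expressed with the same N/R/W/D letters and that executing a task needs the same data rights as viewing it; the sample role is constructed.

```python
LEVELS = {"N": 0, "R": 1, "W": 2, "D": 3}
# Minimum level each Scheduler activity needs, taken from the list above.
REQUIRED = {"see": "R", "execute": "R", "update": "W", "add": "W", "delete": "D"}

def blockers(ste_scheduler, task_setting, data_rights):
    """For each activity, name the entries that are too low to allow it.
    An empty list means the activity is permitted."""
    sources = {"ste_scheduler": ste_scheduler,
               "task Security tab": task_setting,
               **data_rights}
    report = {}
    for action, need in REQUIRED.items():
        report[action] = sorted(
            name for name, level in sources.items()
            # A new task has no Security tab yet, so it cannot block "add".
            if not (action == "add" and name == "task Security tab")
            and LEVELS[level] < LEVELS[need]
        )
    return report

# Constructed sample: data rights of one role on the objects that store tasks.
ROLE_DATA = {"dimension": "W", "dimension element": "W", "cell data": "W"}

if __name__ == "__main__":
    # Role has W on ste_scheduler, but this task's Security tab grants only R.
    for action, why in blockers("W", "R", ROLE_DATA).items():
        print(f"{action:8}", "allowed" if not why else "blocked by " + ", ".join(why))
```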

Updated March 27, 2024