Access to rights objects is granted through roles. Groups are assigned to these roles, and individual users are assigned to groups. If a user has access to a rights object, it is implied that this user is a member of a group that is assigned to a role with access rights to that rights object.
This rights chain is shown in the view of the following three cubes from the System database:
For more information, see Rights Objects in Jedox.
This cube establishes object rights. In the screenshot below, the rights objects are in range B7:B38 and the roles are in row 6. In this cube, empty cells have “N” rights.
For every rights object, the role “admin” has the highest access right: “delete” or “splash”. The user “admin” is firmly anchored in the system and cannot be altered. That is, the user “admin” cannot be deleted and its rights are firmly predetermined.
The roles “designer”, “etl”, “poweruser”, “editor”, and “viewer” have standard predetermined rights at first, but they can be adapted. In addition, further roles can be created.
This cube establishes group roles. In the screenshot below, the roles are in range B7:B12 and the groups are in row 6.
A group is allocated to a role by putting “1” into the cell. The group “admin” belongs to the role “admin”, and this assignment cannot be changed.
- A group should be allocated to only one role.
- If a user is a member of more than one group (see #_User_Group below), then all of those groups must have the same role.
This cube defines which group(s) a user belongs to. In the screenshot below, the groups are in range B7:B13 and the users are in row 6.
A user is allocated to a group by putting “1” into the cell.
A few notes about the administrator:
- The user “admin” belongs to the group “admin”, and this assignment cannot be changed.
- To be the administrator, a user must be in the “admin” group; the role “admin” alone is not enough.
- Only an administrator can assign the group “admin” and the role “admin”.
- Users who belong to the admin group can always see and edit cube data, even if appropriate rights for the group “admin” have been deleted.
Important note: a user can be a member of several groups. An operation such as reading a cell value is allowed for a user if the user is in at least one group with the required access rights.
Note that for cell data access, several rights definitions are combined for reading or writing (e.g. the “DefaultRight”, the rights on dimension element data, or the rights on cell data, which are described in Level 3 Access Rights within Specific Databases). Here, the rights of the user’s multiple groups are compared not object by object, but over the full rights sequence. For each of the user’s groups, there is one effective right for the cell data access in any specific case. Of these effective rights, at least one has to be as high as the right required for the operation.
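The evaluation order described in the note above, as an added example (not Jedox code): each group's rights sequence is reduced to one effective right first, and only then are the groups compared. The group names, object labels and rights values are constructed; the example assumes the rights levels ascend N < R < W < D < S and that the most restrictive entry of a sequence is the group's effective right, which the page does not state.

```python
# Added illustration; not Jedox code. Rights ascend N < R < W < D < S.
LEVELS = "NRWDS"
OBJECTS = ("default_right", "dimension_element", "cell_data")  # hypothetical labels

def rank(right):
    return LEVELS.index(right)

def effective_right(sequence):
    """One group's effective right for a cell.

    ASSUMPTION: the most restrictive entry in the sequence wins; the page
    only says the definitions are combined.
    """
    return min((sequence[o] for o in OBJECTS), key=rank)

def allowed(group_rights, user_groups, required):
    """Rule from the text: reduce each group's full sequence first, then
    require at least one group whose effective right meets the requirement."""
    return any(rank(effective_right(group_rights[g])) >= rank(required)
               for g in user_groups)

def allowed_object_by_object(group_rights, user_groups, required):
    """Mistaken model: best right per object across groups, then combine."""
    merged = {o: max((group_rights[g][o] for g in user_groups), key=rank)
              for o in OBJECTS}
    return rank(effective_right(merged)) >= rank(required)

# Constructed sample data: two hypothetical groups of one user.
GROUP_RIGHTS = {
    "sales":   {"default_right": "W", "dimension_element": "R", "cell_data": "W"},
    "finance": {"default_right": "R", "dimension_element": "W", "cell_data": "W"},
}
USER_GROUPS = ["sales", "finance"]

if __name__ == "__main__":
    for g in USER_GROUPS:
        print(g, "effective:", effective_right(GROUP_RIGHTS[g]))
    print("write, per group:", allowed(GROUP_RIGHTS, USER_GROUPS, "W"))
    print("write, object by object:",
          allowed_object_by_object(GROUP_RIGHTS, USER_GROUPS, "W"))
    print("read, per group:", allowed(GROUP_RIGHTS, USER_GROUPS, "R"))
```

In this sample neither group alone reaches “W”, so the write is denied, while merging the groups object by object would wrongly report it as allowed.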