Rights Objects in Jedox
Jedox uses rights objects for granting access for general functionality to user roles. This article gives an overview of available rights objects and describes the default rights given to roles after a standard installation.
See Administration of User Rights for the chain of rights (right objects > roles > groups > users) used in Jedox.
See Specific Rights in Jedox Web for an explanation of how rights objects relate to actions in Jedox Web components Reports and Designer.
audit
Controls access to the component "Audit" of Jedox Web and to the "Audit data" in Jedox OLAP cells.
N: | Users have no access to this component. |
R: | Users are allowed to view the "Audit data" in Jedox OLAP cells. |
D [W]:1 | Users have full access to this component. Additionally to view the audit data in Jedox OLAP cells, they can define the audit settings for various cubes per databases (i.e. should audit be enabled for a given cube, and how far back should audit data go). |
cell data
Controls general access to the data cells in all cubes on the system. Some exceptions apply, e.g. for attribute cubes; see documentation of other rights objects.
N: | Users are not allowed to view any cell data in any cube. |
R: | Users are generally allowed to read cell data. |
W: | Users are allowed to edit base-level cell data. |
D: | Users are allowed to delete base-level cell data (i.e. write 0 as value into cells). Note that, if the User should also be able to clear complete cubes, he also needs "D" access on the "cube" right object. |
S: | Users are allowed to splash values on consolidated-level cells (including 0). |
Related rights objects: cube
cell data hold
Controls the ability for users to set a "hold" on a cell or cube slice. See Setting Holds and Using the Hold Manager for more information. Note that in addition to the rights set out in the cell data hold object, individual permissions on cells and cubes may affect a user's ability to use this feature. See Rights with Impact on Jedox Web for details.
N: | Users have no access to hold features or to the Hold Manager. |
R: | Users can view a list of holds via the Hold Manager, unless other access restrictions on the cell or cube prevent it. |
W: | Users can set and view holds. |
D: | Users can release, set, and view holds. |
cube
Controls general access to cubes in OLAP databases. Access to data in specific cubes can be restricted within databases.
N: | Users can not use any cubes at all. This prevents access to all data provided in cubes. |
R: | Users are allowed to see cubes, but not edit them. Note: This only concerns the cube objects themselves, not contents like cells etc. |
W: | Users are allowed to edit (rename) cubes. |
D: | Users are allowed to delete cubes. This right is also required if a user attempts to completely clear a cube. Users are allowed to convert cubes to run with Jedox OLAP Accelerator (GPU). |
database
Controls general access to databases in OLAP.
N: | Users are not allowed to see any databases. |
R: | Users are allowed to see databases, but not edit them. Note: This only concerns the database objects themselves, not contents like cubes etc. |
W: | Users are allowed to edit (rename) database. |
D: | Users are allowed to delete databases. |
dimension
Controls general access to dimensions in OLAP databases. Note: this only concerns the dimension objects themselves, not their contents (such as elements).
N: | Users are not allowed to see dimensions. |
R: | Users are allowed to see dimensions, but not edit them. Users are allowed to change attribute values on dimensions.* |
W: | Users are allowed to see, create and edit (rename) dimensions. |
D: | Users are allowed to see, create, edit (rename), and delete dimensions. |
*Editing attribute values also requires at least "R" access on the object "cube" and "W" access on "dimension element".
Related rights objects: cube, dimension element, cell data
dimension element
Controls general access to elements in database dimensions.
N: | Users are not allowed to see elements in dimensions. |
R: | Users are allowed to see elements in dimensions, but not allowed to edit them. |
W: | Users are allowed to see, create and edit (rename) elements in dimensions. Users are allowed to create attributes on dimensions, and to edit attribute values*. |
D: | Users are allowed to see, create, edit (rename), and delete elements in dimensions, as well as attributes.* |
*Creating and editing attributes also requires at least "R" access on the objects "cube" and "dimension". Editing attribute values also requires at least "R" access on the objects "cube" and "dimension".
You can also control the assignment of group rights in global connections through the dimension element right object.
Related rights objects: cube, dimension
drillthrough
Controls whether users are allowed to send Drillthrough requests via Supervision-Server.
N, R, W: | Users are not allowed to send Drillthrough requests. |
D: | Users are allowed to send Drillthrough requests. |
event processor
Controls usage of the "event processor" parameter in Writeback requests to the OLAP server. This parameter allows users to circumvent triggering Supervision Server (SVS) when changing cube data.
N [R, W]:1 | Users are not allowed to circumvent SVS events. |
D: | Users are allowed to circumvent SVS events. |
group
Controls the handling of groups in the OLAP server.
N: | Users have no access to #_GROUP_ dimension. |
R: | User can see "group" objects in the #_GROUP_ dimension of System DB (or any other DB), but cannot edit / delete them. |
W: | Users are allowed to change "group" objects (rename users) and create new groups. |
D: | Users are allowed to delete groups. |
Related rights objects: user, password, rights
list
Controls general access to lists in OLAP databases. Note: this only concerns the list objects themselves, not their contents (such as elements).
N: | Users are not allowed to see lists. |
R: | Users are allowed to see lists, but not edit them. |
W: | Users are allowed to see, create and edit (rename) lists. |
D: | Users are allowed to see, create, edit (rename) and delete lists. |
Note: When defining "Calculation" blocks in a list, the data retrieved in the calculation is governed by the access rights of the user who uses the list in a View. That is, if a calculation block retrieves data from some cube cell or slice to which the user does not have access, an error will be shown in the View using the list.
Related rights objects: cube, dimension, dimension element, cell data
password
Controls the handling of passwords on the OLAP server. Users are always allowed to change their own password.
Retrieval of passwords can be enabled by setting the palo.ini optionenable-password-retrieval. If set, users with R rights for the password object are able to retrieve passwords. Passwords are stored in hashed form, not in plain text.
N: | Users have no rights on passwords. They cannot see or edit them. |
R: | Users have no rights on passwords. They cannot see or edit them. |
W: | Users are allowed to read and change passwords for other users, but not delete them. |
D: | Users are allowed to delete and change passwords. |
Note: Further roles can also be created. The roles etl and designer have the default access right on password set to N.
Related right objects: user, group, cube, rights.
rights
N: | Users are not allowed to access rights-related structures. |
R: | Users are allowed to read rights-related structures. Users are allowed to see System database. |
W: | Users are allowed to edit rights-related structures, e.g. set database-specific rights in #_GROUP_DIMENSION_DATA cubes*. This includes ability to change settings for a users own group, or role. |
D: | Users are allowed to delete rights related structures. Users are allowed to view the "Security" dialog for objects (files, folder etc.) in Jedox Web and edit the security settings. |
*Editing data in those cubes requires at least "R" access on the rights objects "dimension" and "dimension element".
Note: when #_Rights cell property is checked in a View, calculated List items will be locked for non-admin users.
Related rights objects: user, group, password
rule
Controls the access to cube rules
N: | Users are not allowed to access list of rules on a cube Note: rules will still be used in calculations requested by this user. |
R: | Users are allowed to access list of rules on a cube, but can’t edit them. |
W: | Users are allowed to create and edit rules. |
D: | Users are allowed to delete rules. |
ste_analyzer
This rights object is obsolete as of Jedox 2020.3. It will be removed in a future version.
ste_conns2
Controls access to the Connection Manager component of Jedox Web.
N: | Users are not allowed to access Connection Manager. |
D [R, W]:1 | Users have full access to Connection Manager. |
Note:to work in Connection Manager, the user’s role also must have full access (D) on the objects "user", "group", "password" and "rights".
Related rights objects: user, password, group, rights
ste_etl2
Controls access to the component Integrator of Jedox Web.
N: |
Users can execute and monitor loads or jobs. They are not allowed to access the Integrator component. |
R: |
Users are allowed to display Jedox Integrator (ETL) projects or components. Furthermore they can execute and monitor loads or jobs. |
W: |
Users are allowed to create and edit Jedox Integrator (ETL) projects or components and to perform test and data preview. Furthermore they can execute and monitor loads or jobs. In order to create Jedox Integrator (ETL) Tasks additional authorization for the component Scheduler is required (right object ste_scheduler). |
D: |
Users have full access to the component Integrator. They are allowed to create, edit, and delete Jedox Integrator (ETL) projects or components and to perform test and data preview. Furthermore they can execute and monitor loads or jobs. In order to create Jedox Integrator (ETL) Tasks additional authorization for the component Scheduler is required (right object ste_scheduler). |
ste_files2
Controls visibility of the Designer component of Jedox Web. To set rights to access files indirectly (such as through Integrator functions that load files into Designer, or the Upload Action), you must also set the user role's rights in ste_storage.
N: | Users are not allowed to view the Designer component. |
D [R, W]:1 | Users can view Designer component. Access to files, either through Designer or other Jedox components, must be set in ste_storage. |
ste_licenses2
Controls access to the component "Licenses" of Jedox Web.
N: | Users have no access to this component. |
R: | Users are allowed to view the component "Licenses", but they are not allowed to add, activate, remove or assign licenses. |
D [W]:1 | Users have full access to this component. |
Related rights objects: system operations, ste_sessions.
ste_logs2
Controls access to the Logs component of Jedox Web.
N: | Users have no access this component. |
D [R, W]:1 | Users have full access to this component. |
ste_mobile2
Controls access to the Mobile Touch Interface of Jedox Web (used for Browsers on Tablets and handheld devices).
N: | Users have no access this component. |
D [R, W]:1 | Users are allowed to use the Mobile Touch interface. |
ste_packages2
Controls access to the component "My Models" of Jedox Web.
N: | Users have no access to this component. |
R: | Users are allowed to see the panel "My Models" and the list of installed models. They are able to check for updates, but they are not able to install, uninstall or modify models. |
D [W]:1 | Users have full access to this component. They are able to install, update and uninstall models. |
You can restrict RPC calls by using ste_files and ste_packages rights objects. It is possible to provide different access levels to packages, variables, script execution, and other aspects of models.
ste_palo2
Controls access to the component Modeler of Jedox Web.
N: | Users are not allowed to the component Modeler of Jedox Web. |
D [R, W]:1 | Users are allowed to access the component Modeler of Jedox Web with generally full capabilities (may be restricted on specific items). |
You need at least R rights on ste_palo (and, optionally, on ste_files) if you access the File Manager from the Modeler for tasks such as database scripts or backing up files. This allows you to restrict access to the Designer and Reports while still allowing access to the Modeler.
ste_perf2
Controls access to the component "Performance" of Jedox Web.
N: | Users have no access to this component. |
R: | Users are allowed to view results of the component "Performance". |
D [W]:1 | Users have full access to this component. Note that currently there are no specific capabilities for full access. |
ste_reports2
Controls access to the component Reports of Jedox Web.
As of Jedox Version 7.1, the read access ("R") and the write access ("W") have changed.
N: | Users are not allowed to see the component Reports. |
R: |
Users are allowed to access the component Reports in "user" mode. You can browse report groups and hierarchies, and open reports, but can’t modify Report group contents. As of Jedox Version 7.1, the options to export a report as WSS file, as XLSX OLAP snapshot, or to create batch XLSX tasks are now disabled. The option to export as XLSX snapshot is still available. Note: If a user only has access to the "Reports" module, and there only "R" access, end-user mode should be used. |
W: | As of Jedox Version 7.1, write access allows additionally the following options to the read access: to export a report as WSS file, as XLSX OLAP snapshot, or to create batch XLSX tasks. However, this user will still see the hierarchies in the Reports panel in read mode, meaning that report hierarchies cannot be changed, added, or new reports created. |
D: | Users are allowed to access the component Reports in "admin" mode. He can browse report groups and hierarchies, and open reports. Additionally, he can modify Report group contents. |
ste_repository2
Controls access to the component "Marketplace" of Jedox Web.
N: | Users have no access to this component. |
R: | Users are allowed to browse the Marketplace panel, but can’t install any of the available models. |
D [W]1 | Users have full access to this component. They are allowed to install models from the Marketplace. Note that if a model executes database scripts during installation, the user running the installation also must have all OLAP rights required for the commands in the scripts. This usually means that rights for creating databases, dimensions, cubes, elements, rules etc. will be required. |
ste_scheduler2
Controls access to the the component Scheduler of Jedox Web9).
N: | Users are not allowed to access the component Scheduler, and they are not allowed to create tasks in other components. |
R: | Users are allowed to access the the component Scheduler for reading, and they are allowed to execute tasks*. |
W: | Users are allowed to access the component Scheduler. They are allowed to execute tasks, and furthermore they are allowed to create and edit global tasks. |
D: | Users are allowed to access the component Scheduler. They are allowed to execute, create and edit tasks, and furthermore allowed to delete global tasks. |
*For more information on access rights in the component Scheduler of Jedox Web, see article "Specific Rights in Jedox Web".
Related rights objects: ste_reports, ste_etl
ste_sessions2
Controls access to the component "Sessions" of Jedox Web.
N: | Users have no access this component. |
R: | Users are allowed to view the component "Sessions", but they are not allowed to close sessions or to stop running jobs |
D: | Users have full access to this component. |
Related rights objects: system operations, ste_licenses
ste_settings2
Controls access to the component "Settings" of Jedox Web.
N: | Users have no access to this component. |
R: | Users are allowed to view the component "Settings", but they are not allowed to add, edit or remove settings. |
D [W]:1 | Users have full access to this component. |
ste_storage2
This object controls the user role's ability to access files in Designer indirectly, via other Jedox functionalities (such as Integrator projects that load files to Designer or Upload Actions). The existing rights object ste_files continues to control the visibility of Designer. An Upload Action now works in end-user mode.
The rights object ste_storage is automatically created when OLAP starts. When the object is created, it copies the rights from ste_files except when ste_files is set to N (no rights); in that case, ste_storage is set to R (read).
N: | Users are not allowed to access files. |
R: |
Users can view files accessed indirectly, but not write to or delete them. |
W: | Users can read and write to files accessed indirectly. |
D: | Users have full access to files accessed indirectly, including deleting them. |
ste_users2
Controls access to the User Manager, Group Manager, and Role Manager component of Jedox Web.
N: | Users are not allowed to access User / Group / Role Manager. |
D [R, W]:1 | Users are allowed to access User / Group / Role Manager with generally full capabilities (may be restricted on specific items). |
Note: To work in User Manager, the user’s role also must have full access (D) on the objects "user", "group", "password" and "rights".
Related rights objects: user, password, group, rights
sub-set view
Controls access to stored subsets, and stored views, on the OLAP server. If users have R rights or higher on "sub-set view", OLAP implicitly assigns R rights to the "user" and "group" rights objects.
Stored subsets and views are saved as elements in internal dimensions of the database. Thus, the user needs to have R rights on "dimension element" to access them. Higher rights (W or D) on "dimension element" are no longer required to create or modify stored subsets and views.
N: | Users are not allowed access to stored subsets and stored views. |
R: | Users are allowed to read stored subsets, both private and global subsets and views. |
W: | Users can create and edit private subsets and views. |
D: | Users can create, edit, and delete private and global subsets and views. |
Related rights objects: user, group, dimension element
system operations
Controls access to the following items on administrative level:
- #_CONFIGURATION cubes of databases
- System-related OLAP server operations
- Monitoring information (sessions, jobs)
N: | Users have no access to system operations*. |
R: | Users have read access to system operations, i.e. is allowed to retrieve system monitoring information. |
W: | Users are allowed to edit #_CONFIGURATION cubes. Users are allowed to execute the following OLAP API methods: /cube/save, /database/save, /server/save. Users are allowed to close sessions and to stop jobs. |
D: | Users are allowed to commit and to rollback changes on "Undo" areas, which have been defined by other users. Users are allowed to remove licenses. Users are allowed to execute following OLAP API methods: /server/shutdown, /svs/restart, /cube/load, /cube/unload, /database/load, /database/unload. |
*Exception: all users always can retrieve data from #_CONFIGURATION cubes, regardless of what is defined as access right.
Related rights objects: ste_licenses, ste_sessions
user
Controls access to the #_USER_ dimension in the system database, which is used to handle users in the OLAP server.
N: | Users have no access to #_USER_ dimension.* |
R: | Users can see "user" objects in the #_USER_ dimension of System DB (or any other DB), but cannot edit/delete them. |
W: | Users are allowed to change "user" objects (rename users) and create new users. |
D: | Users are allowed to delete users. |
* The #_USER dimension is also necessary for storing and reading so-called local subsets, i.e., subsets that are private to each user. If users have R rights or higher on "sub-set view" but N rights on "user", the OLAP server behaves as if the user had R rights for that subset. The user rights in this case do not have to be changed explicitly by the designer or administrator.
Related rights objects: password, group, rights, sub-set view
user info
Controls the access to objects (databases, dimensions, cubes) of type "user info". Access to any data in cubes of this type is governed by this rights object. This is normally not relevant in end-user scenarios.
N: | Users have no access to user info objects*. |
R: | Users have read access to user info objects. |
W: | Users have write access to user info objects. |
D: | Users have delete access to user info objects. |
*Even with N access, every user is still generally allowed to access user info objects created by Jedox Web (necessary for access to the components Reports and Designer and other Metadata).
1If a setting is noted in square brackets in the following list, it is possible to use it, but achieves the same setting as the one before the square brackets, which is recommended. For example: N [R, W]: in this case, N, R, W would have the same described effect, but it is recommended to only use N.
2Rights objects with the prefix "ste_" control access to various components of Jedox Web. For these objects, it is relevant what the license assigned to a user permits. For example, while the user might have sufficient access to an ste_ rights object to view its corresponding panel in Jedox Web, that user may still be prohibited from using that component based on the license that has been assigned. The same is true if a license grants access but the rights object access does not.
Updated June 5, 2023