Access Rights Within Specific Databases (Level 3)
Restriction of rights in specific databases can be assigned for standard value cells and attribute value cells. Note: the default right for access to standard value cells is spelled "DefaultRight" (one word, no space).
Standard Value Cells
The cubes for rights restrictions in each database for standard value cells are:
- #_CONFIGURATION
- #_GROUP_CUBE_DATA
- #_GROUP_DIMENSION_DATA_<Name of the dimension>
- #_GROUP_CELL_DATA_< Name of the cube>
Important: these restrictions refer only to the cell data rights object.
The values D, W, R, und N can be entered in these cubes, or the cells can be left empty. If there is no entry in the following cubes for a particular group, then the entry for DefaultRight of the cube #_CONFIGURATION is level 3 access rights for that group.
- #_GROUP_CUBE_DATA
- #_GROUP_DIMENSION_DATA_<Name of the dimension> ( n cubes for n dimensions)
- #_GROUP_CELL_DATA_< Name of the cube>
If there is any entry in one of these cubes for a particular group, then the default value of the cube #_CONFIGURATION is no longer applied and the lowest of all access rights entries in these cubes for that group is level 3 access rights.
Additionally, the DefaultRight setting will no longer influence the visibility of elements. To hide an element, N has to be set for either the element itself or one of its ancestor elements, either via user input or rule.
To be able to splash, a user must have at least W rights on levels 2 and 3, and S rights on the cell data object in cube #_ROLE_RIGHT_OBJECT.
To perform drillthrough on a value cell, a user must have at least R rights on the cell data.
#_CONFIGURATION Cube
In this user rights cube, the default right for users can be set regarding elements and cells in the corresponding database:
DefaultRight is set to D by default. This gives users the permission to delete, if that right is not restricted from the system rights cubes. This setting can be changed to W, R, or N.
For example, if it is changed to R, all users in this database will only have Read permission. For certain groups, this R right could be extended, e.g. to W. For such a group, all the entries of cubes #_GROUP_CUBE_DATA, #_GROUP_CELL_DATA, and #_GROUP_DIMENSION_DATA_<dimension name>_ will have to be set to W.
Semi-Additive Measures use a Time dimension and a Measure dimension. One dimension uses the TimeAggregation attribute, the other one uses the AggregationType attribute. In this case, a user needs rights on #_GROUP_DIMENSION_DATA_<dimension name>_ from the dimensions used. Additionally, they also need rights on #_GROUP_DIMENSION_DATA_#_#_CUBE__, because it controls the access to the TimeDimension and MeasureDimension elements, contained in the #_#_CUBE__ dimension.
If HideElements is set to Y, elements that are explicitly denied access to a given group (that is, N is defined for this element or a parent element in cube #_GROUP_DIMENSION_DATA_<dimension name>) will be hidden in a newly created view, or any listing of this dimension. The DefaultRight setting, however, does not influence the visibility of elements themselves.
Note: if users are allowed to change element rights and HideElements is active, those users can lock themselves out by setting the N access right to their own group. After this, the elements will be hidden and the users will have no possibility to re-assign the access rights to themselves.
Users in the admin group do not have these restrictions. They can always see elements, even if this right was removed for the admin group.
#_GROUP_CUBE_DATA Cube
In this user rights cube, standard rights regarding cubes for individual groups can be restricted but not extended.
#_GROUP_DIMENSION_DATA_< Name of the dimension > Cube
In this user rights cube, standard rights regarding dimension elements for individual groups can be restricted but not extended.
The following rules apply:
- The right for a child element is the same as that for the parent element, unless a different right was assigned explicitly.
- If an element has more than one parent, the least restrictive of the parent rights applies.
#_GROUP_CELL_DATA_< Name of the cube > Cube
In this user rights cube, standard rights for individual groups regarding each single cell of a cube can be restricted but not extended. There is no inheritance here. Use Jedox rules to manage inheritance for cell-based rights.
Attribute Value Cells
The user rights cubes for rights restrictions for attribute value cells in individual databases are:
- #_GROUP_DIMENSION_DATA_#_< Dimension name>_
- #_CONFIGURATION
The restriction of rights for attribute value cells works in a similar way as for standard value cells. However, the rights cannot be edited down to each single cube cell, but only to the level of attribute elements.
The user rights cubes for rights restrictions for attribute dimensions are named _GROUP_DIMENSION_DATA_#_#_<attribute name>__. For example: For example: #_CUBE_ is a system dimension. Its attributes dimension is #_#_CUBE__. The access rights cube of this attribute dimension is #_GROUP_DIMENSION_DATA_#_#_CUBE__.
Related links:
- Administration of User Rights
- Rights Objects in Jedox
- Access Rights for Server-Wide Objects (Level 1)
- Access Rights for Databases (Level 2)
- Advanced Database Properties
- Dimension Overview
Updated June 5, 2023