EDM Lab – Control User Access

September 28, 2020

Enterprise Data Management has slightly different security settings compared with other EPM Cloud solutions. There are three levels of role access. We will take a look at each of these levels in this post.


First Level Role – Service Roles from My Services

The first level role is set up on the My Services page. When you add a user, you will specify a user name, email, and so forth. You will also have the ability to define the user’s roles for particular services. You can assign the identity domain administrator role to a user, so that the user can add other users, remove users, change user roles, etc.


After that, you set up the service level roles. When you provision someone with a service administrator role, you’re provisioning them by instance.


Add users to an identity domain with roles:

  • Service Administrator
  • User


As a Service Administrator, you have full control of the EDM application. If you are not a service administrator for a particular instance, then by definition you are just a regular user.


Second Level Role – Provisioning Roles in EDM

The second level is provisioning users with additional roles in a particular instance of EDM.

Click Access Control. Select the Assign Application Roles tab.


Users that have been added to the identity domain and provisioned with a global role, either service administrator or user, are now available in this access control module. You can provision them with three additional roles:

  • Application Creator: When you go through the registration process for an application, the Register button is only available to users with the application creator role or a service administrator.
  • Auditor: This role enables you to view changes made to data in all applications. However, it does not grant the ability to make any changes to data.
  • View Creator: With this role, the Create View button is available, allowing you to create views.


Third Level Role – Data Object Roles in EDM

The third level of provisioning is specific to particular data objects. You can assign four permission levels. You assign these permissions on applications, dimensions, hierarchy sets, and node types.


Permissions secure access to data objects and data using the following levels (each level is listed with the object types it can be assigned on):

  • Owner: Application, Dimension, View
  • Data Manager: Application, Dimension
  • Submitter: Application, Dimension, Hierarchy Set, Node Type
  • Browse: Application, Dimension, Hierarchy Set, Node Type


The owner permission for an application lets users reregister the application, manage its data objects, and assign permissions for the application’s data objects to other groups and users.

The data manager permission for an application gives users the rights to import, export, and update data for all dimensions in the application.

The submitter permission for an application lets users create a new request or act as a request assignee for any dimension in an application.

The browse permission gives users the right to browse a viewpoint that contains data for any dimension in the application.


For example, set up permissions at the Application level.


Set up permissions at the Dimension level.


Set up permissions at the View level.

You can only assign the owner permission for a view, which enables the assigned user or group to configure the view and to assign the owner permission to other users and groups for that view. Save the assigned permissions for the view, and close the View Inspector.


Set up permissions at the Hierarchy Set level.


Set up permissions at the Node Type level.


Permission Cascading

Permissions cascade from higher to lower levels. When you assign a permission level on a data object to a user, that user is also granted all of the lower permission levels on that data object.


For example, granting a user the data manager permission on a dimension also grants the submitter and browse permissions on that dimension.


Permissions also cascade from applications to dimensions, and then to hierarchy sets and node types.

For example, if you assign a user submitter permission on a dimension, that user will have submitter permission on both the hierarchy sets and the node types that belong to that dimension.
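As an added example (not Oracle's code and not part of the original post), the following Python models the permission levels listed for each object type above and the two kinds of cascading described in this section, then resolves a user's effective permissions on an object, including grants that arrive through group membership. The object names, user names, group name and action names are constructed; two modelling choices are assumptions of the example rather than statements from the post: only levels that exist for an object type are reported on objects of that type, and views receive direct grants only (they are not in the application-to-dimension cascade chain).

```python
"""Toy model of EDM data-object permissions and their cascading (added example).

Rules encoded from the post:
  * Owner > Data Manager > Submitter > Browse; a grant at one level implies
    every lower level on the same object;
  * grants flow down the object tree application -> dimension ->
    hierarchy set / node type;
  * each object type only accepts certain levels (the post's table).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterator, Optional

LEVELS = ["Owner", "Data Manager", "Submitter", "Browse"]  # highest first

# Levels that may be assigned on each object type (from the post's table).
ASSIGNABLE = {
    "Application": {"Owner", "Data Manager", "Submitter", "Browse"},
    "Dimension": {"Owner", "Data Manager", "Submitter", "Browse"},
    "View": {"Owner"},
    "Hierarchy Set": {"Submitter", "Browse"},
    "Node Type": {"Submitter", "Browse"},
}

# Minimum level needed for the actions the post describes (action names are ours).
ACTIONS = {
    "reregister": "Owner",
    "assign permissions": "Owner",
    "import data": "Data Manager",
    "export data": "Data Manager",
    "create request": "Submitter",
    "browse viewpoint": "Browse",
}


@dataclass(frozen=True)
class DataObject:
    kind: str
    name: str
    parent: Optional["DataObject"] = None  # containing object, if any

    def __post_init__(self) -> None:
        if self.kind not in ASSIGNABLE:
            raise ValueError(f"unknown object type {self.kind!r}")

    def chain(self) -> Iterator["DataObject"]:
        """This object followed by its ancestors up to the application."""
        node = self
        while node is not None:
            yield node
            node = node.parent


class PermissionModel:
    def __init__(self) -> None:
        self._grants = defaultdict(set)  # (principal, object) -> levels assigned directly
        self._groups = defaultdict(set)  # user -> groups the user belongs to

    def add_to_group(self, user: str, group: str) -> None:
        self._groups[user].add(group)

    def assign(self, principal: str, obj: DataObject, level: str) -> None:
        """Direct grant, as done in the inspector; rejects levels the type lacks."""
        if level not in ASSIGNABLE[obj.kind]:
            raise ValueError(f"{level} cannot be assigned on a {obj.kind}")
        self._grants[(principal, obj)].add(level)

    def effective_levels(self, user: str, obj: DataObject) -> set:
        """Levels the user holds on obj after both kinds of cascading."""
        principals = {user} | self._groups[user]
        held = set()
        for principal in principals:
            for ancestor in obj.chain():  # object-tree cascade
                for level in self._grants.get((principal, ancestor), ()):
                    held.update(LEVELS[LEVELS.index(level):])  # level-ladder cascade
        # Assumption: report only levels that exist for this object type.
        return held & ASSIGNABLE[obj.kind]

    def can(self, user: str, obj: DataObject, action: str) -> bool:
        return ACTIONS[action] in self.effective_levels(user, obj)

    def who_can(self, users, obj: DataObject, action: str) -> list:
        """Entitlement review: which of these users can perform action on obj."""
        return sorted(u for u in users if self.can(u, obj, action))


def build_sample():
    """Constructed sample: one application, one dimension and its children."""
    app = DataObject("Application", "Planning")
    dim = DataObject("Dimension", "Account", app)
    hset = DataObject("Hierarchy Set", "Account Hierarchy", dim)
    ntype = DataObject("Node Type", "Account Node", dim)
    view = DataObject("View", "Account View")  # assumption: direct grants only
    model = PermissionModel()
    model.add_to_group("bob", "Finance Analysts")
    model.assign("alice", app, "Owner")                    # cascades everywhere below
    model.assign("Finance Analysts", dim, "Data Manager")  # group grant on the dimension
    model.assign("carol", hset, "Browse")
    model.assign("dave", view, "Owner")
    return model, app, dim, hset, ntype, view


if __name__ == "__main__":
    model, app, dim, hset, ntype, view = build_sample()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, {o.name: sorted(model.effective_levels(user, o)) for o in (app, dim, hset, ntype, view)})
    print("can browse the hierarchy set:", model.who_can(["alice", "bob", "carol", "dave"], hset, "browse viewpoint"))
```

Running the file prints the resolved levels for the constructed sample. The `who_can` helper is the kind of entitlement review worth running before granting Owner at the application level, since that single grant cascades down to every dimension, hierarchy set and node type beneath it, and `assign` rejecting a level that an object type does not have mirrors what the inspector lets you pick.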


I hope this has given you some ideas on how to provision users and groups with roles and how to assign permissions to objects. Till next time.
