Category Security (Release 5.3)

Effects of Category Security on various types of Users are as follows:

  • Administrators (Admins) have no restrictions as to Category functionality
  • Regular Users (RU’s)  have only View access to elements and Datasets assigned to the Category
  • Power Users (PU’s) have either View or Edit Access to Categories
  • Groups have either View or Edit Access to Categories

Overview

In Release 5.3.0, expanded Security functionality is applied to  PU's.  Previously, a PU could use any Category when creating an object.  When 5.3.0 is implemented, PU’s may only edit objects when they have access to their assigned Category and can only assign Categories to which they have Edit Access.

Category Security can be applied to:

  • Groups for inheritance by members of the Group
  • Individual RUs
  • Individual PU's

Security in 5.3.0  allows a customer to limit the Categories that a given PU can use when creating elements and other objects that fetch data or select content to be included, including:

  1. All types of Elements
  2. Datasets and User Maps
  3. Folder Content
  4. Burst Content
  5. Favorites Content
  6. Slide Show Content

Privileges

By default, all PU’s automatically have the implicit Privilege to Create Categories. There is only one explicit Category-related Privilege that can be granted to Groups or Individual PU's is “Allow Power Users to grant Category access to any User or Group.”  

Permissions

There are two types of Permissions that may be granted to Categories, one by one:

  • View Access to allow RU or PU to View objects assigned to the Category and include Category elements in Folders, Favorites and Bursts
  • Edit Access to allow PU’s to:
    • Edit objects assigned to the Category, subject to object-level Security
    • Edit the Category itself
    • Assign the Category to objects that PU creates or Edits

Permissions are granted on:

  1. Group Editor  > Elements tab > Categories section
  2. User Editor > Elements tab > Categories section
  3. Category Editor > Permissions button
Granting Privilege to a PU - from Group or User Editor

It can only be granted to Groups and/or Power Users.  It is independent of any other Privileges and applies only to PU's.

  1. A PU with only the default, implied Create Category Privilege can:
    1. Create a new Category
    2. Be granted View or Edit Access Permission to one or more specific Categories via the Group, User or Trigger Editor
    3. Assign Use or Edit access to Triggers that the PU creates or has been given/inherited Edit Access to:
      • Groups of which PU is a member
      • Groups to which PU has Edit Access
      • Other PU members of those Groups
  2. With the Extended Security Privilege, PU can assign View or Edit Access to Categories to any Groups or other PU's as long as the PU has created the Category or to which the PU has been given/inherited Edit Access
Granting Permissions - Content > Categories > select a Category > Open Category Editor using Name Link
  1. On the Category Editor, click the Permissions button to open the Categories Permissions pop-up
  2. On the Permissions pop-up, PU with Edit Access can grant View or Edit Access to:
    1. Groups and PU members of Groups to which PU belongs and Groups which PU can edit
    2. With the Extended Security Privilege, any Group or user
  3. If View Access is granted to a Group or individual RU or PU ("Grant conditional edit permission to PU = N"):
    1. RU or PU can View objects assigned to the Category
    2. If the object is a Composite; i.e., sourced from one or more elements or Datasets, except SQL Reports, the user must also have at least View access to the Component elements or source Dataset
    3. RU’s and PU’s  can open a Dataset's or User’s Map Viewer if the User has at least view access to its source
  4. If Edit Access is granted directly to a Power User (option is not available for RU’s), this Permission:
    1. Provides Edit Access to any child or “nested” Categories of the selected Category
    2. Allows PU to manage the Category from its Editor by:
      • Editing settings
      • Assigning Permissions
      • Deleting the Category
    3. Grants Use Access to configurable Data Sources used by elements within the Parent Category
    4. Allows PU to open the element or Dataset's Viewer if the User has at least View Access to any component elements or source Datasets
    5. Excludes (these must be granted explicitly to an individual PU to or Groups to which the PU belongs)
      • Permission to Use Configurable Data Sources used by Datasets or User Maps in the Category
      • Privileges to Create Content using the non-Configurable Data Sources used by elements, Datasets and User Maps within the Category
      • Expanded Security Privileges related to elements, Datasets and User Maps within the Category
      • Use Access to configurable Data Sources used by objects within any child or nested Category
      • Access to Dimensions used by the Category’s elements   (see Dimension Security 5.3.0 for more information)
      • View Access to component elements or source Datasets
  5. If  Edit Access is granted to a Group:
    1. Power User members receives all of the above capabilities except automatic Use of Configurable Data Sources used by the Category’s elements
      1. All exclusions listed above are applicable and must be manually granted
    2. Regular User members receive only View Access as described above and require Dimension and component View Access to have full View Access

Either type of Category Access may be granted to a Group from the Group Editor > Elements tab by:

  1. An Admin
  2. A Power User with Edit Access to the Group, limited to Categories to which the PU has Edit Access

ONLY Admins may use the User Editor > Elements tab to grant Category Access to individual users.  A PU may receive either Edit or View access.  A RU may only receive View Access.

Changes to a Category’s contents

If a new element with a new Configurable Data Source is added to the Category at some time after the Power User has been explicitly granted Category Edit Access, use of this  Data Source will NOT be automatically granted to the Power User.  

  • Access to the new configurable Data Source must be granted manually
  • All related "excluded" Privileges and Permissions must be granted manually

It is always possible to remove Category Access from the Power User and then re-grant it, thus allowing the Power User to gain use of additional configurable Data Sources.

Removal of Category Edit Access from a Power User

  • Use of its related configurable Data Sources is NOT taken away from that Power User
1. Category Editor (Admin > Categories)

1.1. Category List

  1. The grid only shows Categories to which the PU has full Edit Access
  2. If a PU has been given access to a child or grandchild Category explicitly; i.e., not through inheritance from the parent, he will not see the parent listed in the grid (only the nodes to which he has been given or has inherited Edit Access)
  3. If a PU has Edit Access to a parent Category, he will automatically see all children and grandchildren since access is inherited

PU’s always have the Categories option in their Content menu to allow access to [Add New Category] button

1.2. Category Editor

  1. PU's with Edit Access can access a specific Category's Editor from:
    1. Content menu > Categories > click on a Category name in the list box
    2. Category Editor > Edit icon to right of Category text box
  2. On the Editor, a PU can:
    1. Make changes to the settings
    2. Use the Permissions button to grant Category Access
    3. Delete the Category
    4. Add another Category

Impact on Other Editors:

2. Group Editor (Admin menu > Groups)

PU's with the Privilege to Create Groups or Permission to  edit a specific Group may grant access to Categories on the Group Editor > Elements tab:

  1. Select  the [+ Category  to Group] to open the Add Category to Group pop-up
  2. Select a Category from drop-down -  the PU will only see Categories  to which he has Edit Access
  3. Grant Access to be inherited by the Group's members
    • View Access to any member ("Grant conditional edit permission to Pu members = No")
    • Edit Access to only PU members
  4. Save
3. Element Editors accessed by PU's

3.1. Existing Element Editors

  1. PU can open an existing element’s Editor only with Edit Access to its currently assigned Category
    • If a PU attempts to access an existing Editor without Edit Access to its Category, a standard Error Page is presented to advise the PU to contact an Admin for access.
  2. Before a PU can access the Editor of an existing element, the user must also have:
    • At least View access to the Component elements or source Dataset, including each Multi-Metric’s charted Metrics
    • Permission View at least one Dimension Value for any Dimensioned object
    • Permission to Use the object’s configurable Data Source
    • Privilege to “Create content using” the object’s non-configurable Data Source:
      • CSV files
      • Datasets
      • Existing Datasets
      • Existing Metrics
      • Single Existing Report
      • Existing Reports
      • Exception:  User is not required to have View or Edit access to the source SQL Report
  3. The Category drop-down list is limited to Categories to which Power User has Edit Access.   Categories to which PU does not have Edit Access are not shown in the drop-down or chosen control list; i.e., are hidden from the list.

3.2. New Element creation

  1. PU can assign a Category to which he has Edit Access to any new element
  2. A PU may always create a new Category, even if the PU does not have Edit Access to any existing Category
  3. If the PU fails to select a Category for a Metric or Internal Report, the system automatically selects the first Category; i.e., selected from a list in alphabetical order,  to which the PU has Edit Access.  Exceptions:
    • Metrics and Dataset Reports created from the Dataset Viewer receive the Category of the source Dataset
    • Multi-Metrics, External Reports and External Content do not receive a default category; a Category must be selected before the element can be saved
    • When External Reports are being “bulk added”, PU must assign a Category before proceeding
4. Datasets

4.1. Prerequisites for Edit Access

If the Category contains Datasets and/or User Maps or elements sourced from Datasets, additional requirements for Power User Edit Access to these objects are described below:

  1. Privileges Power User must have:
    1. Create content using Datasets
    2. Create/Edit Datasets
  2. Permissions Power User must have:
    1. Configurable Data Source Use Access to the configurable Data Source (SQL / Plugin) used by the Dataset or User Map
    2. Non-configurable Data Source Privilege and Permission requirements
      • If there are Datasets or User Maps in the Category are sourced from one or more non-configurable Data Sources, the Power User must be granted:
        1. Privilege to create Content using each on the Non-Configurable Data Sources
        2. Source Dataset View Access

4.2. Editing or Creating Datasets (Content or New menu > Datasets)

  1. The Category drop-down list is limited to Categories to which Power User has Edit Access
  2. PU can edit any of the displayed Categories by clicking the Edit (gear) icon displayed next to the Category setting
  3. PU has the option to Create a New Category
5. Bursts (Content > Bursts > Add new Burst button

Both Regular and Power Users have the automatic Privilege to create Bursts and edit those that he/she created or to which user has been granted Edit Access.  

  1. Users can add any elements to which user has full View Access.   
    1. If the user is missing some Permissions to view elements, the element will not be listed
  2. Tiles may be filtered by either Favorite Folders or those Categories to which the User has Use Access (Tile Selection)
  3. User can select any Folder to which he has at least View Access (Folder Selection)

 
      

6. Folders (New menu > Folder)

6.1. Creating a New Folder

Both Regular and Power Users with the “Create Folders” Privilege can create a folder and associate elements to which user has at least full View Access.

All defined Categories are available for filtering, but only those elements that User has View Access to and any required Permissions will display on the left

6.2. Editing Existing Folders (Content menu > Folders)


 
      

On the Folder Editor > Sharing tab, Users or Groups may be granted Permission to Add/Remove Content. Users with this Permission can edit Folders other than those that they created.

  • For PU's, the list of Users/Groups available for sharing depends on whether or not the PU has the extended Folder Security Privilege.
  • PU's without the extended Folder Security and all RU's are limited to Groups to which the user is a member and other members of those Groups