[Group Access] Checklist for Granting Edit Access to a Category
In Release 6.2.3, the constraint that required Category access in order to view or edit an individual Element or Dataset/User map has been removed.
Category security can still be granted to Groups or to individual Users and works as it always has: individual Users and Group members inherit the selected access to all Elements and Datasets in the Category. If the Category is directly assigned to a Power User, that user also receives Use Access to all Data Sources used by Elements within the Category.
The difference is that Category access is no longer required if Group or User access is granted to an individual Element or Dataset/User Map.
A Category may include a mix of associated Elements, Datasets, and/or User Maps, each of which requires specific Permissions and Privileges before Group Power User members can actually edit the objects and Regular User members can View them (no Edit Access is provided to Regular Users). Categories may include:
- Undimensioned and Dimensioned Elements sourced from:
  - Configurable Data Sources (SQL/Plug-in)
  - Non-Configurable Data Sources (CSV, Existing Metrics, Existing Reports, Single Existing Reports)
  - Aggregate Metric
- Datasets sourced from Configurable or Non-Configurable Data Sources
- User Maps sourced from Configurable or Non-Configurable Data Sources
In order to effect a Group's Edit Access to a Category, the Admin must ensure that Users within this Group have the required Privileges and Permissions. Reference the following sections covering Data Source and Dimensioned Elements requirements:
- Permissions that are granted automatically
- Use Access Permission for configurable Data Sources used by Elements, Datasets, or User Maps within the Category or any of its sub-Categories
- Dataset-related Privileges and Permissions
- Create content Privileges and Permissions required to edit Elements sourced from non-configurable Data Sources and/or Element or Dataset access to components of Composite Elements:
  - Privilege to Create Content using CSV file
  - Privilege to Create Content using Existing Metrics and Single Existing Reports as well as access to the source Element(s)
  - Privilege to Create Content using Existing Reports
- Access to the Dimension and at least one Dimension Value if any Category Elements are Dimensioned
1. Automatic Permissions Granted to Group (and inherited by Group Members)
Each of these permissions is automatic, but CONDITIONAL. Permissions are dependent upon the Group or its individual users being granted additional Permissions and Privileges as described in the sections that follow:
- Category elements: Edit Access to Power Users and only View Access to Regular Users
- Datasets and User Maps in the Category: Edit Access to Power Users and only View Access to Regular Users
- Ability for Group Power Users to Edit the Category itself and assign access to Groups of which the Power User is a member and to members of those Groups
Members must inherit or be granted the additional Privileges and Permissions as discussed in the sections that follow.
No Use Access Permissions to configurable Data Sources (SQL/Plugin) used by Category Elements, Datasets or User Maps are granted automatically to the Group members. An Admin must grant these Permissions manually to the Group or to its individual members.
2. Use Access Permission for configurable Data Sources used by Elements, Datasets or User Maps within the Category and its Sub-Categories
For a Group member Power User to receive the ability to edit Elements, Datasets, and User Maps in the Category, either the Group or the individual member Power User(s) must be given at least Use Access Permissions to one or more configurable Data Sources (SQL / Plugins) used by these objects.
To grant Use Access Permission to a Dataset's or Element's configurable Data Source:
- Access Dataset or Report/Metric Editor > Data tab
- In the Data Source field, click the Gear icon. You are redirected to the Data Source Editor.
- At the top right corner of the screen, click Permissions. In the opened pop-up, click [+ New Group to Data Source] and select the Group from the drop-down list.
3. Dataset Privileges and Permissions
If the Category contains Datasets and/or User Maps, as well as elements sourced from Datasets, additional Privileges and Permissions are required by Group Members. For more details, see below:
3.1. Dataset-Related Privileges
Group Power Users must have the following Privileges:
- Create content using Datasets
- Create Dataset
To assign these privileges to the Group:
- Open the Group Editor > Info tab
- In the Privileges section click [+ Privilege to Group]. The pop-up opens.
- Select required Privileges from the list
[Save]
3.2. Category Elements Sourced from Datasets
Although Group Power User members are automatically granted Edit Access to Datasets and User Maps in the Category, they are not granted access to Datasets from which Category elements are sourced (unless those Datasets are also in the same Category). For elements sourced from other Datasets not in the Category, the Admin must grant the Group or individual Group Members at least View Access to the Dataset from which Category elements are sourced:
- Access the Group Editor > Datasets tab
- Click [+ Dataset access to Group]. The Add Dataset Access to Group pop-up opens.
- Choose the required Dataset from the Name field
- Typically set Group members can edit dataset to 'no', since only View Access is required; at the discretion of the Admin, Edit Access may be assigned.
[Save]
Note: Regular Users also need View Access to source Datasets in order to View Category Elements, Datasets or User Maps sourced from other Datasets.
3.3. Category Datasets with User Map
Group Members do not automatically receive an entry in a User Map associated with a Category Dataset or with another Dataset used as a source for a Category element.
This requirement is relevant only if a User Map is applied to a Category Dataset or element sourced from a Dataset with a User Map:
Group members must have either:
- Power User members only. Edit Access to the Dataset (inherited from the Group or granted independently), thus receiving access to all of the Dataset's Data
- All members with Dataset View Access. At least one entry in any related User Map should be applied to each Group member, both Regular and Power Users
For more details refer to: Create a User Map and Apply a User Map to a Dataset.
4. Non-configurable Data Source requirements
If elements, Datasets or User Maps in the Category are sourced from one or more non-configurable Data Sources, the Group or individual member Power Users must be granted the respective Privileges and/or Permissions to make it possible to edit the related object.
To learn about the nature of non-configurable Data Sources, refer to: Understanding Data Sources.
4.1. CSV file
Group or individual Power Users must have the following Privileges:
- Create content using CSV files
To assign this privilege to a Group:
- Open the Group Editor > Info tab
- In the Privileges section click [+ Privilege to Group]. The pop-up opens.
- Select the required Privilege from the list
[Save]
4.2. Composite Elements and Datasets/User Maps Sourced from Non-Configurable Data Sources
Category contents may be sourced from one or more of the following Non-Configurable Data Sources; if so, associated Privileges and Permissions are required as described below for the Group or its individual Power User members.
Existing Metrics:
- Privilege granted on the Group Editor: Create content using Existing Metrics
- Each member of the Group must have View access to the source Metric(s) given at Group Editor > Elements tab > [+ Element access to Group].
Existing Reports:
- Privilege granted on the Group Editor: Create content using Existing Reports
- Group members are NOT required to have View access to the source Report(s). This is an exception to the source element rules.
Single Existing Report:
- Privilege granted on the Group Editor: Create content using Single Report
- Each member of the Group must have View access to the source Report given at Group Editor > Elements tab > [+ Element access to Group].
Aggregate Metric:
- No Privilege is required; this is automatically granted to each Power User.
- Each member must have View Access to the source Metric from which it is aggregated.
Multi-Metrics:
- No Privilege is required.
- May not be used as a source for Datasets or User Maps.
- Each member of the Group must have Permission to View source elements of any Multi-Metrics and Composite elements in this Category, including Metrics that have been aggregated
5. Dimensioned Elements
If elements within the Category are dimensioned, each member of this Group must be granted access to at least one Dimension Value of the Dimensions associated with elements from the Category or to the whole Dimension in order to View or, for Power Users, edit the element.
This can be done at one of the following places:
- User Editor > Dimensions tab > [Dimension access to User]
- Dimension Editor > Access > Permissions > [New User access to Dimension]
For more details, refer to: Dimension Security
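The checklist in sections 2 through 5, written out as an added example (not product code and not the product's API): a small model that lists what a Power User Group member still lacks to edit one Category Element, useful for reviewing a planned grant before making it in the editors. The class and field names and the sample objects are assumptions made for the illustration, and User Map entries (section 3.3) are not modeled.

```python
# Added illustration: a model of the checklist, not the product's API.
# All class and field names here are constructed for the example.
from dataclasses import dataclass, field

# Source type -> (required Privilege or None, View access to source needed?)
NON_CONFIGURABLE = {
    "csv": ("Create content using CSV files", False),
    "existing_metrics": ("Create content using Existing Metrics", True),
    "existing_reports": ("Create content using Existing Reports", False),  # exception
    "single_existing_report": ("Create content using Single Report", True),
    "aggregate_metric": (None, True),
}

@dataclass
class Member:  # effective rights of one Power User (Group grants + individual grants)
    privileges: set = field(default_factory=set)
    data_sources: set = field(default_factory=set)  # Use Access to Data Sources
    viewable: set = field(default_factory=set)      # View access to source Elements/Datasets
    dimensions: set = field(default_factory=set)    # whole Dimension or >= 1 Dimension Value

@dataclass
class Element:
    name: str
    source_type: str                  # "configurable", "dataset" or a key above
    sources: tuple = ()               # Data Source, Dataset or Element names
    dimension: str = None
    source_in_category: bool = False  # source Dataset lives in the same Category

def missing_for_edit(member, el):
    """Return the checklist items the member still lacks to edit el."""
    gaps = []
    if el.source_type == "configurable":            # section 2
        gaps += [f"Use Access: {s}" for s in el.sources if s not in member.data_sources]
    elif el.source_type == "dataset":               # sections 3.1 and 3.2
        if "Create content using Datasets" not in member.privileges:
            gaps.append("Privilege: Create content using Datasets")
        if not el.source_in_category:
            gaps += [f"View Access: {s}" for s in el.sources if s not in member.viewable]
    else:                                           # section 4
        privilege, needs_view = NON_CONFIGURABLE[el.source_type]
        if privilege and privilege not in member.privileges:
            gaps.append(f"Privilege: {privilege}")
        if needs_view:
            gaps += [f"View Access: {s}" for s in el.sources if s not in member.viewable]
    if el.dimension and el.dimension not in member.dimensions:  # section 5
        gaps.append(f"Dimension access: {el.dimension}")
    return gaps
```

An empty list means every modeled prerequisite is met; each returned string names the grant to add in the Group, Data Source or Dimension editor.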