Access permissions are assigned to a security role to determine access to scorecards, initiatives, and measures. Restrictions and permissions are cumulative, meaning that the total of all restrictions and permissions is used. After the results for all permissions are evaluated, an authorization and priority level is generated. A high priority level overwrites a low one. For example, if a security role has Grant All and Deny All access, the user can see all scorecards because Grant All has a higher priority level than Deny All.
Because you can apply multiple, sometimes conflicting, permissions and restrictions to a security role, authorization rules apply, based on the permission result. See Table 1 and Table 2.

Table 1. Scorecard Access Permissions

| Permission | Result if condition satisfied | Result if condition not satisfied |
|---|---|---|
| No permission | 6 — Deny All | – |
| Grant access to all scorecards | 5 — Grant All | – |
| Grant access to all Strategy elements scorecards only | 3 — Grant Group | 4 — Deny Group |
| Grant access to all scorecards in Domain | 3 — Grant Group | 6 — Deny All |
| Grant access to this scorecard | 1 — Grant Single | 6 — Deny All |
| Deny access to this scorecard | | 6 — Deny All |
| Deny access to all scorecards in Domains | 4 — Deny Group | 6 — Deny All |
| Deny access to all scorecards | 2 — Deny Single (if no associated employee, else see below) | 4 — Deny Group |
| Unless the scorecard is the user's primary scorecard | 3 — Grant Group | – |
| Unless the scorecard is an Accountability element scorecard owned by the user | 3 — Grant Group | – |
| Unless the scorecard is a child of an Accountability element scorecard to which the user has access | 3 — Grant Group | – |
| Unless the scorecard is a parent of an Accountability element scorecard to which the user has access | 3 — Grant Group | – |
| Unless the scorecard is an Accountability element scorecard and the user is a member of that element | 3 — Grant Group | – |
| Unless the scorecard is a Strategy element scorecard to which the user belongs | 3 — Grant Group | – |
| Unless the scorecard is a child of a Strategy element scorecard to which the user has access | 3 — Grant Group | – |
| Unless the scorecard is a parent of a Strategy element scorecard to which the user has access | 3 — Grant Group | – |
| Unless the scorecard is an employee scorecard for which the user is the manager | 3 — Grant Group | – |

Table 2. Measure Access Permissions

| Permission | Result if condition satisfied | Result if condition not satisfied |
|---|---|---|
| No permission | 6 — Deny All | – |
| Implicit: Grant access if user is result collector of the measure | 1 — Grant Single | – |
| Implicit: Grant access if user is target setter of the measure | 1 — Grant Single | – |
| Grant access to all Measures | 5 — Grant All | – |
| Grant access to all Measures in Domain | 3 — Grant Group | 6 — Deny All |
| Grant access to this measure | 5 — Grant All | 6 — Deny All |
| Deny access to this measure | 1 — Grant Single | 6 — Deny All |
| Deny access to all measures in Domain | 3 — Deny Group | 6 — Deny All |
| Deny access to all measures | 2 — Deny Single (if no associated employee, else see below) | 4 — Deny Group |
| Unless measure owner | 3 — Grant Group | – |
| Unless measure is from an accessible scorecard | 3 — Grant Group | – |
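
The following added example (not code from the product or its documentation) shows how conflicting scorecard permissions on one security role resolve to a single result, using five rows of Table 1. It assumes that the lower level number is the higher priority, which is inferred from the statement that Grant All (5) outranks Deny All (6); the `Scorecard` class, the rule names, and the sample data are hypothetical.

```python
from dataclasses import dataclass

# Result levels from Table 1. Assumption: the lower number is the higher
# priority, inferred from the page's example (5 Grant All beats 6 Deny All).
LEVELS = {1: "Grant Single", 2: "Deny Single", 3: "Grant Group",
          4: "Deny Group", 5: "Grant All", 6: "Deny All"}

@dataclass(frozen=True)
class Scorecard:  # hypothetical model, not the product's data structure
    name: str
    domain: str
    is_strategy: bool = False

# permission kind -> (condition, level if satisfied, level if not satisfied).
# None means Table 1 lists no result for that case. `arg` is the domain or
# scorecard name the permission was assigned with.
RULES = {
    "grant_all":      (lambda sc, arg: True,             5, None),
    "grant_strategy": (lambda sc, arg: sc.is_strategy,   3, 4),
    "grant_domain":   (lambda sc, arg: sc.domain == arg, 3, 6),
    "grant_this":     (lambda sc, arg: sc.name == arg,   1, 6),
    "deny_domain":    (lambda sc, arg: sc.domain == arg, 4, 6),
}

def effective_access(permissions, scorecard):
    """Return (level, label, allowed) for one role on one scorecard."""
    results = []
    for kind, arg in permissions:
        condition, satisfied, not_satisfied = RULES[kind]
        level = satisfied if condition(scorecard, arg) else not_satisfied
        if level is not None:
            results.append(level)
    best = min(results, default=6)  # "No permission" row: 6 Deny All
    return best, LEVELS[best], LEVELS[best].startswith("Grant")

# Constructed sample data: two scorecards in one domain, one role.
SALES = Scorecard("EMEA Sales", "EMEA")
OPS = Scorecard("EMEA Ops", "EMEA")
ROLE = [("deny_domain", "EMEA"), ("grant_this", "EMEA Sales")]

if __name__ == "__main__":
    for sc in (SALES, OPS):
        print(sc.name, effective_access(ROLE, sc))
```

Under this ordering, a single-scorecard grant (1) outranks a domain-wide deny (4), so when reviewing a role, check its grant entries as well as its deny entries before concluding that a scorecard is blocked.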