To prevent functions from providing secure information to unauthorized users, functions must have Read Data permissions on their source category data.
For example, if a function calculates the Total Expenses by adding the R&D expenses and the marketing expenses, the function needs Read Data permission for both the R&D Expenses and Marketing Expenses categories.
To set function permissions when you create a function, assign a user from one of the existing users in the system to the function. The function will have the same permissions to access data as the selected user.
By default, the function has the same permissions as the user who originally defined the function on the data source. The following are examples of when the permissions of the user who created the category should be changed:
- The user who defined the function might have permissions that can be used to expose sensitive data in the system. In such a case, the definer of the function will purposefully use a known or a made up user who has a more restricted set of permissions.
- The user who defined the function might have limited permissions that are not enough to access the needed sources. For example, a programmer from the IT department may define a category using a function that calculates the Marketing department's budget. It is likely that the programmer doesn't have Read permission on the budget's components of the Marketing department's items. Therefore, the Marketing department personnel, who are authorized to view the budget, need to assign the budget category's function permissions. They do so by using the name and password of a user who has the appropriate permissions.
To make changes to a function's permissions, you need Admin permissions on the category.