Permission Inclusion and Cascading

When you grant a permission at a higher level, such as Owner, it includes all of the permissions at lower levels, such as Participant. Additionally, permissions cascade from higher-level data chain objects, such as applications and dimensions, to the hierarchy sets and node types that they contain.

Best Practice

A best practice is to assign permissions at the most general level first (for example, at the application or dimension level), and then to assign permissions at more specific levels (such as hierarchy sets or node types) only if there are specific business requirements that must be met.

Permission Inclusion

There are three permission levels that you can assign to data objects:

  • Owner
  • Data Manager
  • Participant

    Note:

    The Participant permission automatically grants Read data access to a data chain object. You can modify the permission to grant Write data access to data chain objects by selecting the allowed actions and property access for that object. See Configuring Data Access.

When you assign a higher level permission (such as Owner) to a user or group, that grant includes all of the lower level permissions (Data Manager, Participant (Write), and Participant (Read)). You do not need to assign a user or group multiple permissions on the same data object.

To illustrate this concept, think of permission levels as a set of concentric circles, where each circle has its own set of permissions, plus the permissions of all of the circles included within it, as follows:

  • Participant (Read): Grants the ability to Read nodes and properties
  • Participant (Write): Includes Read access, and adds the ability to Write to nodes and properties
  • Data Manager: Includes Read and Write access, and adds Data Synchronization features such as importing, exporting, and configuring subscriptions.
  • Owner: Includes Read, Write, and Data Synchronization, and adds the ability to Configure the data model and Assign permissions.
Diagram: concentric circles showing Participant (Read), Participant (Write), Data Manager, and Owner

Applications and dimensions support all permission levels, while hierarchy sets and node types support the Participant permissions only. You can further refine the Participant permission by specifying data access to a hierarchy set or node type. See Configuring Data Access.

Permission Cascading and Data Objects

Permissions also cascade from applications to dimensions, and then to hierarchy sets and node types.

  • Permissions assigned to an application will be applied to all dimensions in that application. For example, in the following image, if you assign Data Manager permission to a user on the application, that user will have Data Manager permission on Dimension A and Dimension B as well.
  • Permissions assigned to a dimension will be applied to all node types and hierarchy sets in that dimension. For example, in the following image, if you assign a user Participant (Write) permission on Dimension A, that user will have Participant (Write) permission on both Hierarchy Set 1 and Node Type 1.

The following diagram illustrates these concepts:


Graphic: cascading permissions as described in the list above

Note:

You can also assign the Owner permission to a view. However, data access is controlled at the data object (application, dimension, hierarchy set, and node type) level. The Owner permission on a view enables a user to configure the view and to assign the Owner permission to other users and groups for that view, but it does not grant access to the data objects in that view.
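For an access review, the inclusion and cascading rules above can be modeled to compute each user's effective permission on a data object. The following is an added example, not code from the product or its documentation. The users, the grants, "View 1", and the function names are constructed, and it assumes that when several grants apply along the data chain the highest one wins and is reported unchanged on the child object.

```python
# Added example: models the inclusion and cascading rules described on this page.
# Users, grants and "View 1" are constructed sample data, not a product export.
LEVELS = ["Participant (Read)", "Participant (Write)", "Data Manager", "Owner"]
RANK = {name: i for i, name in enumerate(LEVELS)}
# Capability added by each level; a level includes everything listed before it.
ADDS = ["Read", "Write", "Data Synchronization", "Configure and Assign"]

# Data chain from the page's example (child -> parent). Views are not in it.
PARENT = {"Dimension A": "Application", "Dimension B": "Application",
          "Hierarchy Set 1": "Dimension A", "Node Type 1": "Dimension A"}
DATA_OBJECTS = set(PARENT) | {"Application"}
PARTICIPANT_ONLY = {"Hierarchy Set 1", "Node Type 1"}

GRANTS = {  # (user, object) -> directly assigned level (constructed)
    ("alice", "Application"): "Data Manager",
    ("bob", "Application"): "Participant (Read)",
    ("bob", "Dimension A"): "Participant (Write)",
    ("carol", "View 1"): "Owner",  # view ownership only, no data access
}

def check_grant(obj, level):
    """Reject a direct grant that the object type does not support."""
    if obj in PARTICIPANT_ONLY and RANK[level] > RANK["Participant (Write)"]:
        raise ValueError(f"{obj} supports the Participant permissions only")

def effective_level(user, obj, grants):
    """Highest level held on a data object, directly or by cascade."""
    if obj not in DATA_OBJECTS:
        return None  # views carry no data access
    best, node = None, obj
    while node is not None:  # walk up: node type -> dimension -> application
        level = grants.get((user, node))
        if level and (best is None or RANK[level] > RANK[best]):
            best = level  # assumption: the highest grant on the chain wins
        node = PARENT.get(node)
    return best

def capabilities(level):
    """Capabilities included in a level (the concentric circles)."""
    return ADDS[: RANK[level] + 1] if level else []

if __name__ == "__main__":
    for (user, obj), level in GRANTS.items():
        check_grant(obj, level)
    for user in ("alice", "bob", "carol"):
        for obj in sorted(DATA_OBJECTS):
            level = effective_level(user, obj, GRANTS)
            print(f"{user:6} {obj:16} {level} {capabilities(level)}")
```

Users whose effective level on a hierarchy set or node type comes only from an application-level grant are the ones to review first when checking for over-broad access.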