Configuring Data Access

For users with Participant permission, data access enables you to specify which actions they can take and which properties they can view or edit for specific data chain objects.

You can specify access to data in two ways:

  • Allowed Actions: You can specify the actions that can be performed on a data chain object in a request.
  • Property Access: You can specify which properties are displayed or hidden, and which properties are able to be edited for a data chain object.

By default, when you assign the Participant permission to a user or group, their data access is set to Read. This means that their allowed actions on the data chain object are set to None, and their property access is set to Display only. If you grant the participant any allowed action or Edit access on at least one property, their data access changes to Write for that data chain object.

The following table lists the data access for allowed actions and property access that you can set on each data chain object for users with Participant permission.

Table 20-2 Data Access on Data Chain Objects

Data Chain Object Allowed Actions Property Access
Application
  • None
  • All
  • Display All
  • Edit All
Dimension
  • None
  • All
  • Display All
  • Edit All
Hierarchy Set
  • None
  • All
  • Specified
    • Insert
    • Move
    • Remove
    • Reorder

Not applicable

Note:

You cannot set access to properties at the hierarchy set level. Use one of the other data chain objects, such as node type, to control access to properties.
Node Type
  • None
  • All
  • Specified
    • Add
    • Delete
  • Display All
  • Edit All
  • Specified
    • Display
    • Edit
    • Hide

Considerations

  • Data access can be configured for users with Participant permission only. Users with Owner or Data Manager permission on a data chain object are automatically granted All access to all actions and properties on that data chain object. For example, Owners and Data Managers are always able to see properties that are set to Hidden.
  • For applications and dimensions, you can specify only All or None for the allowed actions and Display All or Edit All for the property access. If you want to specify more granular actions or property access, such as allowing only adds and deletes or displaying only certain properties, you must specify those at the hierarchy set or node type level.

    Note:

    This means, for example, that a property cannot be hidden at the application or dimension level. You hide properties at the node type level only.
  • You cannot assign Edit access to properties that are never editable (for example, those in the Core namespace other than Core.Name or Core.Description, or any properties in the CoreStats namespace). You also can't set the Core.Name property to Hide.

Data Access Cascading

Just as with permissions, data access cascades from higher to lower level data chain objects (for example, if a user has an allowed action of Add in a dimension, they can add in the hierarchy sets and node types in that dimension.) See Permission Inclusion and Cascading.

For allowed actions and editable properties, the least restrictive setting is used. For example, if a user has no allowed actions at the dimension level but an allowed action of Add at the node type level, that user can perform add actions for that node type.

For hidden properties, the most restrictive setting is used. If a property is hidden on a node type, that setting overrides any other permission. For example, if a user with Participant permission has Display All on an application's properties but the Cost Center property is hidden at the node type, that user is unable to see that property in a viewpoint.

Configuring Data Access

  1. Inspect the data chain object that you want to configure data access for:
  2. On the Permissions tab, click Edit.
  3. Perform an action:
    • To edit a permission:
      1. For the permission that you want to modify, perform either one of these actions to display the data access panel:
        • In the Data Access column, click the permission level (Read or Write)
        • In the Actions column, click actions and select Edit Actions.
      2. In the Data Access for Participants panel, select the Allowed Actions and Displayed Properties settings for the user or group. See the Table 20-2 table, above, for details on what settings can be applied for each data chain object.
      3. Click Apply, and then click Save.
    • To remove a permission: In the Actions column, click Action menu, and then select Remove.

As an example, the following screenshot shows a Participant permission configured with Add as an allowed action, the CoreStats.Parent and Core.Description properties set to Display, the PLN.Alias:Default property set to Hide, and the PLN.Data Storage set to Edit.

screenshot shows the Data Access panel with the settings described above