Security System

Users are allowed to perform an operation on an object when they:

• belong to a User Group that is assigned to that object, either directly or indirectly by inheritance
• are assigned to a Role within the User Group that allows the requested operation on the requested object subtype

Objects inherit the User Group assignments of their containing objects, unless the User Group is explicitly unassigned from a particular object. If you assign a User Group to a Domain, that User Group also has access to everyDomain and Application Area in the Domain and every object definition in every Domain and Application Area, including every Work Area, and every object instance in every Work Area. However, users can perform only the operations defined by their Role(s) in the User Group.

You can unassign a User Group from an object at any level, in which case any objects it contains are also no longer assigned that User Group.

Outputs—reports, report sets, data marts, and visualizations—inherit their User Group assignments from the object instance that generates them (Programs, Report Sets, Data Marts, and Business Areas, respectively). Object instances inherit their User Group assignments from their containing Work Area. Therefore you can grant Consumers (end users) access to outputs by assigning them to a User Group that is assigned to the Production Work Area of the appropriate Application Area.

See Designing a Security System for further information.