1. Security Guide
  2. Retail Predictive Application Server Cloud Edition Security Features
  3. Compute Tier Security
  4. Authorization
  5. Workbook Template Security

Workbook Template Security

Workbook template access can be granted as Full Access or Read-Only. Full Access enables the user to build, open, modify, and commit the workbook. Read-Only access allows the user to open and view the workbook only. Workbook access is automatically granted to the user who builds a workbook, and the workbook can be shared by that user with other users in the system who are authorized to view that workbook and the data contained within it. The user who receives access to a shared workbook has the same access granted to the user on the workbook template. That is, Full Access users can modify and commit the shared workbook while Read-Only users can only view the workbook.

For guidance on assigning permissions to workbooks by role and group, see the Implementation Considerations chapter, section "Security," of each RPASCE Application's Implementation Guide. All recommendations in the guides are for the GA solution. If a customer chooses to customize permissions, keep in mind that the Principle of Least Privilege: only provide users with sufficient permissions to do their job and nothing more.

Note:

A user must have access to the workbook template in order to access the workbook, even if the workbook has world or group access rights.

A user’s workbook template access rights can be inherited from the user’s groups. If any group a user belongs to has Full Access to a workbook template, the user also has Full Access. If one or more of the user’s groups have Read-Only access and the others have no access, the user inherits the Read-Only access which is then combined with their own access rights to become the final access rights. That is, if the user themselves has no access rights, the heritance grants Read-Only rights. If the user themselves already has Read-Only or Full Access rights, the heritance has no effects.

By default, the group template rights inheritance is enabled. It can be turned on/off on a user-by-user basis through the “Manage Users” OAT task.

Users with administrator status automatically have access to all workbook templates. By default, administrators have access to all workbooks that are saved with world access. If a workbook is saved with group access, administrators can only access the workbook if they are members of the default user group of the user who saved the workbook.

Another aspect of workbook security is the ability to set limits for the number of workbooks that a user can have saved at any given time. Limits can be set for a user per template, for a user group per template, or for a template for all users. The limits are evaluated in the above order, which means that a limit defined at user-template overrides any values defined at group-template or template. If the above limits are not defined, the default value is one billion.

The limits are checked when the workbook build process is initiated. When the limit is reached, an error message displays informing the user that the workbook build process cannot complete because the limit has been reached. The message also lets the user know what that limit is. The wizard process then terminates.

Administrative users have full access to all workbook templates, regardless of the access rights that other administrative users may assign to them in the Security workbook. The administrative user can build the Security workbook to change the access right back, so the nominal assignment does not matter for administrative users.

Non-administrative users do not have access to the Security template and User Administration template groups even if the administrator inadvertently assigns them access rights.