Authorization

This section deals with authorizing access.

Workbook Security

Currently, workbook access is either granted or denied. If users have been granted access to a workbook, they can open, modify, and commit the workbook. No distinction is made between read-write-commit, read-write, and read-only access. Workbook access is automatically granted to the user who builds a workbook, and it can be shared by that user with other users in the system who are authorized to view that workbook and the data contained within it. The user who receives access to a workbook has access to all data and operations within the workbook without limit.

For guidance on assigning permissions to workbooks by role and group, see the Implementation Considerations chapter, section "Security," of each RPASCE Application's Implementation Guide. All recommendations in the guides are for the GA solution. If a customer chooses to customize permissions, keep the Principle of Least Privilege in mind: give users only the permissions they need to do their job and nothing more.

Note:

A user must have access to the workbook template in order to access the workbook, even if the workbook has world or group access rights.

Users with administrator status automatically have access to all workbook templates. By default, administrators have access to all workbooks that are saved with world access. If a workbook is saved with group access, administrators can only access the workbook if they are members of the default user group of the user who saved the workbook.

Another aspect of workbook security is the ability to set limits for the number of workbooks that a user can have saved at any given time. Limits can be set for a user per template, for a user group per template, or for a template for all users. The limits are evaluated in the above order, which means that a limit defined at user-template overrides any values defined at group-template or template. If the above limits are not defined, the default value is one billion.

The limits are checked when the workbook build process is initiated. When the limit is reached, an error message displays informing the user that the workbook build process cannot complete because the limit has been reached. The message also lets the user know what that limit is. The wizard process then terminates.
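The following is an added example, not RPASCE code, that shows the precedence order just described as a small resolver and the build-time check that applies it. The dictionary keys, the `saved_counts` structure and the use of the user's default group as the group-template key are assumptions made for the example; the fallback value of one billion and the user > group > template order come from the text.

```python
# Default applied when no limit is defined at any level (from the text).
DEFAULT_WORKBOOK_LIMIT = 1_000_000_000


def effective_limit(limits, user, group, template):
    """Resolve the saved-workbook limit for a user building a template.

    limits is a constructed mapping with keys of three shapes:
      ("user", user, template)   limit for one user on one template
      ("group", group, template) limit for one user group on one template
      ("template", template)     limit for all users on one template
    The first key found wins, so a user-template limit overrides a
    group-template limit, which overrides a template limit.
    """
    for key in (("user", user, template),
                ("group", group, template),
                ("template", template)):
        if key in limits:
            return limits[key]
    return DEFAULT_WORKBOOK_LIMIT


def check_build_allowed(limits, saved_counts, user, group, template):
    """Gate the start of a workbook build on the resolved limit.

    saved_counts is an assumed mapping (user, template) -> number of
    workbooks that user currently has saved for the template.
    Returns (allowed, message); the message reports the limit so the
    user knows what it is, as the text says the wizard message does.
    """
    limit = effective_limit(limits, user, group, template)
    current = saved_counts.get((user, template), 0)
    if current >= limit:
        return False, (f"Cannot build workbook: the limit of {limit} saved "
                       f"workbook(s) for template '{template}' has been reached.")
    return True, ""


if __name__ == "__main__":
    # Constructed sample limits: one at each of the three levels.
    sample_limits = {
        ("template", "Plan"): 5,
        ("group", "merch", "Plan"): 10,
        ("user", "alice", "Plan"): 2,
    }
    sample_counts = {("alice", "Plan"): 2, ("bob", "Plan"): 7}
    for user, group in (("alice", "merch"), ("bob", "merch"), ("bob", "ops")):
        print(user, group, check_build_allowed(sample_limits, sample_counts,
                                                user, group, "Plan"))
```

Because the resolver stops at the first defined level, a looser template-wide limit never relaxes a tighter per-user one, which is the behaviour to verify when auditing a customized configuration.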

Administrative users have full access to all workbook templates, regardless of the access rights that other administrative users may assign to them in the Security workbook. The administrative user can build the Security workbook to change the access right back, so the nominal assignment does not matter for administrative users.

Non-administrative users do not have access to the Security template and User Administration template groups even if the administrator inadvertently assigns them access rights.

Position Level Security

Position Level Security allows access control for dimensions on a position-by-position basis. This capability is completely optional. If position level security is not explicitly defined and configured, all users in an application have access to all positions in all hierarchies. After position level security is defined, access to a position can be granted or denied for individual users, users in a group, or all users.

Position level security can be defined at levels at or above base (such as class in the product dimension) in any dimension other than calendar. As positions are added at a level lower in the dimension than where the position level security is maintained, access to those positions is automatically granted if a user has access to the parent position.

For example, if security is maintained at the subclass level, users are automatically granted access to all the SKUs in a given subclass if they have access to that subclass. This includes those that were added after security was established.

Exactly one level in each dimension can be defined as the security level for the dimension. If a security level is defined for the dimension, all levels in the dimension have position level security enabled, but access is maintained only at or above the designated level. For example, if the class level is designated as the security level, an administrator can maintain access to positions in the class level or at any level above class.

To specify the security level for a dimension, the application designer must update the configuration and either rebuild or patch the application. After a security level is defined for a dimension, all users in the application default to having access to all positions in any level in the dimension. Additionally, users automatically have access to newly added positions. Views in the Security Administration workbook are used to control position access for individual users, user groups, or all users (referred to as world or default access). Three views are provided in this workbook for each dimension with a defined security level. The default view controls access to positions for all users (for instance, Prod Security Default); one view controls access to positions by user group (for instance, Prod Security Group); and the last view controls access to positions by individual users (for instance, Prod Security User).

Access must be granted at all levels for a user to have access to a position. This means that a position must have a value of true at the levels default/world, group, and user. Table 4-1 demonstrates how access is granted or denied based on all combinations of settings.

In the table, security is set by Position. Denied = False and Granted = True. Based on the settings for User, User Group, and World, the user is either granted or denied access, as shown in the Resulting Access column.

Note:

A user can belong to multiple user groups (the user's primary group and other groups). At the user group level, the user is granted access as long as at least one of those groups is granted access.

Table 4-1 Granting Access

User       User Group   World     Resulting Access
Denied     Denied       Denied    Denied
Denied     Denied       Granted   Denied
Denied     Granted      Denied    Denied
Granted    Denied       Denied    Denied
Denied     Granted      Granted   Denied
Granted    Denied       Granted   Denied
Granted    Granted      Denied    Denied
Granted    Granted      Granted   Granted
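The following is an added example, not RPASCE code and not a description of its internals, that puts the rules of this section together: a position below the security level inherits the setting of its ancestor at that level, a position at or above the security level carries its own setting, every view defaults to Granted when nothing is maintained, the group level is satisfied by any one granted group, and the three levels are combined as in Table 4-1. The `Dimension` and `PositionSecurity` classes, the dictionary layout of the three views, and the product hierarchy (sku, subclass, class, dept) with positions K1, S1, C1, D1 and so on are all constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import product

GRANTED, DENIED = True, False


def resolve(user_setting, group_setting, world_setting):
    """Table 4-1: access results only when user, group and world are all Granted."""
    return user_setting and group_setting and world_setting


def table_4_1():
    """Enumerate all eight combinations of (user, group, world) with the result."""
    return [(u, g, w, resolve(u, g, w))
            for u, g, w in product((DENIED, GRANTED), repeat=3)]


@dataclass
class Dimension:
    """Assumed model: levels ordered from base (lowest) to top, one security
    level, and a constructed position hierarchy."""
    name: str
    levels: list          # e.g. ["sku", "subclass", "class", "dept"]
    security_level: str   # exactly one level per dimension
    level_of: dict        # position -> level name
    parent: dict          # position -> parent position (None at the top)

    def security_position(self, position):
        """Walk up to the ancestor at the security level. Positions at or above
        that level are maintained directly, so they are returned unchanged."""
        target = self.levels.index(self.security_level)
        pos = position
        while self.levels.index(self.level_of[pos]) < target:
            pos = self.parent[pos]
        return pos


@dataclass
class PositionSecurity:
    """Assumed representation of the three views for one dimension. A missing
    entry means no setting was maintained, which the text says defaults to
    access being granted (including for newly added positions)."""
    dim: Dimension
    world: dict = field(default_factory=dict)   # position -> bool          (Default view)
    group: dict = field(default_factory=dict)   # (group, position) -> bool (Group view)
    user: dict = field(default_factory=dict)    # (user, position) -> bool  (User view)

    def has_access(self, user, groups, position):
        pos = self.dim.security_position(position)
        user_ok = self.user.get((user, pos), GRANTED)
        # Any one granted group satisfies the group level; a user is assumed to
        # always have at least a primary group.
        group_ok = any(self.group.get((g, pos), GRANTED) for g in groups)
        world_ok = self.world.get(pos, GRANTED)
        return resolve(user_ok, group_ok, world_ok)

    def selectable(self, user, groups, positions):
        """The positions the wizard would offer this user for selection."""
        return [p for p in positions if self.has_access(user, groups, p)]


def build_sample():
    """Constructed product dimension with security at the class level."""
    prod = Dimension(
        name="prod",
        levels=["sku", "subclass", "class", "dept"],
        security_level="class",
        level_of={"K1": "sku", "K2": "sku", "S1": "subclass", "S2": "subclass",
                  "C1": "class", "C2": "class", "D1": "dept"},
        parent={"K1": "S1", "K2": "S2", "S1": "C1", "S2": "C2",
                "C1": "D1", "C2": "D1", "D1": None},
    )
    return PositionSecurity(
        dim=prod,
        world={"C2": DENIED},                 # nobody sees class C2
        group={("merch", "C1"): DENIED},      # group merch is denied class C1
        user={("carol", "C1"): DENIED},       # carol is denied class C1
    )


if __name__ == "__main__":
    sec = build_sample()
    all_positions = ["K1", "K2", "S1", "S2", "C1", "C2", "D1"]
    print("alice (merch, plan):", sec.selectable("alice", ["merch", "plan"], all_positions))
    print("bob (merch):", sec.selectable("bob", ["merch"], all_positions))
    print("carol (plan):", sec.selectable("carol", ["plan"], all_positions))
```

Note that SKU K1 is never maintained anywhere; its result is entirely that of class C1, which is the inheritance rule for positions added below the security level. Alice is in the denied group merch but also in plan, so she still sees C1, illustrating the note above the table.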

Position-level security is applied when a user selects positions in the wizard process before building a workbook. Only positions to which the user has access are available for selection in the 2-tree, and only the selected positions are included in the build of the workbook.