Setting Permissions for Presentation Layer Objects

You can apply access control to restrict which individual users or application roles (groups) can access particular presentation layer objects.

For example, you can provide read-only access to a set of presentation tables for a particular application role, read-write access for a second application role, and no access for a third application role. See Granting Permissions To Users Using Groups and Application Roles.

You can also use the Identity Manager to set up privileges and permissions. The Identity Manager is useful for setting permissions for individual application roles to many objects at once, unlike permissions in the Presentation layer, which you can only set for one object at a time. See Setting Up Object Permissions and Applying Data Access Security to Repository Objects.

You can control what level of privilege is granted by default to the AuthenticatedUser application role, which is the default application role associated with new repository objects. To do this, set the DEFAULT_PRIVILEGES parameter in the NQSConfig.INI file.

To set permissions for presentation layer objects:

  1. In the Presentation layer, double-click a presentation object, such as a subject area, table, column, or hierarchy.
  2. In the General tab, click Permissions.
  3. In the Permissions dialog, any users or application roles with the Default permission do not appear in the User/Application Roles list. Select Show all users/application roles to see users and application roles with the Default permission.

    In online mode only, by default, no users are retrieved, even when Show all users/application roles is selected. Click Set online user filter to specify the set of users you want to retrieve.

    The filter is empty by default, which means that no users are retrieved. Enter * to retrieve all users, or enter a combination of characters for a specific set of users, such as A* to retrieve all users whose names begin with the letter A. The filter is not case-sensitive.

  4. For each user and application role, you can allow or disallow access privileges for this presentation object by selecting one of the following options:
    • Read. Only allows read access to this object.

    • Read/Write. Provides both read and write access to this object.

    • No Access. Explicitly denies all access to this object.

    • Default. The permission is inherited from the parent object. For subject areas, because they are a top-level object, Default is equivalent to the permission granted to the AuthenticatedUser application role.

  5. Click OK.
  6. Click OK in the Properties dialog for this presentation object.
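The following added example (not Oracle code) models how the Default permission described in step 4 resolves through parent objects, so you can list which objects a role reaches only by inheritance. The object names, the Analysts and Admins roles, and the assumption that an unset AuthenticatedUser permission on a subject area falls back to the DEFAULT_PRIVILEGES value are constructed for illustration.

```python
# Added example: simplified model of "Default" permission inheritance.
# Object names, roles and explicit grants below are constructed sample data.
DEFAULT = "Default"
AUTH_USER = "AuthenticatedUser"

# child -> parent; subject areas are top-level objects (parent None)
PARENT = {
    "Sales": None,
    "Sales.Orders": "Sales",
    "Sales.Orders.Revenue": "Sales.Orders",
    "Sales.Customers": "Sales",
    "Sales.Customers.Email": "Sales.Customers",
}

# Explicit choices made in the Permissions dialog; anything absent is Default
EXPLICIT = {
    ("Sales", "Analysts"): "Read",
    ("Sales.Orders.Revenue", "Analysts"): "No Access",
    ("Sales.Customers", "Admins"): "Read/Write",
}

def effective(obj, principal, default_privileges="Read"):
    """Return (permission, where it was set) after following Default upward."""
    node = obj
    while True:
        perm = EXPLICIT.get((node, principal), DEFAULT)
        if perm != DEFAULT:
            return perm, node
        if PARENT[node] is None:
            # Subject area: Default equals the AuthenticatedUser permission
            perm = EXPLICIT.get((node, AUTH_USER), DEFAULT)
            if perm != DEFAULT:
                return perm, f"{node} ({AUTH_USER})"
            # Assumption: otherwise the DEFAULT_PRIVILEGES setting applies,
            # written here with the dialog's labels rather than INI syntax
            return default_privileges, "DEFAULT_PRIVILEGES"
        node = PARENT[node]

def inherited_grants(principal, default_privileges="Read"):
    """Objects the principal can access without an explicit grant on them."""
    found = []
    for obj in PARENT:
        perm, source = effective(obj, principal, default_privileges)
        if perm != "No Access" and source != obj:
            found.append(obj)
    return sorted(found)

if __name__ == "__main__":
    for role in ("Analysts", "Admins"):
        print(role, inherited_grants(role, default_privileges="No Access"))
```

Comparing the output for a permissive and a restrictive default shows how many objects depend on the AuthenticatedUser default rather than on an explicit grant.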

Generating a Permission Report for Presentation Layer Objects

You can generate a permission report for individual presentation layer objects to see a summary of how permissions have been applied for that object.

To do this, right-click any presentation object and select Permission Report. The Permission Report dialog displays the name and a description of the presentation object, along with a list of users/application roles and their permissions.

Sorting Columns in the Permissions Dialog

There are six ways that you can sort the types and User/Application Role names in the Permissions dialog.

To change the sort, click the heading of the first or second column. The first column has no heading and contains an icon that represents the type of user or application role. The second column contains the name of the User/Application Role object.


You cannot sort on the columns for individual object permissions, such as Read and Read/Write.

There are three ways to sort by type, and two ways to sort the list of user and application role names. This results in a total of six possible sort results (3 x 2 = 6). The following list shows the sort results available by clicking the type column:

  • AuthenticatedUser, Application Roles, Users, ascending by name of type

  • Users, Application Roles, AuthenticatedUser, descending by name of type

  • The Type column is in no particular order. The Type value is ignored, and all names are sorted in ascending order by their value in the User/Application Role column.

The following list shows the sort results available by clicking the User/Application Role column:

  • Ascending within the type

  • Descending within the type