AX2580
How role settings are applied to users
Axiom Software supports role-based security. Each user can be assigned to one or more roles, and will inherit the security settings defined for those roles. This topic explains how role-level rights are inherited by individual users.
In general, role rights are additive. Users are granted the most permissive set of rights among their own personal security settings and any roles that they are assigned to. Roles are intended to grant permissions, not deny permissions.
Role inheritance works slightly differently for different areas of security, as detailed in the following sections. When configuring security settings for a user, be sure to check the Effective Permissions display available in most areas of the dialog. This section displays the user's effective permissions after taking into account all applicable factors, including role inheritance, subsystem restrictions, and administrator status.
NOTE: If subsystems are being used, then role inheritance works in the same way, but users' effective permissions are limited by the subsystem's maximum permissions. For more information, see Security subsystems.
Permissions
The Permissions tab of Security defines access rights for specific Axiom Software features. By default, users inherit security permissions from any roles that they are assigned to. However, you can override role inheritance for a user on a per-permission basis.
If a permission is set to inherited, then the user is granted the most permissive set of rights among any roles the user is assigned to. For example, imagine the following settings for the Run AQs in Plan Files permission:
User | Inherited |
Role1 | Unchecked |
Role2 | Checked |
If the user was assigned to both Role1 and Role2, then the user would have rights to run Axiom queries in plan files.
If you choose to Override a permission, then that permission is no longer inherited from roles, and the user is granted or denied the permission based on whether the permission box is checked for the user.
Startup documents
Users inherit startup task panes and "other" startup documents from roles in addition to their own individually assigned startup files.
Each user can have only one home page. If a user has an individually assigned home page, that file will be used and any role settings are ignored. Otherwise, the user will inherit the home page from a role. If no home page is assigned, the default home page is used.
For more information about startup file inheritance, see Assigning startup files (Startup tab).
File groups
The File Groups tab of Security defines access rights for plan files in file groups. For file groups, you can configure role inheritance to be handled in a variety of ways. You can specify that role settings are combined with user settings, or that role settings are inherited independently from user settings, or that role settings are ignored entirely and not inherited.
For more information and examples of how role file group permissions apply to users, see Understanding role inheritance options for file group permissions.
All other areas
For all other areas of Security, the user inherits the most permissive set of rights among their own personal security settings and any roles that they are assigned to. This applies to the Tables tab and the Files tab.
For example, imagine the following access level settings for a report folder:
User | Read-Only |
Role1 | None |
Role2 | Read/Write |
If the user was assigned to both Role1 and Role2, then the user would have Read/Write access to that report folder, because that is the most permissive set of rights available to the user.
Each tab has an Effective Permissions area where you can view the rights that the user will be granted after taking into account role inheritance, administrator status, and folder inheritance (where applicable).
NOTES:
- For table access, if both the user and a role have filtered access, the filters are concatenated using OR. So if a user has a table filter of DEPT.Region='North' and a role the user is assigned to has a table filter of DEPT.Region='South', then that user's full filter is: DEPT.Region='North' OR DEPT.Region='South'. That user would have access to data for either the North or South regions.
- For table access, you can choose to ignore role inheritance. If this option is checked for a user, then any applicable role access settings are not inherited (including the Full Access setting) and the only filter applied is the user's filter.
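The following sketch is an added example, not code from Axiom Software. It models the resolution rules described on this page so they can be checked against the Effective Permissions display. All function and constant names are hypothetical, and it assumes that Full Access from any source yields unfiltered table access, following the most-permissive rule above.

```python
# Illustrative model of the inheritance rules described on this page.
# All names are hypothetical; this is not Axiom Software code or its API.
# Subsystem limits and administrator status are not modeled.

LEVELS = ["None", "Read-Only", "Read/Write"]  # least to most permissive
FULL = "FULL"  # stands in for the Full Access table setting (no filter)


def effective_permission(user_setting, role_settings):
    """user_setting is 'Inherited', or True/False when Override is selected."""
    if user_setting != "Inherited":
        return bool(user_setting)  # override: role values are not consulted
    return any(role_settings)      # inherited: one checked role is enough


def effective_access(user_level, role_levels):
    """Most permissive access level among the user and all assigned roles."""
    return max([user_level, *role_levels], key=LEVELS.index)


def effective_table_filter(user_filter, role_filters, ignore_roles=False):
    """Each filter is None (no access), FULL, or a filter string."""
    sources = [user_filter] if ignore_roles else [user_filter, *role_filters]
    sources = [f for f in sources if f is not None]
    if not sources:
        return None
    if FULL in sources:
        return FULL  # assumption: Full Access is the most permissive setting
    return " OR ".join(dict.fromkeys(sources))  # de-duplicate, keep order


if __name__ == "__main__":
    # Constructed inputs taken from the examples on this page.
    print(effective_permission("Inherited", [False, True]))
    print(effective_access("Read-Only", ["None", "Read/Write"]))
    print(effective_table_filter("DEPT.Region='North'", ["DEPT.Region='South'"]))
    # A role with Full Access removes the user's filter unless roles are ignored.
    print(effective_table_filter("DEPT.Region='North'", [FULL]))
    print(effective_table_filter("DEPT.Region='North'", [FULL], ignore_roles=True))
```

Because roles only add rights, a review of a user's table access has to take every assigned role into account, not only the user's own filter.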