AX2599
Understanding role inheritance options for file group permissions
Role inheritance for file group permissions is handled differently than in other areas of Security. For each set of permissions defined for a user on the File Groups tab, you can specify whether role permissions are inherited and how they are inherited.
File group permissions have three different role inheritance options:
- None
- Combine
- Independent
By default, if no file group permissions are configured for a user, the role inheritance is set to independent. This means that users will inherit file group settings from all roles that they are assigned to, but those inherited settings will be applied independently instead of merged.
The following sections explain how each role inheritance option works.
No inheritance
The None option means that no role inheritance applies. Role settings are ignored for this particular permission set. If the user only has one permission set, then role settings are ignored entirely (for settings on the File Groups tab).
The following is an example of how file group settings are treated with no inheritance, assuming that the user belongs to the role:
| File Group Settings | User Configured Settings | Role Configured Settings | User Effective Permissions |
|---|---|---|---|
| File Access Level | Read Only | Read/Write | Read Only |
| Allow Save Data | Unchecked | Checked | Unchecked |
| Allow Calc Method Insert | Checked | Checked | Checked |
| Allow Calc Method Change | Unchecked | Checked | Unchecked |
| Apply settings to | Filtered Plan Files: DEPT.Region='North' | Filtered Plan Files: DEPT.Region='South' | Filtered Plan Files: DEPT.Region='North' |
In this example, the role settings are ignored, and the user has only his or her configured permissions.
Combine inheritance
The Combine option means that the user's permissions are combined with role permissions. The user is granted the most permissive rights defined for either the user or the role, on a per-permission basis.
The following is an example of how file group settings are treated with combine inheritance, assuming that the user belongs to the role:
| File Group Settings | User Configured Settings | Role Configured Settings | User Effective Permissions |
|---|---|---|---|
| File Access Level | Read Only | Read/Write | Read/Write |
| Allow Save Data | Unchecked | Checked | Checked |
| Allow Calc Method Insert | Checked | Checked | Checked |
| Allow Calc Method Change | Unchecked | Checked | Checked |
| Apply settings to | Filtered Plan Files: DEPT.Region='North' | Filtered Plan Files: DEPT.Region='South' | Filtered Plan Files: (DEPT.Region='North') OR (DEPT.Region='South') |
In this example, the user and role permissions are combined, and the user is granted the most permissive set of rights available for each individual setting.
When you select combine inheritance, you can choose to combine with all roles that the user is assigned to, or to combine with a specific role. For example, imagine that the user belongs to role A and role B, and the permissions are as follows:
| File Group Settings | User Configured Settings | Role A Configured Settings | Role B Configured Settings |
|---|---|---|---|
| File Access Level | Read Only | Read/Write | Read Only |
| Allow Save Data | Unchecked | Checked | Unchecked |
| Allow Calc Method Insert | Checked | Checked | Unchecked |
| Allow Calc Method Change | Unchecked | Checked | Unchecked |
| Apply settings to | Filtered Plan Files: DEPT.Region='North' | Filtered Plan Files: DEPT.Region='South' | Filtered Plan Files: DEPT.Country='France' |
In this case, the effective permissions of the user depend on whether the combine inheritance is set to all roles, or to a specific role:
| File Group Settings | Combine: All Roles | Combine: Role A | Combine: Role B |
|---|---|---|---|
| File Access Level | Read/Write | Read/Write | Read Only |
| Allow Save Data | Checked | Checked | Unchecked |
| Allow Calc Method Insert | Checked | Checked | Checked |
| Allow Calc Method Change | Checked | Checked | Unchecked |
| Apply settings to | Filtered Plan Files: (DEPT.Region='North') OR (DEPT.Region='South') OR (DEPT.Country='France') | Filtered Plan Files: (DEPT.Region='North') OR (DEPT.Region='South') | Filtered Plan Files: (DEPT.Region='North') OR (DEPT.Country='France') |
When combined with all roles, the user is granted the most permissive set of rights across all of the roles. When combined with only one of the roles, the second role is effectively ignored. Unless the user has another set of permissions that allows inheritance from the second role, the user will not inherit any file group settings from the second role.
Independent inheritance
The Independent option means that the user inherits permissions from roles, but the role permissions are applied independently of the user's configured permissions. The user and role permissions are not merged, as they are with the combine option. The user effectively has two sets of permissions: one set based on the user's configured permissions, and one set based on the role's inherited permissions. Additionally, if the user belongs to multiple roles, each role's permissions are inherited independently of the others (assuming that the independent inheritance is set to apply to "all roles").
The following is an example of how file group settings are treated with independent inheritance, assuming that the user belongs to the role:
| File Group Settings | User Configured Settings | Role Configured Settings |
|---|---|---|
| File Access Level | Read Only | Read/Write |
| Allow Save Data | Unchecked | Checked |
| Allow Calc Method Insert | Checked | Checked |
| Allow Calc Method Change | Unchecked | Checked |
| Apply settings to | Filtered Plan Files: DEPT.Region='North' | Filtered Plan Files: DEPT.Region='South' |
In this example, the user's effective permissions consist of the user configured permissions and the role configured permissions, each applied separately under its own filter. When the user accesses a plan file that belongs to the North region, it is read only, and the user cannot change calc methods. When the user accesses a plan file that belongs to the South region, it is read/write, and the user has all of the other plan file permissions as defined for the role.
If there is any overlap between the two independent permissions, then the user will be granted the most permissive set of rights for the area of overlap only. In the above example the filters cannot overlap, but imagine that the user and role filters were instead something like the following:
| | Filter |
|---|---|
| User | DEPT >= 5000 and DEPT < 6000 |
| Role | DEPT >= 4000 and DEPT < 6000 |
In this case, the role permissions alone would apply to any departments from 4000 up to 4999. Where the permissions overlap, for departments 5000 to 5999, the user and role permissions would be combined.
NOTE: If you use independent inheritance with a specific role instead of all roles, that configuration blocks inheritance from all other roles unless the user has another permission set that allows inheritance from the other roles.
Multiple permission sets
For each file group, a user can have multiple sets of permissions that apply to the plan files in that file group. This allows you to define different permissions for different subsets of files. For example, you might want to give a user full read/write access to plan files belonging to the North region, but only read access to plan files belonging to the South region. In this case, you can create two sets of permissions for the user.
If a user has multiple permission sets, each permission set has its own role inheritance settings. For example, you may want to define filters at the user level, but define other access rights at the role level, as shown in the following example:
| File Group Settings | User Configured Settings (Set 1) | Role A Configured Settings | User Effective Permissions (Combine: Role A) |
|---|---|---|---|
| File Access Level | None | Read/Write | Read/Write |
| Allow Save Data | Unchecked | Checked | Checked |
| Allow Calc Method Insert | Unchecked | Checked | Checked |
| Allow Calc Method Change | Unchecked | Checked | Checked |
| Apply settings to | Filtered Plan Files: DEPT.Region='North' | Filtered Plan Files: <Blank Filter> | Filtered Plan Files: DEPT.Region='North' |

| File Group Settings | User Configured Settings (Set 2) | Role B Configured Settings | User Effective Permissions (Combine: Role B) |
|---|---|---|---|
| File Access Level | None | Read Only | Read Only |
| Allow Save Data | Unchecked | Unchecked | Unchecked |
| Allow Calc Method Insert | Unchecked | Checked | Checked |
| Allow Calc Method Change | Unchecked | Unchecked | Unchecked |
| Apply settings to | Filtered Plan Files: DEPT.Region='South' | Filtered Plan Files: <Blank Filter> | Filtered Plan Files: DEPT.Region='South' |
The ability to define multiple permission sets with separate inheritance settings is a very flexible feature, able to meet a wide variety of security needs. When using multiple permission sets, keep in mind that it is possible to configure settings that cancel out or contradict the settings of another set.
For example, if you configure one permission set with no role inheritance, and then you configure a second permission set with independent inheritance, then the no inheritance setting on the first set is pointless (since you are already independently inheriting all role settings from the second set). On the other hand, it can be meaningful to have no inheritance on the first permission set, and then combine inheritance on the second permission set (for either all roles or a specific role). Make sure that you understand the purpose of each permission set, and check the effective permissions section for the user to ensure that permissions are being inherited as intended.
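The resolution rules described in the No inheritance, Combine inheritance and Independent inheritance sections, and the multiple-permission-set example above, can be made concrete with a small model. The Python below is an added example written for this page; it is not code from the product or its documentation. It reproduces the page's tables as constructed sample data and resolves the effective permissions for one plan file at a time. The names (PermissionSet, UserPermissionSet, effective_permissions, the plan-file dicts and the DEPT rights in dept_overlap) are constructed, and treating <Blank Filter> as adding no restriction when filters are OR-ed together is an assumption inferred from the Set 1 / Set 2 table.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Access levels ranked from least to most permissive.
ACCESS_RANK = {"None": 0, "Read Only": 1, "Read/Write": 2}

# A filter is a predicate over a plan file (a dict of its DEPT attributes).
# None models "<Blank Filter>": assumed to add no restriction when OR-ed.
Filter = Optional[Callable[[dict], bool]]


@dataclass(frozen=True)
class PermissionSet:
    access: str
    save_data: bool
    calc_insert: bool
    calc_change: bool
    plan_filter: Filter = None

    def matches(self, plan_file: dict) -> bool:
        return self.plan_filter is None or self.plan_filter(plan_file)

    def as_tuple(self):
        return (self.access, self.save_data, self.calc_insert, self.calc_change)


NO_ACCESS = PermissionSet("None", False, False, False)


def most_permissive(a: PermissionSet, b: PermissionSet) -> PermissionSet:
    """Per-setting merge keeping the more permissive value (the Combine rule)."""
    access = a.access if ACCESS_RANK[a.access] >= ACCESS_RANK[b.access] else b.access
    return PermissionSet(access, a.save_data or b.save_data,
                         a.calc_insert or b.calc_insert, a.calc_change or b.calc_change)


def or_filters(*filters: Filter) -> Filter:
    """OR together the non-blank filters; all blank means no restriction."""
    active = [f for f in filters if f is not None]
    return (lambda pf: any(f(pf) for f in active)) if active else None


@dataclass(frozen=True)
class UserPermissionSet:
    perms: PermissionSet
    inheritance: str               # "none" | "combine" | "independent"
    roles: Optional[tuple] = None  # None = all of the user's roles, else specific role names


def effective_permissions(plan_file, user_sets, user_roles, role_defs) -> PermissionSet:
    """Resolve what the user may do with one plan file across all permission sets.
    Whatever each set contributes for this file is merged most-permissive, as the
    page describes for overlapping independent permissions."""
    result = NO_ACCESS
    for us in user_sets:
        names = user_roles if us.roles is None else [r for r in us.roles if r in user_roles]
        roles = [role_defs[n] for n in names]
        if us.inheritance == "none":
            # Role settings are ignored for this permission set.
            if us.perms.matches(plan_file):
                result = most_permissive(result, us.perms)
        elif us.inheritance == "combine":
            # One merged set whose filter is the OR of the user and role filters.
            merged = us.perms
            for r in roles:
                merged = most_permissive(merged, r)
            combined = or_filters(us.perms.plan_filter, *(r.plan_filter for r in roles))
            if combined is None or combined(plan_file):
                result = most_permissive(result, merged)
        elif us.inheritance == "independent":
            # Each contribution keeps its own filter; they merge only where they overlap.
            for contrib in [us.perms, *roles]:
                if contrib.matches(plan_file):
                    result = most_permissive(result, contrib)
        else:
            raise ValueError(f"unknown inheritance mode {us.inheritance!r}")
    return result


# Constructed sample data reproducing the page's tables.
north = lambda pf: pf["Region"] == "North"
south = lambda pf: pf["Region"] == "South"
france = lambda pf: pf["Country"] == "France"
USER = PermissionSet("Read Only", False, True, False, north)
ROLES = {"A": PermissionSet("Read/Write", True, True, True, south),     # "the role" / role A
         "B": PermissionSet("Read Only", False, False, False, france)}  # role B
NORTH_FILE = {"Region": "North", "Country": "UK", "DEPT": 5500}   # constructed plan files
SOUTH_FILE = {"Region": "South", "Country": "UK", "DEPT": 4500}
FRANCE_FILE = {"Region": "East", "Country": "France", "DEPT": 7000}


def resolve(mode, plan_file, roles=None):
    """One user permission set in the given mode; the user belongs to roles A and B."""
    sets = [UserPermissionSet(USER, mode, roles)]
    return effective_permissions(plan_file, sets, ["A", "B"], ROLES).as_tuple()


def multi_set(plan_file):
    """The page's two-set example: filters on the user, rights on blank-filter roles."""
    role_defs = {"A": PermissionSet("Read/Write", True, True, True),
                 "B": PermissionSet("Read Only", False, True, False)}
    sets = [UserPermissionSet(PermissionSet("None", False, False, False, north), "combine", ("A",)),
            UserPermissionSet(PermissionSet("None", False, False, False, south), "combine", ("B",))]
    return effective_permissions(plan_file, sets, ["A", "B"], role_defs).as_tuple()


def dept_overlap(dept):
    """Independent inheritance with overlapping DEPT ranges (the rights are constructed)."""
    user = PermissionSet("Read Only", False, True, False, lambda pf: 5000 <= pf["DEPT"] < 6000)
    role = {"R": PermissionSet("Read/Write", True, True, True, lambda pf: 4000 <= pf["DEPT"] < 6000)}
    return effective_permissions({"DEPT": dept}, [UserPermissionSet(user, "independent")], ["R"], role).as_tuple()
```

Running resolve("combine", NORTH_FILE, ("B",)) returns the Combine: Role B column of the two-role table, and dept_overlap(4500) versus dept_overlap(5500) shows the role-only range and the merged overlap range. The model also makes the warning in the preceding paragraph visible: every permission set whose filter matches a file contributes, and the most permissive value wins per setting, so a set that widens access is not cancelled by a stricter one elsewhere; reviewing effective permissions per plan file, not per set, is what catches that.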