AX2600
Configuring file access (Files tab)
On the Files tab of the Security Management dialog, you can control access to files in the Axiom file system. The following areas can be controlled:
- The Reports Library
- The Data Diagrams Library
- The Filter Library
- The Imports Library and the Exports Library
- The Process Definitions Library
- The Scheduler Jobs Library
- The Task Panes Library
- The Ribbon Tabs Library
- Certain supporting files for file groups: Templates, Drivers, Utilities, and Process Definitions
NOTES:
- File permissions do not apply to users with administrator rights. Administrators always have full access to all files.
- File permissions must be defined within the Security Management dialog. The bulk editing tool Open Security in Spreadsheet does not support configuring file and folder permissions.
- If you are defining file permissions for a subsystem, see Defining maximum permissions for subsystems.
Configuring file permissions
The left-hand side of the Files tab displays the available folders and files. When you select a folder or a file in the list, you can define the security settings for the user or role within the Configured Permissions section in the right-hand side of the tab.
Example Files tab
File permissions can be set at the folder level and at the file level. By default, all sub-folders and files underneath a parent folder inherit the rights of the parent folder, unless rights are explicitly set for the sub-folder or file.
You can set permissions at the library level and then override those permissions for specific sub-folders and files as needed, or you can set permissions for specific sub-folders and files only.
By default, each user or role has no access to any files or folders on this tab. You must define file permissions for each user or role.
To configure permissions to a file or folder:
-
Select the file or folder in the treeview, and then select Configured Permissions.
If this check box is selected for a sub-folder or a specific file, the sub-folder or file will no longer inherit any permissions set for the parent folder. You can clear the check box, and the sub-folder or file will once again inherit permissions from the parent folder.
-
Select the applicable permission options as desired.
Each type of file (reports, import, etc.) has slightly different security settings that can be defined on this tab. For more information on the file-specific options, see the detailed sections.
If a new folder or file is added to any library, a user will have access to it if the folder or file is placed underneath an existing parent folder that the user has rights to. For example, if a user has rights to the entire Reports Library, that user will have access to any new folders and files added to the Reports Library. If a user only has rights to a specific sub-folder in the Reports Library, that user will have access to new folders and files added to that sub-folder.
The Effective Permissions section displays the full permissions of the user, taking into account any inherited role rights, and other settings such as administrator rights. This section also takes into account rights that are inherited from a parent folder.
NOTE: Because file permissions can be set at any point in the treeview, it can be difficult to later tell which items have been configured. To change the view to only show items with configured permissions, select the check box for Show configured items only. If the treeview is blank after selecting this check box, this means that the user or role has no configured permissions.
Reports Library
The following permissions can be set for files in the Reports Library:
| Option | Description |
|---|---|
| Access |
Select one of the following:
|
|
Show in Explorer |
Select this check box if you want the file to display in the Explorer task pane and other "Explorer views" of the file library (such as Axiom Explorer, libraries displayed on the ribbon menu, and libraries displayed when saving files). This check box becomes selected by default when you assign an access level of Read Only or higher. If this check box is cleared, and the user has Read Only access or higher, then the file does not display in Explorer views but the user can still open the file if the user has access to a feature that indirectly opens the file. This includes features such as custom drilling, GetDocument functions, and file shortcuts in task panes and ribbon tabs. The idea is that the user never needs to directly open the file from a folder structure, but the user needs access to the file in order to use these other features. If the user's access level is No Access, then this setting is ignored. For example, you might clear this check box for the target report of a custom drill. The user only needs to be able to access this report when performing a custom drill on the source file. Displaying the file in the Reports Library would just clutter the list of files because the user never needs to open the file from that location. NOTE: The Reports Library dialog (accessible from Reports > All Reports) does not honor this permission. If a user has at least read-only access to a report, it will show in this dialog, regardless of the Show in Explorer permission. |
|
Allow Save Data |
Select this check box if you want the user or role to be able to save data to the database for the folder or file. If a report is set up to use Save Type 1, 3, or 4, the user will be able to save data to the database. If this check box is not selected, then the user cannot save data to the database from the report. NOTE: If a user has Read Only access and Allow Save Data, then the user will be able to save data to the database but not save changes to the file. Note that users with this combination of rights can save data from the file at any time, regardless of whether the file is locked to another user. |
|
Allow Unprotect |
Select this check box if you want the user or role to be able to remove workbook and/or worksheet protection for this folder or file. Users with this permission can use the Advanced > Protect options on the ribbon to remove workbook or worksheet protection from Axiom files. IMPORTANT: If you enable this permission at the folder level, then the user will be able to unprotect any file that they save to the folder (assuming that the user has read/write access to the folder). NOTE: This setting is ignored for users with the Remove Protection permission on the Permissions tab; those users can remove protection for any file. |
|
Allow Sheet Assistant |
Select this check box if you want the user or role to see the Sheet Assistant. Generally, you should only expose the Sheet Assistant if the user is expected to edit file settings, including Axiom query settings. Enabling this permission also has the following impacts:
If this check box is not selected, then the user cannot see the Sheet Assistant or the other related items as described above. |
|
Allow File Processing |
Select this check box if you want the user or role to be able to perform file processing on the file. If selected, then the user has access to file processing features, including the File Processing button on the menu and the File Processing task pane. The related control sheets will also be visible to the user. If this check box is not selected, then the user cannot perform file processing actions and cannot see the related menu items, task panes, or control sheets. |
NOTE: If a user does not have access to any report files or folders, then the Reports menu item does not display on the menu, and the user cannot create reports.
Filter Library
The following permissions can be set for files in the Filter Library:
| Option | Description |
|---|---|
| Access |
Select one of the following:
|
|
Show in Explorer |
Select this check box if you want the file to display in the Explorer task pane and other "Explorer views" of the file library (such as Axiom Explorer, libraries displayed on the ribbon menu, and libraries displayed when saving files). This check box becomes selected by default when you assign an access level of Read Only or higher. If this check box is cleared, and the user has Read Only access or higher, then the file does not display in Explorer views but the user can still open the file if the user has access to a feature that indirectly opens the file. This includes features such as custom drilling, GetDocument functions, and file shortcuts in task panes and ribbon tabs. The idea is that the user never needs to directly open the file from a folder structure, but the user needs access to the file in order to use these other features. If the user's access level is No Access, then this setting is ignored. |
Scheduler Jobs Library
NOTE: Users must also have the Scheduled Jobs User permission (on the Permissions tab) in order to access any files in the Scheduler Jobs Library.
IMPORTANT: Users do not have to have any file permissions to a Scheduler job in order to execute that job via an event handler (such as when using Run Event or Raise Event).
The following permissions can be set for files in the Scheduler Jobs Library:
| Option | Description |
|---|---|
| Access |
Select one of the following:
|
|
Show in Explorer |
Select this check box if you want the file to display in the Explorer task pane and other "Explorer views" of the file library (such as Axiom Explorer, libraries displayed on the ribbon menu, and libraries displayed when saving files). This check box becomes selected by default when you assign an access level of Read Only or higher. If this check box is cleared, and the user has Read Only access or higher, then the file does not display in Explorer views but the user can still open the file if the user has access to a feature that indirectly opens the file. This includes features such as custom drilling, GetDocument functions, and file shortcuts in task panes and ribbon tabs. The idea is that the user never needs to directly open the file from a folder structure, but the user needs access to the file in order to use these other features. If the user's access level is No Access, then this setting is ignored. For example, you might clear this check box if a user needs to be able to open a Scheduler job from a shortcut in a task pane, but otherwise the user does not need to be able to browse to it in the Scheduler Jobs Library. |
Exports Library
The following permissions can be set for files in the Exports Library:
| Option | Description |
|---|---|
| Access |
Select one of the following:
|
| Execute |
Select this check box to give the user execute permissions to the folder or file. Users with execute permissions can run the export. NOTE: Table read permissions are honored for export packages. When the user executes the export, the user's permission to the table will determine the eligible data to export. If the user does not have access to the table at all, then no data will be exported. |
|
Show in Explorer |
Select this check box if you want the file to display in the Explorer task pane and other "Explorer views" of the file library (such as Axiom Explorer, libraries displayed on the ribbon menu, and libraries displayed when saving files). This check box becomes selected by default when you assign an access level of Read Only or higher. If this check box is cleared, and the user has Read Only access or higher, then the file does not display in Explorer views but the user can still open the file if the user has access to a feature that indirectly opens the file. This includes features such as custom drilling, GetDocument functions, and file shortcuts in task panes and ribbon tabs. The idea is that the user never needs to directly open the file from a folder structure, but the user needs access to the file in order to use these other features. For example, you might clear this check box if a user needs to be able to execute an export from a shortcut in a task pane, but otherwise the user does not need to be able to browse to it in the Exports Library. NOTE: If a user has Execute permissions but No Access to the export file, then you should select this check box if you want the export to display in the Export Library. When using this configuration, the user can double-click the file to open the Execute dialog only. If, however, the user will only execute the export from links in a task pane or other predefined links, then you can leave this option cleared. |
NOTE: The export access permission and the execute permission are independent. A user can have no access to an export file but still be given execute permissions. Similarly, a user can have read/write access to the export settings, but not be able to execute it.
Imports Library
The following permissions can be set for files in the Imports Library:
| Option | Description |
|---|---|
| Access |
Select one of the following:
|
| Execute |
Select this check box to give the user execute permissions to the folder or file. Users with execute permissions can run the import. NOTE: Table write permissions are ignored for import packages. If a user has execute rights to an import, then the imported data will be saved to the configured destination table, regardless of the user's write access to that table. |
|
Show in Explorer |
Select this check box if you want the file to display in the Explorer task pane and other "Explorer views" of the file library (such as Axiom Explorer, libraries displayed on the ribbon menu, and libraries displayed when saving files). This check box becomes selected by default when you assign an access level of Read Only or higher. If this check box is cleared, and the user has Read Only access or higher, then the file does not display in Explorer views but the user can still open the file if the user has access to a feature that indirectly opens the file. This includes features such as custom drilling, GetDocument functions, and file shortcuts in task panes and ribbon tabs. The idea is that the user never needs to directly open the file from a folder structure, but the user needs access to the file in order to use these other features. If the user's access level is No Access, then this setting is ignored. NOTE: If a user has Execute permissions but No Access to the import file, then you should select this check box if you want the import to display in the Import Library. When using this configuration, the user can double-click the file to open the Execute dialog only. If, however, the user will only execute the import from links in a task pane or other predefined links, then you can leave this option cleared. |
NOTES:
-
The import access permission and the execute permission are independent. A user can have no access to an import file but still be given execute permissions. Similarly, a user can have read/write access to the import settings, but not be able to execute it.
-
The Import Errors folder is system-maintained and therefore does not display in this dialog. You cannot manually grant or deny access to this folder or the error files within it; access is automatically granted based on access to the import that generated the error.
-
If an import uses an Axiom database as its source, then non-administrators cannot view or edit that import regardless of their access rights granted here. However, non-administrators can execute the import if they have that permission.
Task Panes Library
The following permissions can be set for files in the Task Panes Library:
| Option | Description |
|---|---|
| Access |
Select one of the following:
|
|
Show in Explorer |
Select this check box if you want the file to display in the Explorer task pane and other "Explorer views" of the file library (such as Axiom Explorer, libraries displayed on the ribbon menu, and libraries displayed when saving files). This check box becomes selected by default when you assign an access level of Read Only or higher. If this check box is cleared, and the user has Read Only access or higher, then the file does not display in Explorer views but the user can still open the file if the user has access to a feature that indirectly opens the file. This includes features such as custom drilling, GetDocument functions, and file shortcuts in task panes and ribbon tabs. The idea is that the user never needs to directly open the file from a folder structure, but the user needs access to the file in order to use these other features. If the user's access level is No Access, then this setting is ignored. For example, you might clear this check box if a user needs to be able to open an associated task pane for a file, but otherwise the user does not need to be able to open the task pane from the Task Panes Library. |
NOTES:
-
Task panes can contain shortcuts to various files and system features. The ability of a user to open a file or use a feature from the task pane depends on the user's permission for that file or feature.
-
Users do not need to have access permission to a task pane in order to open it at startup. If a user is assigned a task pane on the Startup tab of security, it will always open as read-only at startup, regardless of the user's access permission.
-
By default, the Axiom ribbon tab does not contain any command to open task panes. If a user has rights to a file in the Task Panes Library, then in order to see and open this file manually the user must have access to either the Explorer task pane or the Axiom Explorer dialog, or you must include access to the task pane within another custom task pane or ribbon tab file that is assigned as a startup file to the user. For example, you might create a custom task pane that includes a link to the Task Panes Library, and if a user has file access rights to any task panes they could be launched from this location. Users only gain access to the Manage > Task Panes menu item if they have the Administer Task Panes security permission.
Ribbon Tabs Library
The following permissions can be set for files in the Ribbon Tabs Library:
| Option | Description |
|---|---|
| Access |
Select one of the following:
|
|
Show in Explorer |
Select this check box if you want the file to display in the Explorer task pane and other "Explorer views" of the file library (such as Axiom Explorer, libraries displayed on the ribbon menu, and libraries displayed when saving files). This check box becomes selected by default when you assign an access level of Read Only or higher. If this check box is cleared, and the user has Read Only access or higher, then the file does not display in Explorer views but the user can still open the file if the user has access to a feature that indirectly opens the file. This includes features such as custom drilling, GetDocument functions, and file shortcuts in task panes and ribbon tabs. The idea is that the user never needs to directly open the file from a folder structure, but the user needs access to the file in order to use these other features. If the user's access level is No Access, then this setting is ignored. This setting does not have much use for ribbon tab files because ribbon tabs are typically configured as startup files for end users, and end users do not need access permission to be able to open the file at startup. |
NOTES:
-
Users do not need to have access permission to a ribbon tab in order to open it at startup. If a user is assigned a ribbon tab on the Startup tab of security, it will always open as read-only at startup, regardless of the user's access permission.
-
In general, there is no need to grant end users access to the Ribbon Tabs Library unless the user needs to be able to create and edit ribbon tabs. If a user opens a ribbon tab file directly from the Ribbon Tabs Library, it will always open in the editor, not in the application ribbon. There is no way to open a ribbon tab file on demand and have it display in the application ribbon.
Process Definition Library
The following permissions can be set for files in the Process Definition Library:
| Option | Description |
|---|---|
| Access |
Select one of the following:
|
|
Show in Explorer |
Select this check box if you want the file to display in the Explorer task pane and other "Explorer views" of the file library (such as Axiom Explorer, libraries displayed on the ribbon menu, and libraries displayed when saving files). This check box becomes selected by default when you assign an access level of Read Only or higher. If this check box is cleared, and the user has Read Only access or higher, then the file does not display in Explorer views but the user can still open the file if the user has access to a feature that indirectly opens the file. This includes features such as custom drilling, GetDocument functions, and file shortcuts in task panes and ribbon tabs. The idea is that the user never needs to directly open the file from a folder structure, but the user needs access to the file in order to use these other features. If the user's access level is No Access, then this setting is ignored. For example, you might clear this check box if a user needs to be able to open a process definition from a shortcut in a task pane, but otherwise the user does not need to be able to browse to it in the Process Definition Library. |
Data Diagrams Library
The following permissions can be set for files in the Data Diagrams Library:
| Option | Description |
|---|---|
| Access |
Select one of the following:
|
|
Show in Explorer |
Select this check box if you want the file to display in the Explorer task pane and other "Explorer views" of the file library (such as Axiom Explorer, libraries displayed on the ribbon menu, and libraries displayed when saving files). This check box becomes selected by default when you assign an access level of Read Only or higher. If this check box is cleared, and the user has Read Only access or higher, then the file does not display in Explorer views but the user can still open the file if the user has access to a feature that indirectly opens the file. This includes features such as custom drilling, GetDocument functions, and file shortcuts in task panes and ribbon tabs. The idea is that the user never needs to directly open the file from a folder structure, but the user needs access to the file in order to use these other features. If the user's access level is No Access, then this setting is ignored. For example, you might clear this check box if a user needs to be able to open a data diagram from a shortcut in a task pane, but otherwise the user does not need to be able to browse to it in the Data Diagrams Library. |
File Groups
The following permissions can be set for certain files and folders in file groups. Each file group is listed separately in this section, with sub-folders for Templates, Drivers, Utilities, and Process Definitions.
NOTE: Permissions cannot be set at the file group level and inherited by the folders. Each folder must be configured separately.
| Option | Description |
|---|---|
| Access |
Select one of the following:
|
|
Show in Explorer |
Select this check box if you want the file to display in the Explorer task pane and other "Explorer views" of the file library (such as Axiom Explorer, libraries displayed on the ribbon menu, and libraries displayed when saving files). This check box becomes selected by default when you assign an access level of Read Only or higher. If this check box is cleared, and the user has Read Only access or higher, then the file does not display in Explorer views but the user can still open the file if the user has access to a feature that indirectly opens the file. This includes features such as custom drilling, GetDocument functions, and file shortcuts in task panes and ribbon tabs. The idea is that the user never needs to directly open the file from a folder structure, but the user needs access to the file in order to use these other features. If the user's access level is No Access, then this setting is ignored. For example, you might clear this check box if a user needs to be able to open the file from a shortcut in a task pane, but otherwise the user does not need to be able to browse to it in the Explorer task pane. |
|
Allow Save Data |
Select this check box if you want the user or role to be able to save data to the database for the folder or file. If a file is set up to use Save Type 1, 3, or 4, the user will be able to save data to the database. If this check box is not selected, then the user cannot save data to the database from the report. NOTES:
|
|
Allow Unprotect |
Select this check box if you want the user or role to be able to remove workbook and/or worksheet protection for this folder or file. Users with this permission can use the Advanced > Protect options on the ribbon to remove workbook or worksheet protection from Axiom files. IMPORTANT: If you enable this permission at the folder level, then the user will be able to unprotect any file that they save to the folder (assuming that the user has read/write access to the folder). NOTES:
|
|
Allow Sheet Assistant |
Select this check box if you want the user or role to see the Sheet Assistant. Generally, you should only expose the Sheet Assistant if the user is expected to edit file settings, including Axiom query settings. Enabling this permission also has the following impacts:
If this check box is not selected, then the user cannot see the Sheet Assistant or the other related items as described above. NOTE: This setting does not apply to process definitions. Also, control sheets are not hidden in template files. |
|
Allow File Processing |
Select this check box if you want the user or role to be able to perform file processing on the file. If selected, then the user has access to file processing features, including the File Processing button on the menu and the File Processing task pane. The related control sheets will also be visible to the user. If this check box is not selected, then the user cannot perform file processing actions and cannot see the related menu items, task panes, or control sheets. NOTE: This setting does not apply to process definitions. |
File permission examples
The following examples use the Reports Library, but the concept of folder inheritance applies to all files on the Files tab.
If a user has read/write access to the Reports Library, that user can access and save files anywhere in the library, unless a different level of access is explicitly set for a sub-folder or a file. For example:
Sub-folders and files inherit the rights defined for the parent folder, unless permissions are explicitly set for the sub-folder or file. When you select a sub-folder or file in the folder tree, you can tell if it is inheriting permissions by whether the Configured permission check box is selected. If this check box is not selected, then the folder or file is inheriting permissions, and you can view the inherited permissions in the Effective Permissions section.
NOTE: The effective permissions also take into account role inheritance and administrator rights (if applicable). Therefore, the sub-folder or file might show a different level of permissions than its parent folder, if it is inheriting from a role.
If rights are set at the library level, but you want to set a different level of rights for a specific folder or file, select Configured permission for that folder or file and define the desired level of rights. In the following example, the user has read/write access to the Reports Library, but no access to the Utilities sub-folder.
Note that if the user was assigned to a role that had access to the Utilities folder, then the user would be granted that level of access even though the folder is explicitly hidden for the user. Users are granted the highest level of file permissions allowed by their user rights and assigned roles. You cannot override role inheritance for report file access.
It is also possible to grant a user access to a file or folder, but hide that file/folder in the user's Explorer task pane and other "Explorer views." In the following example, the Drilling sub-folder contains drill target files. The user needs read-only access to the files in order to perform the drill, but otherwise the user never needs to open the files directly or see the files in their Reports Library. By clearing the Show in Explorer option, this folder and its files will not display to the user.
