AX2611

Understanding table permissions

This section explains how the table access settings in Security work.

Read access and write access

Each table and table type can have read access permissions and write access permissions.

  • Read access defines what data a user can query from a table—for example, via a GetData function or by running an Axiom query. For each table or table type, a user can have no read access, full read access, or filtered read access.

  • Write access defines what data a user can save to a table. For most users this means via a Save Type 1 process set up in a plan file or a report, but it also applies to Open Table in Spreadsheet (if the user has access to it). For each table or table type, a user can have no write access, full write access, or filtered write access.

    NOTE: Table write access does not apply to document reference tables (Save Type 3). Document reference tables can only be created and edited via a source document; therefore the ability to write data to the table is controlled by the user's access rights to the source document. Also, write access is ignored for import packages—if the user has execute rights to an import, then they can save the imported data to the specified destination table, regardless of their write access to that table.

By default, the write access for a table or table type is set to the same level as the read access. If that is the desired level of access, then you only need to configure the read access; the write access will be automatically set. You can see this inheritance for the write access in the Effective Permissions box after you set the read access.

However, if you want differing levels of read and write access for a table or table type, then you must select the Specify custom write access check box, and then configure the specific write access.

For example, imagine the following settings for the table GL2021:

| If the read access is set to... | And the write access is set to... | The user's permission is... |
|---|---|---|
| Full Access | (Default) | Read: Full Access; Write: Full Access |
| Filter: DEPT.Region='North' | (Default) | Read: DEPT.Region='North'; Write: DEPT.Region='North' |
| Full Access | Specify custom write access: Filter: DEPT.Region='North' | Read: Full Access; Write: DEPT.Region='North' |
| Full Access | Specify custom write access: Filter: <Blank Filter> | Read: Full Access; Write: No Access |
| No Access | Specify custom write access: Full Access | Read: No Access; Write: Full Access |

NOTES:  

  • For reference tables, the read access settings are only applied when the reference table is queried directly—for example, when viewing the reference table using Open Table in Spreadsheet, or when the reference table is the primary table of an Axiom query. The read access settings defined on a reference table are not applied when queries are made against a data table that joins to the reference table.

    Therefore if you want to restrict access to data, the filter must be defined on the data table or its table type. For example, if you want to restrict a user to only viewing planning data for the North region, then you must define that filter on the data table or the table type, not on the DEPT reference table.

  • Read filters are not applied to data that already exists in a spreadsheet. For example, when the administrator runs the Process Plan Files utility to process Axiom queries in plan files, the plan files are populated with data according to the administrator's data rights. When individual users open these plan files, they see all of the data that was populated into the spreadsheet. The read filters of the individual users would only be applied if the users processed Axiom queries by using the Refresh feature. If you would like to limit data access in plan files, you can consider dynamically hiding sheets that you do not want particular users to access.

  • Write access to a table does not by itself mean that the user has the means to save any data. For example, for a user to save data to a table from a plan file, the user must have access rights to the plan file and the permission to save data from the file, and the file must be configured to save data to the table. If a user does not have access to files and/or features that facilitate saving data to the database, then the user cannot save any data, regardless of his or her write access permissions.

How table type access and table access combine

Tables inherit any rights set at the table type level, and then combine that access with any rights set at the table level, resulting in the most permissive set of rights for the table.

  • If a table type is set to full or filtered access, then all tables in that table type inherit the full or filtered access. You cannot "override" the table type setting at the table level to deny access to a specific table in the table type. You can set individual tables to have more permissive access than the table type, but not less permissive.
  • If desired, you can leave the table type access unset, and instead configure access at the table level. The user will be granted whatever access is set at the table level.
  • If access filters are set at both the table type level and the table level, the filters are concatenated using OR (meaning the filters are combined to result in the most permissive set of rights for the table).

For example, imagine a table type of GL, which contains a table named GL2021:

| If the table type GL is set to... | And the table GL2021 is set to... | The user's permission is... |
|---|---|---|
| Full Access | No Access (nothing is configured) | Full Access |
| Full Access | DEPT.Region='North' | Full Access |
| No Access (nothing is configured) | DEPT.Region='North' | DEPT.Region='North' |
| DEPT.Region='South' | Full Access | Full Access |
| DEPT.Region='South' | DEPT.Region='North' | (DEPT.Region='South') OR (DEPT.Region='North') |

Tables that do not belong to a table type only have their individual table access rights.
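The rules in this section can be checked against a permissions export with a small model. The following is an added example, not Axiom code: it reproduces both tables above (write access following read access unless custom write access is specified, and table type plus table access combining to the most permissive result) and flags table-level settings that the table type widens. The function names, the tuple layout, and the sample users are hypothetical.

```python
FULL, NONE = "Full Access", "No Access"

def normalize(setting):
    """Treat an unset value or a blank filter as No Access."""
    if setting is None or not setting.strip():
        return NONE
    return setting.strip()

def resolve_write(read, custom_write=None, use_custom=False):
    """Write access follows read access unless custom write access is specified."""
    read = normalize(read)
    write = normalize(custom_write) if use_custom else read
    return read, write

def combine(type_access, table_access):
    """Most permissive of table type and table settings; two filters are ORed."""
    t, b = normalize(type_access), normalize(table_access)
    if FULL in (t, b):
        return FULL
    if t == NONE or t == b:
        return b
    if b == NONE:
        return t
    return f"({t}) OR ({b})"

def widened_table_settings(grants):
    """Return table-level settings that the table type makes more permissive."""
    findings = []
    for user, table, type_access, table_access in grants:
        configured = normalize(table_access)
        effective = combine(type_access, table_access)
        if configured != NONE and configured != effective:
            findings.append((user, table, configured, effective))
    return findings

# Constructed sample grants: (user, table, table type GL setting, table setting).
# User names are hypothetical; GL2021 and the filters are the page's own examples.
SAMPLE_GRANTS = [
    ("analyst_a", "GL2021", FULL, "DEPT.Region='North'"),
    ("analyst_b", "GL2021", None, "DEPT.Region='North'"),
    ("analyst_c", "GL2021", "DEPT.Region='South'", "DEPT.Region='North'"),
    ("analyst_d", "GL2021", FULL, None),
]

if __name__ == "__main__":
    for user, table, configured, effective in widened_table_settings(SAMPLE_GRANTS):
        print(f"{user} on {table}: table says {configured}, effective is {effective}")
```

A flagged row is a table-level filter that looks restrictive but is not the user's effective access, because the table type setting cannot be narrowed at the table level.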

Table visibility to users

If a user does not have any read access to a table, then that table will not display in lists of tables throughout the system, such as in the Sheet Assistant, or the Filter Wizard. Table Library folders and table types will only display if the user has read access to at least one table within the folder or the table type. (Exception: if the user has the Administer Tables permission, then that user will see all Table Library folders and table types for the purposes of creating new tables.)