AX3530

Bulk edit of security

You can manage users, roles, and subsystems in bulk by using the Open Security in Spreadsheet feature. You can edit, add, and delete multiple users, roles, and subsystems simultaneously within a spreadsheet interface.

Only users with access to security can use this feature: administrators, users with the Administer Security permission, and subsystem administrators. The spreadsheet is limited as appropriate depending on the user's rights.

The following items cannot be edited in the spreadsheet interface; you must use the Security Management dialog for these items:

File and folder access to any Axiom library (settings defined in the Files tab)
Startup documents (settings defined in the Startup tab)

NOTE: Open Security in Spreadsheet is a system-controlled environment that is intended for one-time edits to security. If you need to automate the process of ongoing security updates (such as based on imported data or on calculations performed in a spreadsheet), then you may be able to customize a Save Type 4 report to meet your needs. See Managing users in Axiom Security using Save Type 4.

Opening security in a spreadsheet

To manage security in a spreadsheet:

On the Axiom tab, in the Administration group, click Security > Open in Spreadsheet.

NOTE: In systems with installed products, this feature may be located on the Admin tab. In the System Management group, click Security > Open in Spreadsheet.

The Open Security in Spreadsheet dialog opens.
At the top of the dialog, specify how you want users and roles presented in the spreadsheet:
- Horizontally (default): Users, roles, and subsystems are displayed horizontally across columns. The security settings are displayed in rows.
- Vertically: Users, roles, and subsystems are displayed vertically down rows. The security settings are displayed in columns.
Optional. If you want to limit the security settings that display in the spreadsheet, modify the check boxes in the Select items to include section.

For example, you might only want to work with a particular file group or table type. General user and role properties (such as name, email, etc.) are always included in the spreadsheet.

Clear the check boxes for any items that you do not want to display in the spreadsheet. You can select or clear items by major category (File Groups, Tables, etc.), or you can expand the major categories to select or clear the individual items (such as individual file groups).

Optional. If you want to filter the users that display in the spreadsheet, select the Filter users check box. By default, the spreadsheet displays all users, roles, and subsystems for the current system.

If Filter users is checked, you can specify the following options to filter users:

Item	Description
Include users who are	Select the following options to include those users in the spreadsheet: Enabled users Disabled users By default, both options are selected, which means that both enabled and disabled users will be included in the spreadsheet. If both options are cleared, then only roles (and subsystems, if applicable) will be included in the spreadsheet.
Include users in these roles	If you want to only view users that belong to specific roles, select the check boxes for those roles. You can also choose to view users who do not belong to any roles. You can use the Select All and Clear All links to select or clear all roles. This selection also limits the role records that will be included in the spreadsheet.
Include users from these subsystems	If you want to only view users that belong to specific subsystems, select the check boxes for those subsystems. You can also choose to view users who do not belong to any subsystems. You can use the Select All and Clear All links to select or clear all roles. This also limits the subsystem records that will be included in the spreadsheet. This option only displays if subsystems are enabled for your system.

Item

Description

Include users who are

Select the following options to include those users in the spreadsheet:

Enabled users
Disabled users

By default, both options are selected, which means that both enabled and disabled users will be included in the spreadsheet.

If both options are cleared, then only roles (and subsystems, if applicable) will be included in the spreadsheet.

Include users in these roles

If you want to only view users that belong to specific roles, select the check boxes for those roles. You can also choose to view users who do not belong to any roles. You can use the Select All and Clear All links to select or clear all roles.

This selection also limits the role records that will be included in the spreadsheet.

Include users from these subsystems

If you want to only view users that belong to specific subsystems, select the check boxes for those subsystems. You can also choose to view users who do not belong to any subsystems. You can use the Select All and Clear All links to select or clear all roles.

This also limits the subsystem records that will be included in the spreadsheet.

This option only displays if subsystems are enabled for your system.

Selections from multiple categories will be combined. For example, if you select role Finance and subsystem 5, then the spreadsheet will contain all users that are in either the Finance role or subsystem 5 (not users who only belong to subsystem 5 and the Finance role).

Click OK.

The spreadsheet opens with the selected security options.

Editing existing records

To edit the settings for a user, role, or subsystem, make changes directly in the spreadsheet. See the following section Security settings in the spreadsheet interface for more information on editing settings within the spreadsheet interface.

NOTE: You cannot edit user login names or role and subsystem names within the spreadsheet interface. If the name is changed, it will be saved as a new record, and the existing record will be unchanged.

For subsystem administrators, only users and roles that belong to their assigned subsystems are brought into the spreadsheet. Subsystem settings are not brought into the spreadsheet.

Adding new records

You can add new users, roles, and subsystems within the spreadsheet interface.

To add a new user, type the new user's login name in an empty cell in row 1 or column A (depending on the spreadsheet orientation), and then complete the desired security settings for that user. Note the following:

Last name, first name, and email address are required for new users. If these items are blank, a save error will result. Other user properties such as license type and authentication type will use the same default values as when adding a new user in the Security Management dialog.
You can type a password or leave the password blank. If left blank, the user will be assigned a randomly generated password.

To add a new role, type the role name in an empty cell in row 1 or column A (depending on the spreadsheet orientation), prefixed by "role:". For example, type role:MyRole. If the name is not prefixed by "role:", then it will be interpreted as a user login name. Note the following:

No other settings are required to save a role.
To assign users to the new role within the spreadsheet interface, you must add the role name to each individual user. There is no option to add users directly to the role record, like you can within the Security Management dialog.

NOTE: Adding subsystems works the same way as adding roles, except the subsystem name must be prefixed by "subsystem:". For example, subsystem:MySubsystem.

When adding new users, roles, or subsystems to the spreadsheet, all settings must be typed (or copied and pasted from other records). Drop-down lists are only available when editing existing records. For more information on the valid inputs for the settings, see the following section Security settings in the spreadsheet interface.

Users who are subsystem administrators can only create new users and roles. The new users and roles must be assigned to their subsystem.

Deleting records

You can delete users, roles, and subsystems within the spreadsheet interface. To delete a user or role, set Delete to Yes.

NOTE: When editing security in a spreadsheet, you can delete a role or a subsystem regardless of whether any users are assigned to it. The users will be updated to remove the assignment.

Users who are subsystem administrators can only delete users and roles that belong to their subsystem.

Saving changes

To save changes made in the spreadsheet:

On the Axiom tab, in the File Options group, click Save.

A confirmation prompt lists the number of users, roles, and subsystems that you are about to update, create, or delete.

Settings are validated before the save occurs. If errors are found, they are displayed in the Save Errors pane. Any errors must be resolved before the save can occur.

After a successful save, you will be prompted to refresh the spreadsheet to bring in the most recent data.

IMPORTANT: If you have changed many filters (plan file filters or table/table type filters), then you may want to run the Validate Security Filters utility after saving. For performance reasons, only a small number of filters are validated when saving from spreadsheet. This utility can be run using the Run QA Diagnostics command. For more information, see Using file diagnostics for troubleshooting and optimization.

Security settings in the spreadsheet interface

The following is a reference for completing or editing security settings via the spreadsheet interface.

NOTES:

If an item is not explicitly discussed here, its input is the same as in the Security Management dialog. This section only discusses items that are completed differently than in the Security Management dialog.
Most check boxes in the Security Management dialog correspond to TRUE (checked) and FALSE (unchecked) in the spreadsheet interface. Any deviations are noted in the following table.

For more information on the purpose of each security setting, see Configuring security settings.

Item	Description
Login, role, or subsystem	The user's login name, the role's name, or the subsystem's name. Role names must be prefixed by `role:`. Subsystem names must be prefixed by `subsystem:`. For example, to create a role named Finance, type `role:Finance`. If users have been imported from Active Directory, those user names are prefixed with the Active Directory domain. For example: Corporate\JDoe. NOTE: You cannot rename existing records using the spreadsheet interface. If a name is changed, it is interpreted as a new record.
Delete	Select Yes if you want to delete the record. Otherwise, leave the default of No.
General	This section works the same way as the Security Management dialog, with the following exceptions: Role assignments: For users, you can view and edit the list of roles that the user is assigned to. Each role name is separated by a semicolon. (The same thing applies to subsystem assignments if subsystems are enabled.) User assignments: For roles, you cannot view or edit the list of assigned users in this interface. If you want to view all users assigned to a role or edit this list from the role perspective, then you must use the Security Management dialog. NOTE: The password display is always blank. You can change a user’s password by entering a new password. When you save and then refresh the spreadsheet, the password field will return to blank.
Permissions	For users, specify one of the following: Inherit: The user will inherit the permission from any role assignments. True: The user is explicitly granted this permission; role inheritance is ignored. False: The user is explicitly denied this permission; role inheritance is ignored. For roles and subsystems, specify either True or False.
File Groups	This section works the same way as the Security Management dialog, with the following exceptions: FGName [calc method permission]: This item combines the Allow Calc Method Insert and Allow Calc Method Change options from the Security Management dialog. Valid entries are Insert, Change, or Insert/Change. FGName [create new records]: This item is listed for all file groups, but only applies to on-demand file groups. A save error will result if this item is set to TRUE for a standard file group. If a user has multiple permission sets, only the first set can be edited within the spreadsheet interface.
Tables and Table Types	All table types are listed first, followed by all individual tables. If [write filter enabled] is False for a table or table type, this means that the user or role's write access permissions are the same as their read permissions. In this case, the other write access permissions in the spreadsheet can be ignored, because they do not apply. For example, the following user has full read and write access to the GL table type, because [full read access] is True and [write filter enabled] is False. Even though [full write access] displays False, it does not matter because the setting does not apply. If [write filter enabled] is True, then the [full write access] permission and the [write filter] permission determine the user's level of write permissions.