AX2597

File group permissions

The settings on the File Groups tab define permissions for each file group. The left-hand side lists the available file groups for the system. When you select a file group in the list, you can define the security settings for the user or role using the two sub-tabs on the right-hand side.

  • File Group: Manage access to file group administration features such as Create Plan Files and Process Plan Files. This tab can be ignored for most end users.
  • Plan Files: Manage access to plan files. It is necessary to configure access on this tab if you want the user to have any access to plan files in the file group.

Example File Groups tab, configuring permissions to plan files

File groups are listed by display name, followed by the file group code in parentheses. If the name of the file group is different than the display name, that name is also displayed in the parentheses.

The Effective Permissions section displays the full permissions of the user, taking into account any inherited role rights and other settings such as administrator rights.

NOTE: If a non-admin user has no effective permissions for a file group (either on the File Groups tab or on the Files tab), then that user cannot see the file group in Axiom Explorer, the Axiom ribbon tab, and other lists of file groups.

File Group tab

Use the File Group tab to configure user access to administration features for the file group. This tab is optional and can be ignored for most end users.

To grant a user access to one of these features, select the check box. By default, all check boxes on this tab are not selected, which means the user does not have access to any of these features.

Item Description

Modify File Group

This permission grants general administrative rights to the file group. The user can:

  • Edit the file group settings
  • Clone the file group
  • Manage scenarios for the file group
  • Manage restore points for the file group

Create Plan Files

The user can create plan files for the file group, using the Create Plan Files feature. This permission is limited to those plan files where the user has read/write access, as defined in the File Groups tab of Security.

This permission also grants access to the Copy Plan Files feature for standard file groups, which can be used in certain specialized configurations to copy plan files from one file group to another. In this case the user must have read/write access and Create Plan Files permission to the target file group.

NOTE: If the file group is an on-demand file group, then users do not need this permission in order to create new plan files "on demand." Instead, users need the Create New Records permission.

Create New Records

The user can create new plan files for the on-demand file group. This process includes creating a new identity record in the plan code table and then creating a plan file for that record using either its assigned template or by copying an existing plan file (when using the Clone selected item feature). This permission only applies to on-demand file groups.

By default, this permission is automatically enabled on the Everyone role when a new on-demand file group is created. This means that any user with at least Read-Only access to plan files in this file group will also have the ability to create new plan files. (This includes plan file permission sets with the potential to be elevated to read-only access or higher, due to the Interacts with Process Management permission.) If you do not want all users with access to the file group to be able to create new plan files, then you can remove the permission from the Everyone role and instead grant it to individual users and roles.

Process Plan Files

The user can process plan files for the file group, using the Process Plan Files feature. This permission is limited to plan files where the user has at least read-only access, as defined in the File Groups tab of Security.

The user can run Axiom queries and save data as part of the process, but the user can only save the file if they have read/write access to it.

Run Axiom Queries

The user can refresh Axiom queries in plan files, using the Refresh feature.

By default, non-admin users cannot use the Refresh feature in plan files. If you have a plan file design where users should be able to refresh the queries in the file as needed, then you should enable this permission.

NOTES:  

  • This permission does not apply to "refresh on open" Axiom queries, or to queries run using the RunAxiomQueryBlock function. These queries will always run, regardless of whether the user has this permission.

  • This permission does not apply to form-enabled plan files (when viewed as an Axiom form). Axiom queries in form-enabled plan files will refresh according to the standard form refresh behavior, regardless of whether the user has this permission.

Manage Calc Methods

The user can perform all management activities for calc method libraries in the file group, including adding, editing, and deleting calc methods, and can use any other calc method features available on the CM Library menu. The user can also insert or change calc methods in any file group files that the user has access to, and can override any calc method controls.

Plan Files tab

Use the Plan Files tab to configure user access to plan files for the file group. Each plan file permission set defines the following: 

  • The plan files that the permission set applies to (all plan files or a filtered subset)
  • The permissions to be applied to those plan files (such as: access level, ability to save data, and calc method permissions)
  • The role inheritance to be applied to the permission set (none, combine, or independent)

Users can have multiple permission sets per file group—for example, to define read/write access to one set of plan files and read-only access to another set of plan files. These permission sets can be configured for the user directly or inherited from one or more roles. Roles can only have one defined permission set per file group.

You can add, edit, and delete permission sets as follows:

  • To add the first permission set for a user or a role, click Add a Permission.
  • To add an additional permission set for a user, click the plus icon.
  • To edit a permission set, double-click it. You can also select it and then click the edit icon.
  • To delete a permission set, select it and then click the delete icon.

NOTES:  

  • If a user has no configured permission sets, the user will inherit role permissions using independent inheritance. Each role's permissions will be inherited as a separate unit. For more information on role inheritance behavior for file groups, see Understanding role inheritance options for file group permissions.

  • If a user has multiple configured permission sets, only the first permission set displays in Open Security in Spreadsheet.

When creating or editing a permission set, the Plan File Permission dialog opens. Within this dialog, you can configure all permissions relating to this permission set.

Item Description

File access level

The level of access that the user or role has to the plan files covered by this permission set. Select from one of the following:

  • No Access: The user or role has no access to plan files.

    The No Access option is intended to be used in conjunction with Interacts with Process Management and/or with Combine role inheritance. You can define other permissions for the plan files, and those permissions will apply when the user's access level is elevated due to a plan file process, or combined with another permission set to result in a higher level of access.

  • Read Only: The user or role has read-only access to plan files.

  • Read/Write: The user or role has read/write access to plan files in the file group.

NOTES:  

  • The ability to save data to the database from within a file is controlled separately, using the Allow Save Data permission.

  • If you are using a plan file process with this file group, select the level of access that you want the user to have when they are NOT the current step owner. For example, you may want the user to have no access if they are not the step owner, or read-only access.

  • If the file group uses virtual spreadsheet plan files, and you want file locking behavior to apply to the plan files, then users must have Read/Write access to the files instead of Read-Only access (even though the virtual files cannot be saved). For more information, see Using virtual plan files.

Allow Save Data

Select this check box if you want the user or role to be able to save data to the database from the plan files covered by this permission set.

NOTES:  

  • If you are using a plan file process to manage access to plan files, you do not need to select this option. When the user is a step owner of a plan file, the user's permissions will be "elevated" as needed, including the ability to save data to the database. Generally you would only enable Allow Save Data for a user if you want the user to be able to save the data at all times, regardless of process step ownership.

  • If a user has Read Only access and Allow Save Data, then the user will be able to save data to the database but not save changes to the file. Generally this configuration would only be used with form-enabled plan files. Users with this combination of rights can save data from the file at any time, regardless of whether the file is locked to another user.

  • In most cases, this option is only selected if the user also has Read/Write access to the file group, so that file changes and data changes can be saved in sync.

Allow Calc Method Insert

Select this check box if you want the user or role to be able to insert calc methods into plan files.

This option enables or disables the user's overall ability to insert calc methods. Within individual templates/plan files, calc method controls can be used to further control which calc methods can be inserted and where they can be inserted.

It is valid to select this option even if the user has No Access or Read Only access to plan files, if the user's access will be elevated by a plan file process or combined with another permission set. It is also valid to insert calc methods in read-only plan files when using form-enabled plan files.

NOTE: This setting does not apply if the user has been granted the Manage Calc Methods permission. Users with this permission can perform any calc method action in any plan file that they have access to within the file group.

Allow Calc Method Change

Select this check box if you want the user or role to be able to change methodologies in the plan file by overwriting one calc method with another.

This option enables or disables the user's overall ability to change calc methods. Within individual templates/plan files, calc method controls can be used to further control which calc methods can be used to overwrite and where overwrite is allowed.

It is valid to select this option even if the user has No Access or Read Only access to plan files, if the user's access will be elevated by a plan file process or combined with another permission set.

NOTE: This setting does not apply if the user has been granted the Manage Calc Methods permission. Users with this permission can perform any calc method action in any plan file that they have access to within the file group.

Allow Unprotect

Select this check box if you want the user or role to be able to unprotect the worksheet and workbook within plan files. If enabled, the user will have access to the Protect toggles in the Advanced group on the Axiom ribbon.

This option should only be granted in special situations. Normally, end users are not allowed to unprotect plan files.

Allow Sheet Assistant

Select this check box if you want the user or role to see the Sheet Assistant. Generally, you should only expose the Sheet Assistant if the user is expected to edit file settings, including Axiom query settings.

Enabling this permission also has the following impacts:

  • The user has access to the Control Sheet. The Control Sheet is hidden by default in plan files but the user can unhide it via the Sheet Assistant.

  • The Drilling Control Sheet will not be hidden if the user has the Sheet Assistant permission.

  • If the user has read/write permission and the Sheet Assistant permission, then the user can enable forms for the file and can see the Form Assistant and Form Control Sheet.

  • The Data Source Assistant is also available if the Sheet Assistant is available.

If this check box is not selected, then the user cannot see the Sheet Assistant or the other related items as described above.

This option should only be granted in special situations. Normally, end users are not allowed to edit settings in plan files.

Allow File Processing

Select this check box if you want the user or role to be able to perform file processing on the file. If selected, then the user has access to file processing features, including the File Processing button on the menu and the File Processing task pane. The related control sheets will also be visible to the user.

If this check box is not selected, then the user cannot perform file processing actions and cannot see the related menu items, task panes, or control sheets.

This option should only be granted in special situations. Normally, end users do not perform file processing in plan files.

Apply settings to

Select one of the following to determine the plan files that this permission set applies to:

  • All Plan Files: The configured permissions apply to all plan files in the file group.

  • Filtered Plan Files: The configured permissions apply to a subset of plan files in the file group, as defined using a filter. For more information on defining a plan file filter, see Defining plan file filters.

Interacts with Process Management

This option specifies whether this permission set interacts with plan file processes. It is enabled by default for users, and disabled by default for roles.

Enabling this option has the following effects, for plan files covered by this permission set:

  • If the access level of the permission set is No Access, the permission set will still be considered for step ownership when the user is directly assigned as the step owner. If "interacts" is disabled, then the permission set is only considered if the access level is at least Read Only.

  • If the ownership assignment is through a role, enabling this option tells the process to consider this permission set when evaluating which role members should be step owners. If this option is not enabled, then this permission set will be ignored by the plan file process when evaluating the role permission.
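
The following Python check is an added example, not part of the Axiom documentation or product. It encodes three statements from the tables above (the Everyone default for Create New Records, the permissions marked for special situations only, and the Read Only plus Allow Save Data combination) as a review over a constructed list of permission sets. The dictionary layout, the CapReq file group, and the principal names are assumptions made for illustration.

```python
LEVELS = {"No Access": 0, "Read Only": 1, "Read/Write": 2}
# Permissions the descriptions above reserve for special situations.
SPECIAL = ("Allow Unprotect", "Allow Sheet Assistant", "Allow File Processing")

# Constructed sample: one on-demand file group and hypothetical principals.
FILE_GROUP = {"code": "CapReq", "on_demand": True,
              "everyone_create_new_records": True}
PERMISSION_SETS = [
    {"principal": "JDoe", "access": "Read Only", "interacts": True,
     "flags": {"Allow Save Data"}},
    {"principal": "ASmith", "access": "No Access", "interacts": True,
     "flags": set()},
    {"principal": "Budget Analysts", "access": "Read/Write", "interacts": False,
     "flags": {"Allow Save Data", "Allow Sheet Assistant"}},
    {"principal": "Viewers", "access": "No Access", "interacts": False,
     "flags": {"Allow Calc Method Insert"}},
]


def audit(file_group, permission_sets):
    """Return (principal, finding) pairs for settings that merit review."""
    findings = []
    everyone_create = (file_group["on_demand"]
                       and file_group["everyone_create_new_records"])
    for ps in permission_sets:
        who, level = ps["principal"], LEVELS[ps["access"]]
        # Create New Records on Everyone reaches any set with Read Only or
        # higher, and any set a plan file process could elevate to that.
        if everyone_create and (level >= 1 or ps["interacts"]):
            findings.append((who, "can create plan files via Everyone"))
        for flag in SPECIAL:
            if flag in ps["flags"]:
                findings.append((who, flag + " granted"))
        if ps["access"] == "Read Only" and "Allow Save Data" in ps["flags"]:
            findings.append((who, "can save data while file is locked"))
    return findings


if __name__ == "__main__":
    for principal, finding in audit(FILE_GROUP, PERMISSION_SETS):
        print(principal + ": " + finding)
```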

Settings for users only

The following settings apply only to users, not to roles. These settings specify how the user will inherit file group rights from any roles that the user is assigned to. For more information, see Understanding role inheritance options for file group permissions.

Item Description

Role Inheritance

Specify how the user will inherit file group permissions from roles:

  • None: The user will not inherit file group permissions from roles. Only the user's configured permissions will be applied. Role permissions will be ignored.

  • Combine: The user's permissions and any role permissions will be combined, so that the user will be granted the most permissive set of rights among all the plan file access settings. Using the Role(s) setting, you can specify whether this applies to all roles that the user belongs to, or only a specific role.

  • Independent (default): The user will inherit permissions from roles, but the user's configured permissions and the role's inherited permissions will be applied separately. Using the Role(s) setting, you can specify whether this applies to all roles that the user belongs to, or only a specific role.

Role(s)

Select which roles the role inheritance settings apply to. This setting only applies if the role inheritance is set to Combine or Independent.

  • If you select (all roles), then the specified inheritance settings apply to all roles that the user belongs to. This is the default setting.

  • If you select a particular role, then the specified inheritance settings apply to only that particular role. If the user belongs to other roles, and those other roles are not selected in additional file group permission sets for the user, then those role permissions are ignored.

Defining plan file filters

To define a filter to control access to plan files, select the Filtered Plan Files option and then use the Filter Wizard to construct the filter. (You can also type a filter directly into the filter box.) The filter must be based on the plan code table for the file group, or on a reference table that the plan code table links to. When using the Filter Wizard, the wizard only displays the eligible tables.

After defining a filter, you can validate it by clicking the Validate filter button. This check is to ensure that the filter syntax is valid. You can test to make sure that a file group filter is operating as you expect by logging in as the user (or as a user assigned to the role) and checking to see which plan files display in the Open Plan Files dialog for the file group.

Filter variables can be used in plan file filters to set a filter that is based on a user's login name (see example below) or on another related user property. This makes it possible to set a filter at the role level, yet resolve the filter dynamically for each user in the role. For more information, see Filter variables.

NOTE: You can leave the filter blank only if you are using Combine role inheritance. This assumes that either the user or the role has a filter that will apply after the permissions are combined. If the filter remains blank after inheritance, then the user will have no access to plan files.

Example filters

DEPT.Dept IN (200,400)

This example limits the user to accessing plan files for departments 200 and 400.

DEPT.Region='North'

This example limits the user to accessing plan files for departments assigned to the North region.

DEPT.Owner='{CurrentUser.LoginName}'

This example limits the user to accessing plan files for departments that are assigned to that user (by the presence of the user's login name in the Owner column). This type of filter would most likely be set on a role, so that the filter could be set once yet resolve dynamically for each user in the role. For example, for user JDoe, this filter would resolve as DEPT.Owner='JDoe'.
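
The following Python code is an added example, not part of the Axiom documentation or product. It resolves the login-name variable per user and lists the departments each example filter exposes, using an in-memory SQLite table as a stand-in for the plan code table. The table rows, the NewHire user, the allowed login-name characters, and the evaluation of the filter as a SQL WHERE clause are assumptions.

```python
import re
import sqlite3

# Constructed plan code table rows (Dept, Region, Owner); the column names
# come from the example filters, the values are made up.
ROWS = [(100, "North", "JDoe"), (200, "South", "JDoe"),
        (300, "North", "ASmith"), (400, "West", "ASmith")]

VARIABLE = "{CurrentUser.LoginName}"
SAFE_LOGIN = re.compile(r"[A-Za-z0-9._-]+")  # assumed login-name alphabet


def resolve(filter_text, login):
    """Resolve the filter variable for one user, e.g. DEPT.Owner='JDoe'."""
    if not SAFE_LOGIN.fullmatch(login):
        raise ValueError("unexpected character in login name: %r" % login)
    return filter_text.replace(VARIABLE, login)


def visible_depts(filter_text, login):
    """Return the Dept codes whose plan files the filter exposes to login."""
    if not filter_text.strip():
        return []  # a filter that is still blank means no plan file access
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE DEPT (Dept INTEGER, Region TEXT, Owner TEXT)")
    db.executemany("INSERT INTO DEPT VALUES (?, ?, ?)", ROWS)
    # Assumption: the filter text is evaluated as a SQL WHERE clause.
    where = resolve(filter_text, login)
    query = "SELECT Dept FROM DEPT WHERE %s ORDER BY Dept" % where
    try:
        return [row[0] for row in db.execute(query)]
    finally:
        db.close()


def audit_role(filter_text, members):
    """Map each role member to the plan files the role filter resolves to."""
    return {login: visible_depts(filter_text, login) for login in members}


if __name__ == "__main__":
    role_filter = "DEPT.Owner='{CurrentUser.LoginName}'"
    members = ["JDoe", "ASmith", "NewHire"]
    for login, depts in audit_role(role_filter, members).items():
        print(login, resolve(role_filter, login), depts)
```

A role member who maps to an empty list, such as NewHire here, has no matching Owner rows and therefore sees no plan files through this permission set.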