AX2609

Table permissions

The settings on the Tables tab define access for each table or table type. The left-hand side of the tab lists the available tables in the system, organized by table type. Tables that do not belong to a table type are listed under (No Type). When you select a table or a table type in the list, you can configure the security settings for the user or role within the Configured Permissions section in the right-hand side of the tab.

Example Tables tab

The Effective Permissions section displays the full permissions of the user for the selected item, taking into account any rights inherited from the table type or a role, and other settings such as administrator rights or subsystem restrictions. Make sure to check this section to ensure that users are being granted rights as you expect.

Because table permissions can be set at any point in the treeview, it can be difficult to later tell which items have been configured. To change the view to only show items with configured permissions, select the check box for Show configured items only. If the treeview is blank after selecting this check box, this means that the user or role has no configured permissions.

NOTE: By default, the Everyone role grants all users full read access to document reference tables Database tables that are managed within an Axiom file. The table structure is created based on the document structure each time the data is saved. Primarily used for driver files in file groups.. Any changes made to document reference tables in the Tables tab will not apply to users unless you modify the Everyone role to remove full access (or unless you configure the user to ignore role inheritance for that table).

Read access settings

The following settings apply to all tables and table types, to define read access to data. By default, the write access is automatically set to the same level as the read access. If that is the desired level of access, then you do not need to do anything further to configure write access for a table or table type.

Item Description

Item	Description
Full access (Full read access)	Select this check box if you want the user or role to have full access to the table or table type. By default, this check box grants full read and write access. If you want to configure write access separately, then you must enable the separate option to Specify custom write access. Selecting that option exposes additional settings for write access, and renames this check box to Full read access. NOTE: If you are defining access for a table that belongs to a table type, and full access has already been granted at the table type level, then this check box is effectively ignored. However, the setting will be stored at the table level and could apply in the future if the table type access is ever changed, or if the table is removed from the table type. Be sure to check the Effective Permissions section of the dialog to see what level of access is being granted due to inheritance.
Filter (Read filter)	If you want the user or role to have filtered access to the table or table type, specify the filter. For example: `ACCT.Acct>10000` restricts the user to only accessing data for accounts over 10000. `DEPT.Dept=100` restricts the user to only accessing data for department 100. `DEPT.Region='North'` restricts the user to only accessing data for departments assigned to the North region. By default, the filter applies to both read and write access. If you want to configure write access separately, then you must enable the separate option to Specify custom write access. Selecting that option exposes additional settings for write access, and renames this option to Read filter. NOTE: If you are defining a filter for a table that belongs to a table type, the filter will be concatenated to the table type filter using OR. If full access has been granted at the table type level, then the table level filter is effectively ignored. However, the filter will be stored for the table and could apply in the future if the table type access is ever changed, or if the table is removed from the table type. Be sure to check the Effective Permissions section of the dialog to see what level of access is being granted due to inheritance.

Full access

(Full read access)

Select this check box if you want the user or role to have full access to the table or table type.

By default, this check box grants full read and write access. If you want to configure write access separately, then you must enable the separate option to Specify custom write access. Selecting that option exposes additional settings for write access, and renames this check box to Full read access.

NOTE: If you are defining access for a table that belongs to a table type, and full access has already been granted at the table type level, then this check box is effectively ignored. However, the setting will be stored at the table level and could apply in the future if the table type access is ever changed, or if the table is removed from the table type. Be sure to check the Effective Permissions section of the dialog to see what level of access is being granted due to inheritance.

Filter

(Read filter)

If you want the user or role to have filtered access to the table or table type, specify the filter. For example:

ACCT.Acct>10000 restricts the user to only accessing data for accounts over 10000.
DEPT.Dept=100 restricts the user to only accessing data for department 100.
DEPT.Region='North' restricts the user to only accessing data for departments assigned to the North region.

By default, the filter applies to both read and write access. If you want to configure write access separately, then you must enable the separate option to Specify custom write access. Selecting that option exposes additional settings for write access, and renames this option to Read filter.

NOTE: If you are defining a filter for a table that belongs to a table type, the filter will be concatenated to the table type filter using OR. If full access has been granted at the table type level, then the table level filter is effectively ignored. However, the filter will be stored for the table and could apply in the future if the table type access is ever changed, or if the table is removed from the table type. Be sure to check the Effective Permissions section of the dialog to see what level of access is being granted due to inheritance.

To define a filter for a table or table type, type the filter into the Filter box, or use the Filter Wizard . Note the following:

If the filter is for a table type, the filter should be based on key columns that are common to all tables in the table type (using either the key column itself, or a column in the lookup table that the key column links to). For example, if the GL table type has two required key columns, ACCT and DEPT, then you can create a table type filter that uses one or both of these columns, or one that uses grouping columns in the associated reference tables. Filters using any other columns may be invalid.
If the table type has required columns, then any filter defined must be based on those required columns. If the required columns do not have lookups, then no valid filters can be defined.
When selecting key columns in the Filter Wizard, the Filter Wizard automatically uses the lookup column in the reference table instead of the column in the data table. For example, if you select the column Acct in the GL2022 data table, the filter wizard automatically uses ACCT.ACCT in the filter (instead of GL2022.ACCT).

After defining a filter, you can validate the filter syntax by clicking the Validate filter button .

IMPORTANT: If you define a write filter on a reference table, then any columns used in the filter must also be included in the save definition when saving to that table using Save Type 1. For example, if the table is DEPT and the filter uses DEPT.Region, then the Region column must be included in the save definition in order for the user to save data.

Write access settings

The following settings only apply if you want to configure write access at a different level than the read access.

NOTE: Write access settings do not apply to document reference tables. Document reference tables are only created and edited via a source document; therefore the ability to write data to the table is controlled by the user's access rights to the document.

Item Description

Item	Description
Specify custom write access	Select this check box if you want to configure write access at a different level than the read access. When this check box is selected, two additional settings become available in the dialog to set the write access: Full write access and Write filter. If you want the user to have no write access to the table, then select this check box and ignore the other write access settings. If Full write access is unchecked and Write filter is blank, then the user has no write access.
Full write access	Select this check box if you want the user or role to have full write access to the table or table type. NOTE: If you are defining access for a table that belongs to a table type, and full access has already been granted at the table type level, then this check box is effectively ignored. However, the setting will be stored at the table level and could apply in the future if the table type access is ever changed, or if the table is removed from the table type. Be sure to check the Effective Permissions section of the dialog to see what level of access is being granted due to inheritance.
Write filter	If you want the user or role to have filtered write access to the table or table type, specify the filter. For example: `ACCT.Acct>10000` restricts the user to only saving data for accounts over 10000. `DEPT.Dept=100` restricts the user to only saving data for department 100. `DEPT.Region='North'` restricts the user to only saving data for departments assigned to the North region. NOTE: If you are defining a filter for a table that belongs to a table type, the filter will be concatenated to the table type filter using OR. If full access has been granted at the table type level, then the table level filter is effectively ignored. However, the filter will be stored for the table and could apply in the future if the table type access is ever changed, or if the table is removed from the table type. Be sure to check the Effective Permissions section of the dialog to see what level of access is being granted due to inheritance.

Specify custom write access

Select this check box if you want to configure write access at a different level than the read access.

When this check box is selected, two additional settings become available in the dialog to set the write access: Full write access and Write filter.

If you want the user to have no write access to the table, then select this check box and ignore the other write access settings. If Full write access is unchecked and Write filter is blank, then the user has no write access.

Full write access

Select this check box if you want the user or role to have full write access to the table or table type.

Write filter

If you want the user or role to have filtered write access to the table or table type, specify the filter. For example:

ACCT.Acct>10000 restricts the user to only saving data for accounts over 10000.
DEPT.Dept=100 restricts the user to only saving data for department 100.
DEPT.Region='North' restricts the user to only saving data for departments assigned to the North region.

To define a filter for a table or table type, type the filter into the Filter box, or use the Filter Wizard . Note the following:

If the filter is for a table type, the filter should be based on key columns that are common to all tables in the table type (using either the key column itself, or a column in the lookup table that the key column links to). For example, if the GL table type has two required key columns, ACCT and DEPT, then you can create a table type filter that uses one or both of these columns, or one that uses grouping columns in the associated reference tables. Filters using any other columns may be invalid.
If the table type has required columns, then any filter defined must be based on those required columns. If the required columns do not have lookups, then no valid filters can be defined.
When selecting key columns in the Filter Wizard, the Filter Wizard automatically uses the lookup column in the reference table instead of the column in the data table. For example, if you select the column Acct in the GL2022 data table, the filter wizard automatically uses ACCT.ACCT in the filter (instead of GL2022.ACCT).

After defining a filter, you can validate the filter syntax by clicking the Validate filter button .

Other table permissions

The following permissions can also be defined for tables and table types:

Item	Description
Open Table in Spreadsheet	This option specifies whether the user can view the table in Open Table in Spreadsheet, and at what level of access. Select one of the following: None (default): The user cannot view the table in Open Table in Spreadsheet. Read-Only: The user can view the table as read-only in Open Table in Spreadsheet. Read/Write: The user can view the table as read/write in Open Table in Spreadsheet. Granting this permission gives the user access to the Table Library, so that the user can launch Open Table in Spreadsheet for the table. This permission does not apply to document reference tables. Document reference tables cannot be opened via Open Table in Spreadsheet. This permission can only be assigned if the user has read or read/write permission to the table data (either configured on the user or inherited from a role). If the user inherits Open Table in Spreadsheet permission from a role but does not have any corresponding access to table data, then the permission will be ignored. If the user is granted read/write access to Open Table in Spreadsheet but only has read access to the table, then the spreadsheet access will be limited to read-only.
Allow changing table structure	Select this check box if you want the user to be able to edit the table structure and table properties. If selected, then the user can open the Edit Table dialog for the table. The user can add, modify, and delete table columns, as well as modify other table properties. Granting this permission gives the user access to the Table Library, so that the user can launch Edit table structure for the table. By default this option is not selected, which means the user cannot edit the table structure or table properties. This permission does not apply to document reference tables. The table structure of document reference tables is controlled via the source file. This permission can be granted regardless of whether the user has access to the table data.
Ignore role inheritance	Select this check box if you do not want the user to inherit table access settings from a role (including the Everyone role). If selected, then only the user's individual settings will be used to determine access to data in the table or table type. If this check box is not selected, then the user will be granted the most permissive set of rights among the user's configured settings and any roles that the user belongs to. If both the user and a role have filtered access, then the filters are concatenated using OR.

Item

Description

Open Table in Spreadsheet

This option specifies whether the user can view the table in Open Table in Spreadsheet, and at what level of access. Select one of the following:

None (default): The user cannot view the table in Open Table in Spreadsheet.
Read-Only: The user can view the table as read-only in Open Table in Spreadsheet.
Read/Write: The user can view the table as read/write in Open Table in Spreadsheet.

Granting this permission gives the user access to the Table Library, so that the user can launch Open Table in Spreadsheet for the table.

This permission does not apply to document reference tables. Document reference tables cannot be opened via Open Table in Spreadsheet.

This permission can only be assigned if the user has read or read/write permission to the table data (either configured on the user or inherited from a role). If the user inherits Open Table in Spreadsheet permission from a role but does not have any corresponding access to table data, then the permission will be ignored. If the user is granted read/write access to Open Table in Spreadsheet but only has read access to the table, then the spreadsheet access will be limited to read-only.

Allow changing table structure

Select this check box if you want the user to be able to edit the table structure and table properties. If selected, then the user can open the Edit Table dialog for the table. The user can add, modify, and delete table columns, as well as modify other table properties.

Granting this permission gives the user access to the Table Library, so that the user can launch Edit table structure for the table.

By default this option is not selected, which means the user cannot edit the table structure or table properties.

This permission does not apply to document reference tables. The table structure of document reference tables is controlled via the source file.

This permission can be granted regardless of whether the user has access to the table data.

Ignore role inheritance

Select this check box if you do not want the user to inherit table access settings from a role (including the Everyone role).

If selected, then only the user's individual settings will be used to determine access to data in the table or table type.
If this check box is not selected, then the user will be granted the most permissive set of rights among the user's configured settings and any roles that the user belongs to. If both the user and a role have filtered access, then the filters are concatenated using OR.

Restricting access to document reference tables

By default, all users have full read access to document reference tables, via the Everyone role. In most cases this is the desirable level of access. However, in some cases you may need to restrict access to a subset of users. To restrict access to a document reference table, you must do the following:

In the Everyone role, clear the Full Access check box for the table. Now no non-admin users have access to the table.
For each individual user or role that you want to grant full or filtered access to the table, modify the table access settings as desired.

TIP: Alternatively, you could leave the Everyone role at full access, and then modify specific users to Ignore role inheritance for the table. Those users would then have no access to the table.

Write access settings do not apply to document reference tables. Document reference tables are only created and edited via a source document; therefore the ability to write data to the table is controlled by the user's access rights to the document.

NOTE: If you have restricted access to a document reference table created by a driver file, keep in mind that your security changes will not be cloned when the file group is cloned. This is because the table itself is not cloned; the driver file is. If you want to apply the same changes to the new table created by the new driver file, then you will need to manually configure access to this table after processing the drivers for the new file group.