AX2599
Understand role inheritance options for file group permissions
Role inheritance for file group permissions is handled differently than in other areas of Security. For each set of permissions defined for a user on the File Groups tab, you can specify whether role permissions are inherited and how they are inherited.
File group permissions have three different role inheritance options:
- None
- Combine
- Independent
By default, if no file group permissions are configured for a user, the role inheritance is set to Independent. This means that the user inherits file group settings from all roles they are assigned, but those inherited settings are applied independently rather than merged.
The following sections describe how each role inheritance option works.
No inheritance
The None option means that no role inheritance applies: role settings are ignored for this particular permission set. If the user has only one permission set, role settings for the File Groups tab are ignored entirely.
The following example shows how file group settings are treated with no inheritance, assuming that the user belongs to the role:
File group settings | User-configured settings | Role-configured settings | User Effective Permissions |
---|---|---|---|
File Access Level | Read-only | Read/Write | Read-only |
Allow Save Data | Unchecked | Checked | Unchecked |
Allow Calc Method Insert | Checked | Checked | Checked |
Allow Calc Method Change | Unchecked | Checked | Unchecked |
Apply settings to | Filtered Plan Files: DEPT.Region='North' | Filtered Plan Files: DEPT.Region='South' | Filtered Plan Files: DEPT.Region='North' |
In this example, the role settings are ignored, and the user has only their configured permissions.
Combine inheritance
The Combine option means that the user's permissions are combined with role permissions. For each individual setting, the user is granted the most permissive value defined for either the user or the role.
The following example shows how file group settings are treated with combine inheritance, assuming that the user belongs to the role:
File group settings | User-configured settings | Role-configured settings | User Effective Permissions |
---|---|---|---|
File Access Level | Read-only | Read/Write | Read/Write |
Allow Save Data | Unchecked | Checked | Checked |
Allow Calc Method Insert | Checked | Checked | Checked |
Allow Calc Method Change | Unchecked | Checked | Checked |
Apply settings to | Filtered Plan Files: DEPT.Region='North' | Filtered Plan Files: DEPT.Region='South' | Filtered Plan Files: (DEPT.Region='North') OR (DEPT.Region='South') |
In this example, the user and role permissions are combined and the user is granted the most permissive set of rights available for each individual setting.
When you select combine inheritance, you can choose to combine with all roles that the user is assigned or to combine with a specific role. For example, imagine that the user belongs to role A and role B with the following permissions:
File group settings | User-configured settings | Role A-configured settings | Role B-configured settings |
---|---|---|---|
File Access Level | Read-only | Read/Write | Read-only |
Allow Save Data | Unchecked | Checked | Unchecked |
Allow Calc Method Insert | Checked | Checked | Unchecked |
Allow Calc Method Change | Unchecked | Checked | Unchecked |
Apply settings to | Filtered Plan Files: DEPT.Region='North' | Filtered Plan Files: DEPT.Region='South' | Filtered Plan Files: DEPT.Country='France' |
In this case, the effective permissions of the user depend on whether the combine inheritance is set to all roles or to a specific role:
File group settings | Combine: All Roles | Combine: Role A | Combine: Role B |
---|---|---|---|
File Access Level | Read/Write | Read/Write | Read-only |
Allow Save Data | Checked | Checked | Unchecked |
Allow Calc Method Insert | Checked | Checked | Checked |
Allow Calc Method Change | Checked | Checked | Unchecked |
Apply settings to | Filtered Plan Files: (DEPT.Region='North') OR (DEPT.Region='South') OR (DEPT.Country='France') | Filtered Plan Files: (DEPT.Region='North') OR (DEPT.Region='South') | Filtered Plan Files: (DEPT.Region='North') OR (DEPT.Country='France') |
When combined with all roles, the user is granted the most permissive set of rights across all of the roles. When combined with only one of the roles, the second role is effectively ignored. Unless the user has another set of permissions that allows inheritance from the second role, the user does not inherit any file group settings from the second role.
Independent inheritance
The Independent option means that the user inherits permissions from roles but the role permissions are applied independently from the user's configured permissions. The user and role permissions are not merged as they are when using the combine option. The user effectively has two sets of permissions:
- one set based on the user's configured permissions, and
- one set based on the role's inherited permissions.
Additionally, if the user belongs to multiple roles, each role's permissions are inherited independently from each other (assuming that the independent inheritance is set to apply to all roles).
The following example shows how file group settings are treated with independent inheritance, assuming that the user belongs to the role:
File group settings | User-configured settings | Role-configured settings |
---|---|---|
File Access Level | Read-only | Read/Write |
Allow Save Data | Unchecked | Checked |
Allow Calc Method Insert | Checked | Checked |
Allow Calc Method Change | Unchecked | Checked |
Apply settings to | Filtered Plan Files: DEPT.Region='North' | Filtered Plan Files: DEPT.Region='South' |
In this example, the user's effective permissions are the user-configured permissions and the role-configured permissions, each applied separately. When the user accesses a plan file that belongs to the North region, it is read-only, and the user is not able to change calc methods. When the user accesses a plan file that belongs to the South region, it is read/write, and the user has all of the other plan file permissions as defined for the role.
If there is any overlap between the two independent permissions, the user is granted the most permissive set of rights for the area of overlap only. In the previous example, the filters cannot overlap, but imagine that the user and role filters were something like the following instead:
Filter | Condition |
---|---|
User filter | DEPT >= 5000 and DEPT < 6000 |
Role filter | DEPT >= 4000 and DEPT < 6000 |
In this case, the role permissions alone apply to any departments from 4000 up to 4999. Where the permissions overlap, for departments 5000 to 5999, the user and role permissions are combined.
NOTE: If you use independent inheritance with a specific role instead of all roles, that configuration blocks inheritance from all other roles unless the user has another permission set that allows the inheritance from the other roles.
Multiple permission sets
For each file group, a user can have multiple sets of permissions that apply to the plan files in that file group. This enables you to define different permissions for different subsets of files. For example, you might want to give a user full read/write access to plan files belonging to the North region but only read access to plan files belonging to the South region. In this case, you can create two sets of permissions for the user.
If a user has multiple permission sets, each permission set has its own role inheritance settings. For example, you may want to define filters at the user level but define other access rights at the role level, as shown in the following example:
File group settings | User-configured settings (Set 1) | Role A-configured settings | User Effective Permissions (Combine: Role A) |
---|---|---|---|
File Access Level | None | Read/Write | Read/Write |
Allow Save Data | Unchecked | Checked | Checked |
Allow Calc Method Insert | Unchecked | Checked | Checked |
Allow Calc Method Change | Unchecked | Checked | Checked |
Apply settings to | Filtered Plan Files: DEPT.Region='North' | Filtered Plan Files: <Blank Filter> | Filtered Plan Files: DEPT.Region='North' |
File group settings | User-configured settings (Set 2) | Role B-configured settings | User Effective Permissions (Combine: Role B) |
---|---|---|---|
File Access Level | None | Read-only | Read-only |
Allow Save Data | Unchecked | Unchecked | Unchecked |
Allow Calc Method Insert | Unchecked | Checked | Checked |
Allow Calc Method Change | Unchecked | Unchecked | Unchecked |
Apply settings to | Filtered Plan Files: DEPT.Region='South' | Filtered Plan Files: <Blank Filter> | Filtered Plan Files: DEPT.Region='South' |
Defining multiple permission sets with separate inheritance settings is a flexible feature capable of meeting a variety of security requirements. When using multiple permission sets, note that it is possible to configure settings that cancel or contradict the settings of another set.
For example, if you configure one permission set with no role inheritance and then configure a second permission set with independent inheritance, the no inheritance setting on the first set is pointless (because you are already independently inheriting all role settings from the second set). Conversely, it can be meaningful to have no inheritance on the first permission set, and then combine inheritance on the second permission set (for either all roles or a specific role). You must understand the purpose of each permission set and check the effective permissions section for the user to ensure that permissions are being inherited as intended.
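The Combine and Independent rules, the overlap rule for independent sets, and the multiple-permission-set example above can all be checked mechanically rather than by reading tables. The following Python model is an added example, not Axiom's code: it encodes the rules exactly as this page states them, represents each "Apply settings to" filter as a predicate over a plan file's attributes, and takes from the Set 1 / Set 2 tables the assumption that a <Blank Filter> adds no extra scope when combined with a user filter. The role names, the DEPT/Region/Country attributes and the effective_sets/effective_for function names are this example's own.

```python
"""Effective file group permissions under None / Combine / Independent inheritance.

Added example, not Axiom's code. It models the rules this page describes:
  - None:        role settings are ignored for the permission set
  - Combine:     per-setting most permissive union of user and role settings
  - Independent: user and role sets govern side by side; in any overlap the
                 most permissive rights win
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACCESS_RANK = {"None": 0, "Read-only": 1, "Read/Write": 2}
# A filter is a predicate over a plan file's attributes; None = <Blank Filter>.
Filter = Optional[Callable[[dict], bool]]


@dataclass(frozen=True)
class Perm:
    access: str                 # File Access Level
    save_data: bool             # Allow Save Data
    calc_insert: bool           # Allow Calc Method Insert
    calc_change: bool           # Allow Calc Method Change
    applies: Filter = None      # Apply settings to (filtered plan files)

    def matches(self, plan_file: dict) -> bool:
        return self.applies is None or self.applies(plan_file)

    def rights(self) -> Tuple[str, bool, bool, bool]:
        return (self.access, self.save_data, self.calc_insert, self.calc_change)


NO_ACCESS = Perm("None", False, False, False)


def or_filters(filters: List[Filter]) -> Filter:
    """OR of the non-blank filters. Assumption taken from the Set 1 / Set 2 tables:
    a <Blank Filter> contributes no extra scope when combined (North combined
    with <Blank Filter> stays North)."""
    active = [f for f in filters if f is not None]
    if not active:
        return None
    return lambda plan_file: any(f(plan_file) for f in active)


def merge(*perms: Perm) -> Perm:
    """The Combine rule: most permissive value of each setting across the sets."""
    if not perms:
        return NO_ACCESS
    return Perm(
        access=max((p.access for p in perms), key=ACCESS_RANK.__getitem__),
        save_data=any(p.save_data for p in perms),
        calc_insert=any(p.calc_insert for p in perms),
        calc_change=any(p.calc_change for p in perms),
        applies=or_filters([p.applies for p in perms]),
    )


# A user-configured set: (settings, inheritance mode, role). role=None means
# "all roles"; a role name means "inherit from that specific role only".
UserSet = Tuple[Perm, str, Optional[str]]


def effective_sets(user_sets: List[UserSet], user_roles: Dict[str, List[Perm]]) -> List[Perm]:
    """Expand the user's configured sets into the permission sets that govern the user."""
    if not user_sets:  # default: independent inheritance from all roles
        return [p for perms in user_roles.values() for p in perms]
    governing: List[Perm] = []
    for perm, mode, role in user_sets:
        if mode == "none":
            governing.append(perm)  # role settings ignored for this set
            continue
        inherited = [p for name in ([role] if role else user_roles) for p in user_roles[name]]
        if mode == "combine":
            governing.append(merge(perm, *inherited))
        elif mode == "independent":
            governing.append(perm)
            governing.extend(inherited)  # each role's set stands on its own
        else:
            raise ValueError(f"unknown inheritance mode: {mode}")
    return governing


def effective_for(plan_file: dict, governing: List[Perm]) -> Perm:
    """Rights on one plan file: the most permissive of every governing set whose
    filter matches it. This is also how overlapping independent sets resolve."""
    hits = [p for p in governing if p.matches(plan_file)]
    return merge(*hits)


# Sample data constructed from this page's Role A / Role B tables.
north = lambda pf: pf.get("Region") == "North"
south = lambda pf: pf.get("Region") == "South"
france = lambda pf: pf.get("Country") == "France"
USER = Perm("Read-only", False, True, False, north)
ROLES = {
    "Role A": [Perm("Read/Write", True, True, True, south)],
    "Role B": [Perm("Read-only", False, False, False, france)],
}

if __name__ == "__main__":
    files = [{"Region": "North"}, {"Region": "South"}, {"Region": "East", "Country": "France"}]
    for mode, role in [("none", None), ("combine", None), ("combine", "Role B"), ("independent", None)]:
        governing = effective_sets([(USER, mode, role)], ROLES)
        print(mode, role or "all roles", [effective_for(f, governing).rights() for f in files])
```

Running the script prints the rights the sample user gets on a North, a South and a French plan file under each inheritance option; the Combine: Role B line reproduces the Read-only / Unchecked / Checked / Unchecked column shown earlier, and the Independent line shows the role's rights appearing only on South and French files. Calling effective_for with a user's full list of governing sets is the same check as reading the effective permissions section for that user, which is what the last paragraph recommends whenever several permission sets carry different inheritance settings.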