Advanced Access Control Settings

The checkbox is deselected by default. After the checkbox is selected, it is available to preview the reports created by means of the Dashboards, Analytical Queries (OLAP), Reports and Time Series Analysis tools as extra large icons in the object navigator.

If this checkbox is selected, it is available to preview even the objects, for which the user does not have permissions to open (read), but has permissions to read descriptor (this permission is required to display an object in the object navigator). When the checkbox is deselected, object class icons is displayed for such objects.

If the Use Mandatory Access Control or Use Security Levels checkboxes are selected, objects cannot be displayed as extra large icons.

NOTE. Selecting or deselecting the checkbox is logged.

On selecting the checkbox copying to clipboard and screenshots are available. Deselecting this checkbox blocks these functionalities. The checkbox is selected by default.

If the checkbox is selected, auditing of copying information to clipboard is enabled. The record is logged in the access protocol as the Export operation. If the Allow Copying to Clipboard and Making Screenshots checkbox is deselected, the auditing of failed operations is executed on working with clipboard.

NOTE. Making screenshots is not logged.

The checkbox is selected by default. Hiding this checkbox allows to block development tools in Foresight Analytics Platform, that can be used by advanced users to export data from the warehouse of Foresight Analytics Platform. Execution of the Dal system assembly, the File class in the IO system assembly, the UIQuery component will be blocked. The following methods will not be executed:

For the IFile interface:

Open.
AppendBinary.
AppendText.
OpenBinaryReader.
OpenTextReader.
OpenBinaryWriter.
OpenTextWriter.

For the IFileStream interface:

Create.

For the IFileInfo interface:

Open.
AppendBinary.
AppendText.
OpenBinaryReader.
OpenTextReader.
OpenBinaryWriter.
OpenTextWriter.

Selecting the checkbox enables the user to rewrite the released memory with zeroes.

Select the checkbox to create a special role at DBMS server. All permissions at DBMS level to work with repository will be granted for a special role.

A special role is used to grant permissions to users on repository login without access to system objects: read, modify, delete, etc.

NOTE. An application role can be used, if the p4audit service user is created.

Selecting the checkbox enables the user to apply password hashing. Password specified in database settings is hashed on establishing connection with the database. The checkbox is deselected by default.

On selecting this checkbox the Do not Hash Admin Password checkbox is available and it enables the user to disable password hashing for administrator only.

NOTE. Administrator (ADMIN) is the owner of the schema.

Cancel of the administrator password hashing can be required when:

Admin's password is used to connect to database using TOAD or PlsqlDev. For example, to create a user at the DBMS level.
On specifying administrator's password in connection of the web application (web.config).

After enabling or disabling password hashing on the next connection to the database the password is checked if it is hashed, and if the answer is No or Yes, the password change dialog box opens.

When this checkbox is selected, Foresight Analytics Platform built-in authorization is used. A connection is made under the built-in administrator (the schema owner in DBMS) to access the DBMS data. Passwords and permissions are checked at Foresight Analytics Platform level and permissions are not granted through the database server. If the checkbox is deselected, authorization by means of DBMS only is used.

To save DBMS schema owner's login and password encrypted, use the PP.Util.exe utility.

This type of authorization is used in configuration of Foresight Analytics Platform via security server.

NOTE. Enabled built-in authorization is not used if repository settings have integrated domain, domain or role authentication in DBMS set.

The checkbox is available if the role separation between ISA and AA is enabled.

The checkbox determines whether users holding the same privilege as the application administrator can open repository objects. If this checkbox is selected, the fact that the user holds the Reading and Writing Permissions for All Navigator Objects privilege is ignored, and the attempt to open a repository object brings up a message that the user has not enough permissions to perform this operation.

The checkbox is available if the role separation between ISA and AA is enabled.

If the checkbox is selected, the application administrator (or a user holding the Creating and Deleting Users privilege) cannot delete a user who has any access permissions to repository objects. On an attempt to delete a user, the notification message appears that this user has access permissions. Deleting such a user requires removing all available access permissions. On deleting the user only permissions are checked; prohibitions are ignored, that is, the user who has only prohibitions will be deleted.

The checkbox is available if the role separation between ISA and AA is disabled.

After selecting the checkbox and enabling role separation, ISA will not be available to delete groups with access permissions to repository objects.

The checkbox is deselected by default, and it becomes available only when the role separation between ISA and AA is enabled.

The checkbox is displayed only for Oracle-based repositories.

If the checkbox is selected, two roles are created that contain the Create User, Drop User and Alter User permissions:

The first role includes the Create User and Drop User system privileges.
The second role includes the Alter User system privilege.

When the checkbox is deselected, both roles are deleted. Also, roles are deleted on deactivating of role distribution between ISA and AA.

Selecting the checkbox sets the period, during which the reuse of deleted user identifier is forbidden.

Selecting this checkbox enables the user to set the period of user inactivity, by the end of which the user is blocked.

Delayed loading is applied on a large number of users, delayed loading subjects are loaded after finishing regular object loading.

If the checkbox is selected, all new security objects have their own delayed loading checkbox.

By default, if delayed loading is used, all objects are loaded simultaneously.

NOTE. If section parameters have been changed, an attempt to go to another section of the security manager or to close it displays a request to apply changed settings.