Creating Authorization Objects

Authorization object is the repository object used for access control of users and groups of users by creating data segments.

Data segments are cube slices.

Cube data slice is a two-dimensional data table obtained by fixing one or some of the multidimensional cube dimensions.

Authorization object determines access permissions for users or groups of users to the specified data segments of two types:

• Static permissions that are permanent.

• Permissions that are in use only on process step execution.

NOTE. The authorization object with dynamic access permissions must be specified on creating process steps.

To create authorization objects, use the authorization object wizard.

To open the wizard

Basic properties

The first authorization object wizard page is Basic Properties:

On the first wizard page specify basic properties of authorization object:

• Name. Enter authorization object name.

• Identifier. Change unique identifier of authorization object if required.

• Comment. Determine comment to authorization object if required.

• Authorization Object Type. Determine access type for users of groups of users:

• Static. On selecting the radio button, two areas appear - Read Permissions and Read and Write Permissions where users of groups of users are specified which authorizations are permanent and independent of process steps execution, based on user's specific group.

Example of users selection with static type

• For process steps. If the radio button is selected the Available Roles area appears, where the users or groups of users, whose permissions will be determined on setting up specific process steps, are marked.

Example of users selection for process steps

After object basic properties have been determined, click the Next button.

Data segments

The next wizard page, Data Segments, is used to determine the list of data segments. Data segments are set by determining selections by dimensions of the selected source.It enables dividing data source into segments available for singnle groups of users work.

Execute the following actions on the second wizard page:

Add a source

Delete source

Set selection by source dimensions

Click the Finish button to exit the wizard.

Thus, static data segments are created outside the processes using authorization objects, to which the permissions are granted for selected users or groups of users. Access permissions to static data segments are determined by discretionary access control method. The attribute access control method can be used additionally to discretionary access control.

For details about selecting access control methods and their setup see the Selecting Access Control Methods and Their Setup article.

To work, dynamic data segments, that are created on starting process step and are active till it is finished, are defined in processes using authorization objects.

After creating authorization objects, set up them.

See also:

Setting Up Role Model | Setting Up Authorization Objects