Distributing Privileges

To distribute privileges between system users, use the Privileges section on the navigation panel.

NOTE. When roles of information security administrator and application administrator are separated, the Privileges section is available only for information security administrator.

The privileges enable the user to execute various operations in Foresight Analytics Platform and at DBMS level. When the following operations are executed: create, delete, or edit object structure, grant object access permissions, create and update users, the system connects to the database and requests user credentials in the Database Authorization dialog box. To execute the operation, the user should have appropriate privileges and access permissions at DBMS level.

There is a list of default privilege holders next to each privilege. The owner of the ADMIN schema is included in the Administrators built-in group and inherits a set of privileges of this group.

The privilege enables the users to log in to the system.

This privilege is granted by default to the Administrators and the Users built-in groups.

When roles of information security administrator and application administrator are separated, this privilege will e granted to the Administrators and the Users built-in groups, and the <schema name>_ISA information security administrator.

The privilege enables the users to execute the following operations:

In the Users section:

Change users properties.
Change user password.
Edit service user.
Work with personal user folders.
Export users list in the *.csv format.
View connected users.

In the Groups section:

Create a group of users.
Change properties of a group of users.

In the Privileges section:

Add and remove privilege holders.

In the Policies Editor section:

Set up general policy.
Set up password policy.
Select access control methods and set up access control.
Set up workstation and printer access.

In the Object Classes section:

Select auditing and history operations.

This privilege is given by default to the Administrators built-in group.

When roles of information security administrator and application administrator are separated, this privilege will be granted only to the <schema name>_ISA information security administrator.

The privilege enables the users to execute the following operations in the Navigator:

Change object access control parameters.
View access permissions as icons.
Separate access permissions for MDM dictionary elements.

This privilege is given by default to the Administrators built-in group.

When roles of information security administrator and application administrator are separated, this privilege will be granted only to the <schema name>_ISA information security administrator.

The privilege enables the users to execute the following operations:

Create relational objects at DMS level.
View and open all objects in the navigator.

This privilege is given by default to the Administrators built-in group.

When roles of information security administrator and application administrator are separated, this privilege will be granted only to the Administrators built-in group.

The privilege enables the users to clear access protocol in the Access Protocol section.

This privilege is given by default to the Administrators built-in group.

When roles of information security administrator and application administrator are separated, this privilege will be granted only to the <schema name>_ISA information security administrator.

The privilege enables the users to view access protocol in the Access Protocol section.

This privilege is granted by default to the Administrators and the Users built-in groups.

The privilege enables the users to execute the following operations in the Users section:

Create and delete users.
Add and delete domain users.
Add and delete domain groups of users if the user has the Changing User Permissions, Distributing Roles, Changing Policy permission.
Edit service user
Change user's common properties.
Change user password
Work with personal user folders
Export users list in the *.csv format
View connected users.

This privilege is given by default to the Administrators built-in group.

When roles of information security administrator and application administrator are separated, this privilege will be granted only to the owner of the ADMIN schema.

The privilege enables the users to disconnect other users connected to a repository in the Users section.

This privilege is given by default to the owner of the ADMIN schema.

When roles of information security administrator and application administrator are separated, this privilege will be granted only to the <schema name>_ISA information security administrator.

The privilege enables the users to execute the following operations:

In the Users section:

Update user permissions.

In the Groups section:

Update permissions of a group of users.

This privilege is given by default to the Administrators built-in group.

When roles of information security administrator and application administrator are separated, this privilege will be granted only to the Administrators built-in group.

The privilege enables the users to open the object navigator.

NOTE. The user who does not have this privilege can open repository objects, for which he has access permissions, using a link to the specified object or on the web application start page.

This privilege is granted by default to the Administrators and the Users built-in groups.

When roles of information security administrator and application administrator are separated, this privilege will be granted only to the Administrators built-in groups.

The privilege enables the users to execute the following operations:

Create an update in the update manager.
Install update in the update manager.
Copy calculation algorithms in the object navigator.
Copy elements located in the working area, in the calculation algorithms.

This privilege is given by default to the Administrators built-in group.

When roles of information security administrator and application administrator are separated, this privilege will be granted only to the application administrator.

The privilege is used to control compliance with the project documentation and system settings, control access of users and administrators to the functional capabilities of the information system. The privilege does not allow for editing the security manager settings specified below.

The privilege enables the users to execute the following operations in the web application:

View object permissions in the Navigator section.
View the list of users and their properties in the Users section.
View the list of groups of users and their properties in the Groups section.
View information about distribution of privileges between repository users and groups of users in the Privileges section.
View the set of policies and access check rules in the Attribute-Based Access Control section.
View security categories and levels in the Mandatory Access Control section.
View security policy settings in the Policies Editor section: general policy; password policy; access control, and access of workstations and printers.
View operation auditing settings in the Object Classes section.

By default, the privilege is not assigned to any user or group of users.

When roles of information security administrator and application administrator are separated, this privilege will be granted only to the security subjects, which had it before role separation.

NOTE. Adding or deleting the Security Policy Auditing privilege is available in the web application and in the desktop application. Executing operations corresponding to this privilege is available only in the web application.

The privilege enables the users to log in to the system in maintenance mode.

The maintenance mode is used to install updates, clear and update BI server assemblies cache, and various operations that should be executed in a single-user mode and can result in errors when working in multi-user mode in the repository.

This privilege is given by default to the ADMINISTRATORS built-in group and the ADMIN schema owner. When roles of information security administrator and application administrator are separated, this privilege will also be available for ISA.

To delete the selected privilege holders, click the Delete button in the Privilege Holders dialog box in the desktop application and on the Privilege Holders side panel in the web application.

NOTE. If a domain user/group is selected as the privilege holder, which is not created in Foresight Analytics Platform, the process of creating a domain user/domain group will be started.

In the web application click the Save button on the toolbar or on the side panel.

In the desktop application execute one of the operations:

Select the Repository > Apply Security Policy main menu item.
Click the Apply Security Policy button on the toolbar.

NOTE. If section parameters have been changed, an attempt to go to another section of the security manager or to close it displays a request to apply changed settings.