An authorization object is a repository object used to control the access permissions of users and groups of users by creating data segments.
NOTE. Creating authorization objects is available only in the desktop application.
A data segment is a combination of a cube data slice and the permissions of security subjects to this data. Data segments can be created by means of the following cubes:
Cube views can be used.
A cube data slice is a two-dimensional data table obtained by fixing at least one cube dimension, which is mandatory. Fixing a dimension means selecting its elements.
Authorization objects can be of two types:
Static. They determine static permissions that are in effect permanently.
Dynamic. They determine dynamic permissions that are in effect only while a specific process step is executed. The specified access permissions are absent before and after the step is executed.
NOTE. Authorization objects with dynamic access permissions can be set up only for the Data Entry and Approval steps on their creation.
When an authorization object of any type is created, the cube permissions are restricted for users or groups of users. To grant permissions to users or groups of users, set the authorization object on their creation and determine a data segment for them.
The authorization object wizard is used to create new authorization objects and to edit existing ones.
The first page of the authorization object wizard is Basic Properties. The page appearance depends on the authorization object type:
On the first wizard page, specify the basic properties of the authorization object:
Name. Enter the authorization object name.
Identifier. Change the unique identifier of the authorization object if required.
NOTE. Specify a comment for authorization object if required.
Authorization Object Type. Determine the access type for users or groups of users:
For Process Steps. When this radio button is selected, the Available Roles area appears. In this area, mark the users or groups of users whose permissions will be determined when specific process steps are set up. Authorizations are in effect only while specific process steps are executed and are absent the rest of the time.
After the basic properties of the object have been determined, click the Next button.
The next wizard page, Data Segments, is used to determine the list of data segments. Data segments are set by determining selections by dimensions of the selected source. This divides the data source into segments, each of which is available for the work of an individual group of users.
Execute the operations on the second wizard page:
Set selection by source dimensions
Click the Finish button to exit the wizard.
NOTE. For data segments that restrict access to various operations with objects to work correctly, the users or groups of users require only read permissions for the segments and/or the containers with segments.
Thus, static data segments are created outside processes by means of authorization objects, to which permissions are granted for the selected users or groups of users. Access permissions to static data segments are determined by the discretionary access control method. Along with the discretionary access control method, the attribute-based access control method.
For details about selecting access control methods and their setup see the Selecting Access Control Methods and Their Setup article.
Dynamic data segments are defined in processes by means of authorization objects. They are created when a process step starts and remain active until it finishes. Dynamic data segments provide access permissions only at the specified process steps and lock them outside these steps. Access permissions at a specific process step are given only to the users or groups of users specified when the dynamic authorization object is created. Access is restricted for other users.
NOTE. The users of the Administrators group always have access permissions regardless of authorization objects setup.
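The access rules described above can be summarized in a simplified model. This is an added example, not the platform's own code or API: it assumes a cube cell is addressed by one element per dimension, and all class, function and sample names are hypothetical.

```python
# Simplified model of the rules on this page; not the platform's API.
# All class, function and sample names are hypothetical.
from dataclasses import dataclass
from typing import Optional

ADMIN_GROUP = "Administrators"  # group named in the NOTE above


@dataclass
class AuthObject:
    selection: dict              # dimension -> set of selected (fixed) elements
    subjects: set                # users or groups granted this data segment
    step: Optional[str] = None   # None = static; a step name = dynamic

    def __post_init__(self):
        # A data slice requires at least one fixed dimension.
        if not any(self.selection.values()):
            raise ValueError("fix at least one dimension")


def covers(selection, cell):
    """True if the cell's element is selected in every fixed dimension."""
    return all(cell.get(dim) in elems for dim, elems in selection.items())


def can_access(user, groups, cell, objects, active_step=None):
    """Decide whether a user may work with one cube cell."""
    principals = {user} | set(groups)
    if ADMIN_GROUP in principals:
        return True  # administrators always have access
    for obj in objects:
        if obj.step is not None and obj.step != active_step:
            continue  # dynamic segment is absent outside its step
        if principals & obj.subjects and covers(obj.selection, cell):
            return True
    return False  # no matching segment: the cube stays restricted


# Constructed sample: a cube with Region and Year dimensions.
OBJECTS = [
    AuthObject({"Region": {"North"}}, {"Analysts"}),
    AuthObject({"Region": {"South"}, "Year": {"2024"}}, {"alice"}, "Data Entry"),
]

if __name__ == "__main__":
    cell = {"Region": "South", "Year": "2024"}
    print(can_access("alice", [], cell, OBJECTS))                # no step running
    print(can_access("alice", [], cell, OBJECTS, "Data Entry"))  # step running
    print(can_access("root", [ADMIN_GROUP], cell, OBJECTS))      # admin bypass
```

When reviewing a real setup, the same three questions apply to each user: which static segments cover the cell, which dynamic segments are active at the current step, and whether the user belongs to the Administrators group.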
After creating authorization objects, proceed to their setup in the process.
See also:
Setting Up Role Model | Setting Up Process Authorization Objects