Restricting the permissions of a role to certain applications
The permissions of a role can be different, depending on the application a user logs on to (constraints of permissions). Users can inherit different permissions by the same role for different applications. To restrict one of the permissions of a role to a specific application, you assign the application, for which the permission is valid, in the Permission Constraints dialog.
To open the Permission Constraints dialog, expand the folder under a role. Right-click the permission and select the command on the shortcut menu or on the toolbar. You can only open the dialog, if applications are fixed for constraints in the database.
In the upper part, you see the applications that are not assigned to the permission. The list below contains the assigned applications. Double-click the applications to move them from one list to the other. To assign or to remove multiple applications, select them in the lists (multiple selection with Ctrl) and click or .
Example
With respect to OLAP, two different user groups can be distinguished:
- Application users: These users are working with the Designer, Financial Consolidation, Application Studio, and Office Plus applications. The permission OLAP Administrator is only required for them, if they are using Designer to build up and create the data model.
- OLAP database administrators: These users are working with the OLAP Administration. Their responsibility is to keep the system running, for example, to create backups or to check the list of connected users.
If a user belongs to both groups, he receives two different user accounts that grant permissions for his tasks in different applications. This is ensured by restricting permissions for a user or group to the usage of a certain application:
- The OLAP Administrator permission is assigned to application users only in Designer.
- The OLAP Administrator permission is assigned to database administrators only in OLAP Administration.