Managing Roles
User accounts are not assigned privileges directly, but are accorded privileges by being assigned to a user role. This simplifies user account management. Through the role, you define which create, read, update, delete, purge, and restore actions a user can perform.
User accounts can be assigned to more than one role. If the roles assigned to the user have different or conflicting security levels, OneData evaluates the security and assigns it as follows:
- Combines the role privileges, granting the privileges for any objects explicitly defined within the role, but applying the most conservative security assigned globally to the user role in every other object.
- If one of the user roles includes a row filter, OneData limits the user to the security privileges explicitly defined in the object, but grants the least conservative security as defined in the global settings.
For example, User A has two roles, an administrator role, and a role named Update_Country, which has a row filter that specifies update on country values “US” and “UK.” User A can select and browse values in all of the available objects, but can update only those values in the Country object where the country is “US” or “UK.”
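The two evaluation rules and the User A case above, modeled in Python as an added example for reviewing effective access (this is not OneData code and not part of the original page). The `Role` fields, the privilege names, and the `Reader` and `Editor` roles are assumptions, and the merge logic is one literal reading of the rules: the intersection of global privileges when no role has a row filter, the union when one does.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    """Hypothetical model of a user role (not OneData's own data structure)."""
    name: str
    global_privs: set = field(default_factory=set)    # privileges set globally on the role
    object_privs: dict = field(default_factory=dict)  # object -> privileges defined explicitly
    row_filters: dict = field(default_factory=dict)   # object -> {privilege: (column, allowed values)}

def effective(roles, obj):
    """Return (privileges, row filters) on `obj` for a user who holds `roles`."""
    explicit = set().union(*(r.object_privs.get(obj, set()) for r in roles))
    filters = {}
    for r in roles:
        filters.update(r.row_filters.get(obj, {}))
    global_sets = [r.global_privs for r in roles]
    if any(r.row_filters for r in roles):
        # A role carries a row filter: explicit object privileges plus the least
        # conservative (union) global setting; the filter limits the rows.
        privs = explicit | set().union(*global_sets)
    elif explicit:
        # No row filter, object explicitly defined in a role: grant those privileges.
        privs = explicit
    else:
        # No row filter, any other object: most conservative (intersection) global setting.
        privs = set.intersection(*global_sets)
    return privs, filters

def can(roles, obj, priv, row=None):
    """True if the user may perform `priv` on `obj` (on `row`, when a filter applies)."""
    privs, filters = effective(roles, obj)
    if priv not in privs:
        return False
    if priv in filters:
        column, allowed = filters[priv]
        return row is not None and row.get(column) in allowed
    return True

# Constructed roles mirroring the User A example on this page.
ADMIN = Role("Administrator", global_privs={"select", "update", "insert", "delete"})
UPDATE_COUNTRY = Role("Update_Country",
                      object_privs={"Country": {"update"}},
                      row_filters={"Country": {"update": ("country", {"US", "UK"})}})
USER_A = [ADMIN, UPDATE_COUNTRY]
# Constructed roles without a row filter, to exercise the first rule.
READER = Role("Reader", global_privs={"select"})
EDITOR = Role("Editor", global_privs={"select", "update"},
              object_privs={"Region": {"select", "update", "insert"}})
```
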
The following table defines the security enforced by the user role.
User Role Properties
Security Type | Description |
--- | --- |
Functions | Defines the functions that users can perform, including data and object management, and system administration privileges. These functions are standard in OneData and cannot be modified. |
Folders | Defines the object folders that users can access. Restricting access to a folder also restricts access to any objects within that folder. |
Definition Objects | Defines which definition objects the user can access and the functions the user can perform on the object: Select: the user can only view the object. Update: the user can update the object. |
Data Object | Defines the functions a user can perform on a specific data object: Row Filter: Restricts user privileges at the column level. The row-level filter restricts the user to viewing only specific records. You can create complex selection conditions. Row-level filters can be assigned to a role and/or the user. Select Definition: View the object definition. Update Definition: Full object edit privileges. Select: View records. Update: Edit existing records. Insert: Insert new data records. Delete: Delete existing records. Purge: Purge records. Export: Export records to another source or email recipient. Import: Import new records into an object. |
Remote Snapshots | Defines the functions a user can perform on remote snapshots: Select Definition: View the snapshot definition. Update Definition: Full snapshot edit privileges. Select: View the snapshot. Export: Export snapshot records to another source or email recipient. |
Remote Object | Defines the user privileges on remote objects. These privileges are the same as for data objects, but include the ability to define a row filter or limit record purges. |
Complex Views | Defines the user privileges on complex views. Select Definition: View the object definition. Update Definition: Full object edit privileges. Insert: Insert new data records. |
Conceptual Objects | Defines the user privileges on conceptual data objects. Select Definition: View the object definition. Update Definition: Full object edit privileges. Show in Data Entry: View data records. |
Reports | Defines the user privileges on reports. Manage Reports: Full edit privileges on reports. Execute Report: Generate a report ad hoc. |
Users | Defines the users who are assigned to the user role. Manage Reports: Full edit privileges on reports. Execute Report: Generate a report ad hoc. Select the users who are assigned to the role. |
Connections | Defines the connections that the user can access. |