User group permissions control both what data objects group members can access and what they can do with those objects. Objects such as code sets, users, groups, and repositories have access permissions that can be set at the group level. These permissions give group members the ability to create an object and to read, edit or delete an existing object.
Repositories have additional permissions that allow a user to add, edit, sync-in (import), and delete records. Be careful to assign correct permissions to a repository and its underlying objects. Anyone given access to the repository must have read privilege on the underlying profile and the code sets used by the repository. If you are allowing a user to import data into a repository, they must have permission to create File Definition and Data Source objects.
Repository security assignments must include an attribute security filter and might include a record security filter. The attribute filter controls which attributes in a repository the user is allowed to read and edit. If no specific filter is defined for the profile, the default filter must be specified. If no filter is defined, the user will not see any data. The record security filter applies a search condition to the records returned from a repository, limiting access to only those records that match the record filter criteria.
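The dependency rules above can be checked mechanically before a grant is saved. The following is an added example, not EnterWorks code: the dictionaries, the `"*"` wildcard for object-type Create permission, and the group and object names are all hypothetical and constructed for illustration.

```python
# Added example: the data model below is hypothetical, not an EnterWorks export format.

def audit_repository_grant(group, repo, grant, object_perms):
    """Return a list of findings for one group's grant on one repository.

    repo:         {"profile": str, "code_sets": [str, ...]}
    grant:        {"permissions": set, "attribute_filter": str|None, "record_filter": str|None}
    object_perms: {(object_type, object_name): set of permissions the group holds}
    """
    findings = []
    perms = grant["permissions"]
    if not perms:
        return findings  # no access granted, nothing to check

    # Repository access requires Read on the underlying profile and code sets.
    needed = [("Profile", repo["profile"])] + [("Code Set", c) for c in repo["code_sets"]]
    for obj in needed:
        if "Read" not in object_perms.get(obj, set()):
            findings.append(f"ERROR: {group} lacks Read on {obj[0]} '{obj[1]}'")

    # Import (Sync-in) requires Create on File Definition and Data Source objects.
    if "Sync-in" in perms:
        for obj_type in ("File Definition", "Data Source"):
            if "Create" not in object_perms.get((obj_type, "*"), set()):
                findings.append(f"ERROR: {group} has Sync-in but cannot create {obj_type} objects")

    # An attribute filter is mandatory; without one the user sees no data.
    if not grant.get("attribute_filter"):
        findings.append(f"ERROR: {group} has no attribute security filter, so no data is visible")

    # A record filter is optional; without one every row is accessible.
    if not grant.get("record_filter"):
        findings.append(f"REVIEW: {group} has no record filter, so all rows are accessible")
    return findings


# Constructed sample data.
REPO = {"profile": "ProductProfile", "code_sets": ["Colors", "Units"]}
GRANT = {"permissions": {"Read", "Edit", "Sync-in"}, "attribute_filter": None, "record_filter": None}
OBJECT_PERMS = {
    ("Profile", "ProductProfile"): {"Read"},
    ("Code Set", "Colors"): {"Read"},
    ("File Definition", "*"): {"Create"},
}

if __name__ == "__main__":
    for line in audit_repository_grant("Suppliers", REPO, GRANT, OBJECT_PERMS):
        print(line)
```

The missing record filter is reported as a review item rather than an error because the page allows it; it is flagged only so that unrestricted row access is a deliberate choice.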
While it is possible to set permissions for individual users to access an object, it is strongly suggested that you assign permissions to groups instead.
For a detailed description of how assigning permissions affects access to particular securable objects, see Securable Object Permissions in Detail.
There are two ways to define security for a securable object. The result is the same in either case. Use the method most convenient for you.
- Define a group's access to one or more securable objects: You can set a group's permissions for one or more objects at once.
- Define access to a securable object for one or more groups: You can edit a securable object's permissions and define the access each user group has to the object.
Define a group's access to one or more securable objects
- Log into the Classic UI as an administrator.
- In the Feature bar, open Users and Groups, then select Groups.
- Select the group for which you want to manage object security, open the Action dropdown menu, then select Security.
- The Security page will appear. It lists the system's users, groups, and data model objects. You can click Show All and Hide All in the upper right of the page to expand and collapse all the objects. Edit the permissions.
  - Create: If checked, the group's users can create that object.
  - Read: If checked, the group's users can read the object.
  - Edit: If checked, the group's users can edit the object.
  - Delete: If checked, the group's users can delete the object.

  Additional permissions are available for repositories:
  - Sync-in: Users can import data into a repository.
  - Add Records: Users can add new records to a repository.
  - Delete Records: Users can delete records from a repository.
  - Edit MetaData: Users can change repository properties.
  - Edit Record Attribute Filter: (Required) You must select a filter. The default filter allows access to all attributes. For more information, see Create or Edit an Attribute Security Filter.
  - Record Filter: If no filter is specified, users will have access to all rows of data in the repository. For more information, see Create or Edit a Record Security Filter.
- Click Save. Your changes will be saved and a completion message will appear.
Define access to a securable object for one or more groups
To assign the securable object to one or more groups at a time:
- Open the list that contains the object. For example, to open the Profiles list, open the Feature bar, open Model, and select Profiles.
- Select the securable object you want to define access to.
- Open the Action dropdown menu and select Security.
- The Security window will appear. It lists the system's users and user groups. You can click Show All and Hide All in the upper right of the page to expand and collapse all the objects. Expand the Groups section.
- Edit the permissions.
  - Read: If checked, the group's users can read the object.
  - Edit: If checked, the group's users can edit the object.
  - Delete: If checked, the group's users can delete the object.
- Click Save at the bottom of the list.
Securable Object Permissions in Detail
Object | Permissions Available | Description |
---|---|---|
Users | Read/Edit/Delete | User has Read/Edit/Delete permission by default to themselves; must be granted access to others. |
Groups | Read/Edit/Delete | User has Read permission by default to Groups they belong to; must be granted access to others. |
Style Maps | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any Style Maps (used in publication) created themselves; must be granted access to others. |
Templates | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any Templates (used in publication) created themselves; must be granted access to others. |
Data Sources | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any Data Sources (used for import) created themselves; must be granted access to others. |
Sequences | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any Sequences (used in repositories with auto-generated sequence attributes) created themselves; must be granted access to others. |
Profiles | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any Profiles (attributes defined for a repository) created themselves; must be granted access to others. |
Code Sets | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any Code Sets created themselves; must be granted access to others. |
Taxonomies | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any Taxonomies created themselves; must be granted access to others. |
Hierarchies | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any Hierarchies created themselves; must be granted access to others. |
Transmission Options | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any Transmission Options (used in definition of a repository) created themselves; must be granted access to others. |
Attribute Security Filters | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any Attribute Security Filters (used to grant access to repository attributes) created themselves; must be granted access to others. |
Record Security Filters | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any Record Security Filters (used to grant select privilege to certain rows in repositories) created themselves; must be granted access to others. |
File Definitions | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any File Definitions created themselves; must be granted access to others. |
Repository Folders | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any Repository Folders created themselves; must be granted access to others. |
Media Groups | Read/Edit/Delete | User has Read/Edit/Delete permission by default to any Media Groups created themselves; must be granted access to others. |
Repositories | Read/Edit/Delete/View/SyncIn/Add Records/Delete Records/Edit Meta Data/Edit Record Attribute Filter/Record Filter | Read: permission to read repository definition. Edit: permission to edit items within repository; combine with Edit Record Attribute Filter to determine which attributes have Read/Edit. Delete: permission to delete repository and contents. View: permission to view the repository in context of EnterWorks Content feature listing. SyncIn: permission to use Import to add data to repository. Add Records: permission to add new rows to repository. Delete Records: permission to delete rows from repository. Edit Metadata: permission to change repository properties. |