Access Control

In addition to configuring access rights using profiles and user access, it is possible to set permissions explicitly for a single object. Access Control makes it possible to grant and restrict permissions on the respective object to selected users and user groups. Also, you can assign ownership of the object to the selected users and user groups. By default, there are no restrictions to objects in Configuration Studio.

Before starting to add permissions and ownerships over objects, make sure all necessary users have been added in Users and Groups.

The permissions set in Access Control complement the permissions set using Access profiles. If a user's Access profile grants them Read access to an object, and the user receives Write permissions in Access control for the object, the user ultimately receives both Read and Write permissions to the object.

Permissions and restrictions

By using permissions and restrictions you can designate which users, if any, should have 'Read', and/or 'Write', and/or 'Add' access to any scorecard element. Permissions and restrictions are inactive by default.

Ownership

Ownership of an object automatically grants the user full access to the object. Ownership means granting necessary access rights to users who are not administrators, e.g. to delegate responsibility for an object. Ownership overrides the permissions set explicitly for an object. An owner of an object is automatically given Read/Write access to that object. This means that even if explicitly set permissions only grant the user Read access to an object, the user would have Read and Write access is he/she is listed as an owner of the object. An object may have more than one owner.

How to configure permissions and restrictions

To use Access Control on an object, right click it and choose Access Control.

In the Permissions tab you can give and restrict access to the object.

Override access profile for <object type>: <object name> - By checking or unchecking the checkbox you can activate or deactivate the rest of the configuration panel and also activate or deactivate the restrictions for the specified object. Restrictions will not be in effect unless the box is marked.
Groups and users - choose which groups and/or users will have access to the object. Click Add group or Add user and choose those who are to have access to the object. Click OK.

Admin users can be added to this list, except the reserved System Administrator that has user ID 'admin'. The Everyone group can also be added to the list.

Now highlight one of the entries in the list and choose which Permissions the user should have from the list below. The permissions that can be set for a user or group are:

- Read access - gives the user read access to the object.
- Write access – gives a user access to modify the object and to add child objects, e.g. add perspectives to a scorecard.
- Add access - gives the user access to add child objects, e.g. add perspectives to a scorecard.

This functionality makes it possible to show a KPI a user is Responsible for in the user's My KPIs, even if he/she does not have access to the KPI.

Groups and users that are not specified here will not have access to the object, i.e. they will not see it on the web at all.

The Access control configuration dialog does not contain an Add flag. The Add flag has no meaning for an existing object, as it is only used when checking if a user can add new objects.

Apply permission settings to subelements - mark the checkbox if the permissions should also be in effect for the elements owned by the current element.

Apply permission settings to subelements is a "once only" check box, which means that subelements that are added in the future will not automatically inherit the settings.

Override access profile for <object type>: <object name> - by checking or unchecking the box you can activate or deactivate the permissions for the specified object. If Override access profile for <object type>: <object name> is checked, groups and users that are not specified in Groups and users will not have access to the object, i.e. they will not see it on the web at all. These restrictions will not be in effect if the box is not marked.

The permissions set in Access Control will always override permissions set using Access profiles. This means that even if the sum of the user's access rights from Access profiles would grant Read and Write access to an object, if the user is explicitly granted only Read permissions using the Access control dialog, the user would only have Read access to the object in question.

If Override access profile for <object type>: <object name> is checked, the permission settings configured in this dialog will override any permissions set using Profiles, so it is important that all users or groups that should have access to an object be added to the list. Groups and users that are not included will not have access to the object.

Ownership

Ownership of an object automatically grants the user full access to it. Ownership means granting necessary access rights to users who are not administrators, e.g. to delegate responsibility for an object. Ownership overrides the permissions set explicitly for an object. An owner of an object is automatically given Read/Write access to that object. This means that even if explicitly set permissions only grant the user Read access to an object, the user would have Read and Write access is he/she is listed as an owner of the object. An object may have more than one owner.

How to configure Ownership

In the Ownership tab you can choose which users will have ownership rights to the object. Click Add user and choose the user or users who are to be given ownership to the object.

Apply ownership settings to subelements - mark the checkbox if the ownership settings should also be in effect for the elements owned by the current element.

Apply ownership settings to subelements is a "one time only" check box, which means that subelements that are added in the future will not automatically inherit the settings.