General access rules and User Management
This section contains some general information about the Access control system and a summary of the rules that apply.
The following tasks make up the Access control system in Corporater BMP:
-
Assign Access – a generic set of permissions
-
Create Access profiles - a set of access rights used to specify what objects specific users have access to
-
Map Access profiles – connect a specific user or group, object, and profile
-
Configure Access control for objects
These tasks can be performed i Configuration Studio:
-
Users can be created and configured
-
Groups can be created and configured
-
Users can be connected to Groups
-
Admin Access can be assigned
-
Other Accesses can be assigned
-
Access Profiles can be created and configured
-
Profiles can be mapped
-
Access control for objects can be configured
General access rules for the Web
Users are by default assigned Web Access. A user must be assigned either Guest, Web or Admin Access in order to access the Web. Users without Web, Guest, or Admin Access will be denied access to the Web. Users who have been granted Admin or Configuration Studio Access will have access to Configuration Studio.
By default all users have Read access to all organization objects. However if an organization does not have any scorecards at all, that organization will not be visible in the organization tree. This also means that if a user does not have 'Read' access to any scorecards for an organization, that organization will not be visible in the organization tree for that user.
For model objects other than organization objects, the user's total access rights determine whether or not objects are visible, modifiable or removable in the Web.
General access rules for Configuration Studio
In order to access the Configuration Studio, a user needs either Configuration Studio or Admin Access. Users with Configuration Studio Access can view ("read") model objects, but the user's total access rights determine which objects can be modified or added.
If a certain user is not allowed to add a certain object type to a given object, the object type will not be displayed as an option in the Add menu.
Example: If a user is not allowed to add a Perspective object as a new child of a Scorecard object, then the Perspective element will not be available as an option in the Add menu for that user.
In order to access the various models of the Configuration Studio, such as Transformer, Forms, Reporter, etc., the user must either have to have Admin Access or Configuration Studio Access combined with the access that corresponds to the model. See Users and Groups for more information.
Default system settings
A default installation has the following set of rules when it comes to access restrictions for model objects:
-
Only super administrators can add, remove or modify organization elements
-
Only super administrators can add and remove scorecards unless explicit access is granted via Profiles or Permissions
-
Only super administrators can remove perspectives, strategic objectives and KPIs, unless explicit access is granted via Profiles or Permissions
All users except users with Guest Access can be given rights to add, remove or modify all model objects. Guest users cannot modify any elements, including their own user preferences, and granting additional access rights to Guest will have no effect.
Access control hierarchy
Access rights granted specifically via Access Profiles will be in addition to or override rights given by a user Access. E.g. a user with Web Access may be mapped to an Access Profile giving Write access to a certain object.
The permissions set in Access control on objects will always override permissions set using Access profiles. This means that even if the sum of the user's access rights from Access profiles would grant Read and Write access to an object, if the user is explicitly granted only Read permissions using Access control on an object, the user will only have Read access to the object in question.
Ownership overrides the permissions set explicitly for an object. An owner of an object is automatically given full access to that object. This means that even if explicitly set permissions only grant the user 'Read' access to an object, the user would still have Read and Write full access if he/she is listed as an owner of the object.
To make changes to the user "admin" you must be logged in as "admin".
The default user "admin" cannot be deleted.
