Edit user permissions in a business role
By default, users have the same permissions to business data as those defined for the role to which they belong. However, you can restrict access to member sets or members for particular users.
Before you modify user permissions, read the following information.
You must belong to the User Administrator role to change the permissions for a user.
The Customize user permissions check box must be selected for the member set. This check box can only be selected in the Role page by a member of the Data Administrator or Modeler role. When this check box is selected, both Read access and Write access to the selected member set are set to None for all users in the role and for all users who are added to the role in the future. Therefore, permissions must be individually configured for each user who requires Read or Write permissions to the member set. For more information, see Enable custom user permissions for a member set.
To access business data, users must be granted Read permissions to at least one member in every member set in the models that the role can access. For more information about this requirement, see Best practices for business roles.
You cannot give more access than the role allows, and you can only restrict access. Customized user permissions cannot exceed those of the role. For example, if a role has Read-only access to a member set, you can only remove Read access for users who belong to the role. You cannot give Write access.
If role permissions use a static list, use a static list when you define user permissions for the same members. Otherwise, your role settings might not be valid. For more information, see Best practices for business roles.
Users who belong to multiple roles can possess permissions that exceed those of a particular role, yet Read and Write permissions are calculated differently. For more information, see Permissions for users assigned to multiple roles.
To edit user permissions for a business role
In the Workspace Browser pane, click Security and Roles.
At the top of the Security and Roles workspace, in the View menu, select Business Roles Only.
In the list of roles, click the role whose user permissions you want to change.
Click the Users page. The top half of the Users page lists all the users who belong to the business role. The bottom half of the page lists all the member sets in the model site. The Read access and Write access columns display a summary of the permissions for the selected user.
All. The user has Read or Write access to all members in the member set.
None. The user has no Read or Write access to any member in the member set.
Custom. The user has permissions configured for individual members in the member set.
Select the user whose permissions you want to change.
Select the member set whose permissions you want to change for the selected user.
In the Workspace Actions pane, under Edit User Permissions, click the appropriate Edit button to modify the Read or Write access that the user has to the selected member set. The Change READ Permissions for User or the Change WRITE Permissions for User dialog box opens. Either displays a list of members and their corresponding permissions (None, Read-Only, Write-Only, Read + Write). These two dialog boxes function similarly.
Note
The Customize user permissions check box must be selected in the Role page before you can edit user permissions. Only members of the Data Administrator or Modeler role can turn on this feature.
In the Change READ or WRITE Permissions for User dialog box, the Selected Members column lists the members that the user can access. You can search by member properties to find particular members. For information about finding members or about how to use the Change READ or WRITE Permissions for User dialog box, see "Change READ or WRITE permissions for user" in the product help.
In the Available members box, specify permissions, as follows:
To enable access, select the check boxes next to a member. Selecting a check box gives Read or Write access to the member for the user and adds the member to the Selected Members list.
To deny access, clear the check boxes next to a member. Clearing a check box denies Read or Write access to the member for the user and removes the member from the Selected Members list.
Right-click a member to add or remove descendants by using the shortcut menu. This feature allows you to work with a dynamic set instead of explicit member selections. You may have to clear check boxes for members that belong to a set before the menu command becomes available.
The availability of check boxes in the Change READ or WRITE Permissions for User dialog box is based on the permissions defined for the role. For example, if the role does not grant Read access to a member, that member will not show a check box.
Read access for members that contain descendants is determined by the Read access that is defined for its descendants. In PerformancePoint Add-in for Excel, the value of the member will be the result of its visible descendants (the descendants to which the user has Read access). Therefore, only leaf members will display a check box in the Change READ Permissions for User dialog box.
After you select or clear members appropriately, click OK. Make sure that Read access is granted to at least one member in every member set that the model contains. For more information about this requirement, see Best practices for business roles.
On the File menu, click Save Model Site to save your changes.
See Also
Tasks
Edit member set permissions for a business role