PPS Role Security Question

  • Question

  • I have three roles set-up in a model where we have a hierarchy that has multiple levels of roll-up and allows data entry at all levels:

     

    1.  Allows Read + Write access to all members of a hierarchy

     

    2.  Allows Write access to all the leaf members of the hierarchy, but only Read access to the higher levels.

     

    3.  Allows Read + Write access to only the leaf levels of the hierarchy with no Read or Write to any higher level.

     

    My question is in regards to what happens when a user gets assigned to multiple roles?   If a single user were assigned to all 3 roles and all 3 roles were in the same cycle and the same input form what security would be invoked?   Would they get #1, #2 or #3?

     

    My hope is that PPS would err on the side of caution and invoke the most restrictive, but my testing looks to be the opposite.

     

    In our current situation, they have a lot of users who transition within the organization.  The fear is that a user will change position and get added to a new security role but not removed from an existing role and therefore be able to change data they should not be allowed to change.

     

    If it allows the more liberal of the security settings, is there any setting anywhere (even in the registry) that will instead force the use of the more restrictive when a user is assigned to multiple roles?

     

    Alan

     

    Friday, August 22, 2008 2:34 PM

Answers

  •  

    The permissions the user would get would be a "Union" of all permissions defined in the 3 roles. Hence in your scenario, the user must be removed from old roles in order for them not to have the right permissions
    Monday, August 25, 2008 7:42 PM

All replies

  • Anyone??

     

    Saturday, August 23, 2008 1:22 PM
  • Hi Alan

     

    Permissions are normally additive UNLESS you have the ability to explicitly set DENY rights, which does not appear in PPS so your testing and conclusions are correct.

     

    Regards

     

    Paul

     

    Tuesday, August 26, 2008 9:30 AM
  • I've got an interesting issue with PPS and I really hope someone can point me in the right direction. I've got an Input form with a list of accounts. I then set up a Role with read and write access to only a subset of those accounts.

     

    When I set up the cycle and add the form with the contributor set to the role and then log on as one of the users defined in the role, I still have access to write data to all of the accounts. It seems like the role isn't doing anything... what am I doing wrong?

    Tuesday, September 30, 2008 2:39 PM
  • Are you making changes to security while the assignment is open? The permissions metadata will be cached locally; don't forget to refresh the cache.

    Does the user belong to multiple roles? This was exactly the question Alan & Paul were discussing. It is the union of permissions across business roles, not the intersection. Also check that the user you are working with doesn't have a system role like modeler which would give them permissions to the entire model.
    Tuesday, September 30, 2008 4:46 PM
    Moderator
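
The union behaviour and the system-role override described in the replies above, as an added sketch that is not part of the original thread and does not call any PPS API. Role names, users and the `effective`/`audit` helpers are constructed for illustration, and write access is assumed to imply read.

```python
# Simplified model of additive (union) role permissions with no DENY.
# All names and data below are constructed; this is not PPS code.
LEVELS = ("leaf", "parent")
ALL_RIGHTS = {"read", "write"}

# The three business roles from the question: level -> rights granted.
BUSINESS_ROLES = {
    "Role1": {"leaf": {"read", "write"}, "parent": {"read", "write"}},
    "Role2": {"leaf": {"read", "write"}, "parent": {"read"}},
    "Role3": {"leaf": {"read", "write"}, "parent": set()},
}
# System roles that grant access to the entire model (per the moderator).
SYSTEM_ROLES = {"Modeler"}

def effective(roles):
    """Effective rights per level: union of all roles, or everything
    if the user also holds a system role."""
    if SYSTEM_ROLES & set(roles):
        return {lvl: set(ALL_RIGHTS) for lvl in LEVELS}
    eff = {lvl: set() for lvl in LEVELS}
    for role in roles:
        for lvl, rights in BUSINESS_ROLES.get(role, {}).items():
            eff[lvl] |= rights
    return eff

def audit(memberships, intended):
    """Return {user: [(level, right), ...]} for rights the user holds
    beyond the single role they are supposed to have."""
    findings = {}
    for user, roles in memberships.items():
        eff, want = effective(roles), BUSINESS_ROLES[intended[user]]
        extra = sorted((lvl, r) for lvl in LEVELS for r in eff[lvl] - want[lvl])
        if extra:
            findings[user] = extra
    return findings

# Constructed sample: bob and dave changed position and were never
# removed from their old role; carol also holds a system role.
MEMBERSHIPS = {
    "alice": ["Role3"],
    "bob": ["Role1", "Role3"],
    "carol": ["Role3", "Modeler"],
    "dave": ["Role2", "Role3"],
}
INTENDED = {"alice": "Role3", "bob": "Role3", "carol": "Role3", "dave": "Role3"}

if __name__ == "__main__":
    for user, extra in audit(MEMBERSHIPS, INTENDED).items():
        print(user, "has rights beyond intended role:", extra)
```
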
  • Thanks for the info....the problem I had was the user was a modeler and therefore ignores any role permissions.

     

    I'm battling to understand something. With this additive Role permissions.

     

    I'll try break it all down:

    I have a list of 14 accounts and a Role defined as Contributor. Within the Role I have two users; they both have read access to all 14 accounts, but user 1 has write access to the first 7 accounts and user 2 has write access to the last 7.

     

    I have another role defined as Reviewer and has the same two users still having read access to all the accounts but now have inverse write access. So they basically review and can change each others work.

     

    So if I'm understanding this additive permissions thing within a cycle, if I set up my cycles with the roles I've defined, both users will have read and write access to all Accounts? Is this correct? Because it seems like what's happening to me.

     

    I can understand additive Roles within a Contributor or Approver or Reviewer but not across those responsibilities. Is it additive across the responsibilities? Help?

    Thursday, October 2, 2008 1:11 PM