Rights Objects in Jedox

Jedox uses rights objects for granting access to general functionality to user roles. This article gives an overview of available rights objects and describes the default rights given to roles after a standard installation.

See Administration of User Rights for the chain of rights (right objects > roles > groups > users) used in Jedox.

See Specific Rights in Jedox Web for an explanation of how rights objects relate to actions in Jedox Web components Reports and Designer.


audit

Controls access to the component "Audit" of Jedox Web and to the "Audit data" in Jedox OLAP cells.

N: Users have no access to this component.
R: Users are allowed to view the "Audit data" in Jedox OLAP cells.
D [W]:1 Users have full access to this component. Additionally to view the audit data in Jedox OLAP cells, they can define the audit settings for various cubes per databases (i.e., should audit be enabled for a given cube, and how far back should audit data go).

cell data

Controls general access to the data cells in all cubes on the system. Some exceptions apply, e.g. for attribute cubes; see documentation of other rights objects.

N: Users are not allowed to view any cell data in any cube.
R: Users are generally allowed to read cell data.
W: Users are allowed to edit base-level cell data.
D: Users are allowed to delete base-level cell data (i.e., write 0 as value into cells). Note that if the user should be able to clear complete cubes, he will also need D access on the "cube" right object.
S: Users are allowed to splash values on consolidated-level cells (including 0).

Related rights objects: cube


cell data Excel

Equivalent to "cell data", this rights object controls general access to the data cells in all cubes on the system accessed from the Excel Add-in. Some exceptions apply, e.g. for attribute cubes; see documentation of other rights objects. Note that "cell data Excel" will only become effective once it is set to a more restrictive setting than "cell data".

N: Users are not allowed to view any cell data in any cube.
R: Users are generally allowed to read cell data.
W: Users are allowed to edit base-level cell data.
D: Users are allowed to delete base-level cell data (i.e., write 0 as value into cells). Note that if the user should be able to clear complete cubes, he will also need D access on the "cube" right object.
S: Users are allowed to splash values on consolidated-level cells (including 0).

Related rights objects: cube


cell data hold

Controls the ability for users to set a "hold" on a cell or cube slice. See Setting Holds and Using the Hold Manager for more information. Note that in addition to the rights set out in the cell data hold object, individual permissions on cells and cubes may affect a user's ability to use this feature. See Rights with Impact on Jedox Web for details.

N: Users have no access to hold features or to the Hold Manager.
R: Users can view a list of holds via the Hold Manager, unless other access restrictions on the cell or cube prevent it.
W: Users can set and view "holds".
D: Users can release, set, and view "holds".

cube

Controls general access to cubes in OLAP databases. Access to data in specific cubes can be restricted within databases.

N: Users can not use any cubes at all. This prevents access to all data provided in cubes.
R: Users are allowed to see cubes, but not edit them. Note that this only concerns the cube objects themselves, not contents such as cells, etc.
W: Users are allowed to edit (rename) cubes.
D: Users are allowed to delete cubes. This right is also required if a user attempts to completely clear a cube.

database

Controls general access to databases in OLAP.

N: Users are not allowed to see any databases.
R: Users are allowed to see databases but not edit them.
Note that this only concerns the database objects themselves, not contents such as cubes, etc.
W: Users are allowed to edit (rename) database.
D: Users are allowed to delete databases.

dimension

Controls general access to dimensions in OLAP databases. Note that this only concerns the dimension objects themselves, not their contents (such as elements).

N: Users are not allowed to see dimensions.
R: Users are allowed to see dimensions, but not to edit them. Users are allowed to change attribute values on dimensions.1
W: Users are allowed to see, create, and edit (rename) dimensions.2
D: Users are allowed to see, create, edit (rename), and delete dimensions.

1Editing attribute values also requires at least R access on the object "cube" and W access on "dimension element".

2Executing an Upload Action requires at least W access on the rights objects "dimension" and "dimension element".

Related rights objects: cube, dimension element, cell data


dimension element

Controls general access to elements in database dimensions.

N: Users are not allowed to see elements in dimensions.
R: Users are allowed to see elements in dimensions, but not to edit them.
W: Users are allowed to see, create, and edit (rename) elements in dimensions. Users are allowed to create attributes on dimensions and to edit attribute values.1 2
D: Users are allowed to see, create, edit (rename), and delete elements in dimensions, as well as attributes. 1

1Creating and editing attributes also requires at least R access on the objects "cube" and "dimension". Editing attribute values also requires at least R access on the objects "cube" and "dimension".

2Executing an Upload Action requires at least W access on the rights objects "dimension" and "dimension elements.

You can also control the assignment of group rights in global connections through the dimension element right object.

Related rights objects: cube, dimension


drillthrough

Controls whether users are allowed to send Drillthrough requests via Supervision-Server.

N, R, W: Users are not allowed to send Drillthrough requests.
D: Users are allowed to send Drillthrough requests.

event processor

Controls usage of the "event processor" parameter in Writeback requests to the OLAP server. This parameter allows users to circumvent triggering Supervision Server (SVS) when changing cube data.

N [R, W]:1 Users are not allowed to circumvent SVS events.
D: Users are allowed to circumvent SVS events.

group

Controls the handling of groups in the OLAP server.

N: Users have no access to #_GROUP_ dimension.
R: User can see "group" objects in the #_GROUP_ dimension of System DB (or any other DB), but cannot edit / delete them.
W: Users are allowed to change "group" objects (rename users) and create new groups.
D: Users are allowed to delete groups.

Related rights objects: user, password, rights


list

Controls general access to lists in OLAP databases. Note that this only concerns the list objects themselves, not their contents (such as elements).

N: Users are not allowed to see lists.
R: Users are allowed to see lists, but not edit them.
W: Users are allowed to see, create, and edit (rename) lists.
D: Users are allowed to see, create, edit (rename), and delete lists.

Note: When defining "Calculation" blocks in a list, the data retrieved in the calculation is governed by the access rights of the user who uses the list in a View. That is, if a calculation block retrieves data from some cube cell or slice to which the user does not have access, an error will be shown in the View using the list.

Related rights objects: cube, dimension, dimension element, cell data


password

Controls the handling of passwords on the OLAP server. Users are always allowed to change their own password.

Retrieval of passwords can be enabled by setting the palo.ini option enable-password-retrieval. If set, users with R rights for the password object are able to retrieve passwords. Passwords are stored in hashed form, not in plain text.

N: Users have no rights on passwords. They cannot see or edit them.
R: Users have no rights on passwords. They cannot see or edit them.
W: Users are allowed to read and change passwords for other users, but cannot delete them.
D: Users are allowed to delete and change passwords.

Note: Further roles can also be created. The roles "etl" and "designer" have the default access right on "password" set to N.

Related right objects: user, group, cube, rights.


rights

Controls access to user rights structures at system and database level, i.e., access to System Database, access to user-right related, database-specific cubes, and access to Security settings on Jedox Web objects (files, folders etc.).

N: Users are not allowed to access rights-related structures.
R: Users are allowed to read rights-related structures. Users are allowed to see System database.
W: Users are allowed to edit rights-related structures, e.g. set database-specific rights in #_GROUP_DIMENSION_DATA cubes.* This includes ability to change settings for a users own group or role.
D: Users are allowed to delete rights related structures. Users are allowed to view the "Security" dialog for objects (files, folder, etc.) in Jedox Web and edit the security settings.

*Editing data in those cubes requires at least R access on the rights objects "dimension" and "dimension element".

Note: when #_Rights cell property is checked in a View, calculated List items will be locked for non-admin users.

Related rights objects: user, group, password


rule

Controls the access to cube rules

N: Users are not allowed to access list of rules on a cube
Note that rules will still be used in calculations requested by this user.
R: Users are allowed to access list of rules on a cube, but cannot edit them.
W: Users are allowed to create and edit rules.
D: Users are allowed to delete rules.

ste_analyzer

This rights object is obsolete as of Jedox 2020.3. It will be removed in a future version.


ste_conns2

Controls access to the Connection Manager component of Jedox Web.

N: Users are not allowed to access Connection Manager.
D [R, W]:1 Users have full access to Connection Manager.

Note: to work in Connection Manager, the user’s role must also have full access (D) on the objects "user", "group", "password", and "rights".

Related rights objects: user, password, group, rights


ste_etl2

Controls access to the component Integrator of Jedox Web.

N:

Users can execute and monitor loads or jobs. They are not allowed to access the Integrator component.

R:

Users are allowed to display Jedox Integrator (ETL) projects or components. Furthermore they can execute and monitor loads or jobs.

W:

Users are allowed to create and edit Jedox Integrator (ETL) projects or components, and to perform test and data preview. Furthermore they can execute and monitor loads or jobs. In order to create Jedox Integrator (ETL) Tasks additional authorization for the component Scheduler is required (right object "ste_scheduler").

D:

Users have full access to the component Integrator. They are allowed to create, edit, and delete Jedox Integrator (ETL) projects or components, and to perform test and data preview. Furthermore they can execute and monitor loads or jobs. In order to create Jedox Integrator (ETL) Tasks additional authorization for the component Scheduler is required (right object "ste_scheduler").


ste_files2

Controls visibility of the Designer component of Jedox Web. To set rights to access files indirectly (e.g. through Integrator functions that load files into Designer or the Upload Action), you must also set the user role's rights in "ste_storage".

N: Users are not allowed to view the Designer component.
D [R, W]:1 Users can view Designer component. Access to files, either through Designer or other Jedox components, must be set in ste_storage.

ste_licenses2

Controls access to the component "Licenses" of Jedox Web.

N: Users have no access to this component.
R: Users are allowed to view the component "Licenses", but they are not allowed to add, activate, remove, or assign licenses.
D [W]:1 Users have full access to this component.

Related rights objects: rights, system operations, ste_sessions


ste_logs2

Controls access to the Logs component of Jedox Web.

N: Users have no access this component.
D [R, W]:1 Users have full access to this component.

ste_mobile2

Controls access to the Mobile Touch Interface of Jedox Web (used for Browsers on Tablets and hand-held devices).

N: Users have no access this component.
D [R, W]:1 Users are allowed to use the Mobile Touch interface.

ste_packages2

Controls access to the component "My Models" of Jedox Web.

N: Users have no access to this component.
R: Users are allowed to see the panel "My Models" and the list of installed models. They are able to check for updates, but they are not able to install, uninstall, or modify models.
D [W]:1 Users have full access to this component. They are able to install, update, and uninstall models.

You can restrict RPC calls by using "ste_files" and "ste_packages" rights objects. It is possible to provide different access levels to packages, variables, script execution, and other aspects of models.


ste_palo2

Controls access to the component Modeler of Jedox Web.

N: Users are not allowed to the component Modeler of Jedox Web.
D [R, W]:1 Users are allowed to access the component Modeler of Jedox Web with generally full capabilities (may be restricted on specific items).

You need at least R rights on "ste_palo" (and optionally on "ste_files") if you access the File Manager from the Modeler for tasks, such as database scripts or backing up files. This allows you to restrict access to the Designer and Reports while still allowing access to the Modeler.


ste_perf2

Controls access to the component "Performance" of Jedox Web.

N: Users have no access to this component.
R: Users are allowed to view results of the component "Performance".
D [W]:1 Users have full access to this component. Note that currently there are no specific capabilities for full access.

ste_reports2

Controls access to the component Reports of Jedox Web.
As of Jedox Version 7.1, the read access (R) and the write access (W) have changed.

N: Users are not allowed to see the component Reports.
R:

Users are allowed to access the component Reports in user mode. You can browse report groups and hierarchies, and open reports, but cannot modify Report group contents.

As of Jedox Version 7.1, the options to export a report as WSS file, as XLSX OLAP snapshot, or to create batch XLSX tasks are now disabled. The option to export as XLSX snapshot is still available.

Note: if a user has access only to the Reports component and there exclusively R access, the end-user mode should be used.

W: As of Jedox Version 7.1, writable access allows additionally the following options to the read access: to export a report as WSS file, as XLSX OLAP snapshot, or to create batch XLSX tasks. However, this user will still see the hierarchies in the Reports panel in read mode, i.e., report hierarchies cannot be changed or added, nor can new reports be created.
D: Users are allowed to access the component Reports in "admin" mode. He can browse report groups and hierarchies, and open reports. Additionally, he can modify Report group contents.

ste_repository2

Controls access to the component "Marketplace" of Jedox Web.

N: Users have no access to this component.
R: Users are allowed to browse the Marketplace panel, but cannot install any of the available models.
D [W]1 Users have full access to this component. They are allowed to install models from the Marketplace. Note that if a model executes database scripts during installation, the user running the installation must also have all OLAP rights required for the commands in the scripts. This usually means that rights for creating databases, dimensions, cubes, elements, rules, etc. will be required.

ste_scheduler2

Controls access to the component Scheduler of Jedox Web.

N: Users are not allowed to access the component Scheduler, and they are not allowed to create tasks in other components.
R: Users are allowed to access the component Scheduler for reading, and they are allowed to execute tasks.*
W: Users are allowed to access the component Scheduler. They are allowed to execute tasks and furthermore to create and edit global tasks.
D: Users are allowed to access the component Scheduler. They are allowed to execute, create, and edit tasks, and furthermore to delete global tasks.

*For more information on access rights for the component Scheduler of Jedox Web, see article Specific Rights in Jedox Web.

Related rights objects: ste_reports, ste_etl


ste_sessions2

Controls access to the component "Sessions" of Jedox Web.

N: Users have no access this component.
R: Users are allowed to view the component "Sessions", but they are not allowed to close sessions or to stop running jobs
D: Users have full access to this component.

Related rights objects: system operations, ste_licenses


ste_settings2

Controls access to the component "Settings" of Jedox Web.

N: Users have no access to this component.
R: Users are allowed to view the component "Settings", but they are not allowed to add, edit, or remove settings.
D [W]:1 Users have full access to this component.

ste_storage2

This object controls the user role's ability to access files in Designer indirectly, via other Jedox functionalities (such as Integrator projects that load files to Designer or Upload Actions). The existing rights object ste_files continues to control the visibility of Designer. An Upload Action now works in end-user mode.

The rights object "ste_storage" is automatically created when OLAP starts. When the object is created, it copies the rights from "ste_files" except when "ste_files" is set to N (no rights); in that case, "ste_storage" is set to R (read).

N: Users are not allowed to access files.
R:

Users can view files accessed indirectly, but cannot write or delete them.

W: Users can read and write to files accessed indirectly.
D: Users have full access to files accessed indirectly, including deleting them.

ste_users2

Controls access to the User Manager, Group Manager, and Role Manager components of Jedox Web.

N: Users are not allowed to access User / Group / Role Manager.
D [R, W]:1 Users are allowed to access User / Group / Role Manager with generally full capabilities (may be restricted on specific items).

Note: to work in User Manager, the user’s role must also have full access (D) on the objects "user", "group", "password", and "rights".

Related rights objects: user, password, group, rights


sub-set view

Controls access to stored Subsets and stored Views on the OLAP server. If users have R rights or higher on "sub-set view", OLAP implicitly assigns R rights to the "user" and "group" rights objects.

Stored Subsets and Views are saved as elements in internal dimensions of the database. Thus, the user needs to have R rights on "dimension element" to access them. Higher rights (W or D) on "dimension element" are no longer required to create or modify stored Subsets and Views.

N: Users are not allowed access to stored Subsets and stored Views.
R: Users are allowed to read both private and global Subsets and Views.
W: Users can create, edit, and delete private Subsets and Views.
D: Users can create, edit, and delete both private and global Subsets and Views.

Related rights objects: user, group, dimension element


ste_views

Controls access to the "Drill Anywhere" feature. Note that this right object only works if the "sub-set view" is set to at least R level.

N: Users are not allowed to use the Drill Anywhere feature.
D [R, W]: Users have full access to the Drill Anywhere feature.

system operations

Controls access to the following items on administrative level:

  • #_CONFIGURATION cubes of databases
  • System-related OLAP server operations
  • Monitoring information (sessions, jobs)
N: Users have no access to system operations.*
R: Users have read access to system operations, i.e., they are allowed to retrieve system monitoring information.
W: Users are allowed to edit #_CONFIGURATION cubes. Users are allowed to execute the following OLAP API methods: /cube/save, /database/save, /server/save. Users are allowed to close sessions and to stop jobs.
D: Users are allowed to commit and to rollback changes on "Undo" areas, which have been defined by other users.
Users are allowed to remove licenses. Users are allowed to execute following OLAP API methods: /server/shutdown, /svs/restart, /cube/load, /cube/unload, /database/load, /database/unload.

*Exception: all users can always retrieve data from #_CONFIGURATION cubes, regardless of what is defined as an access right.

Related rights objects: ste_licenses, ste_sessions


user

Controls access to the #_USER_ dimension in the system database, which is used to handle users in the OLAP server.

N: Users have no access to #_USER_ dimension.*
R: Users can see "user" objects in the #_USER_ dimension of the System DB (or any other DB), but cannot edit / delete them.
W: Users are allowed to change "user" objects (rename users) and create new users.
D: Users are allowed to delete users.

*The #_USER dimension is also necessary for storing and reading so-called local Subsets, i.e., Subsets that are private to each user. If users have R rights or higher on "sub-set view" but N rights on "user", the OLAP server behaves as if the user has R rights for that Subset. The user rights in this case do not have to be changed explicitly by the designer or administrator.

Related rights objects: password, group, rights, sub-set view


user info

Controls the access to objects of type "user info" (databases, dimensions, cubes). Access to any data in cubes of this type is governed by this rights object. This is normally not relevant in end-user scenarios.

N: Users have no access to user info objects.*
R: Users have read access to user info objects.
W: Users have write access to user info objects.
D: Users have delete access to user info objects.

*Even with N access, every user is still generally allowed to access user info objects created by Jedox Web (necessary for access to the components Reports, Designer, and other Metadata).


1If a setting is noted in square brackets, it can be used, but it will have the same effect as the setting before the square brackets, which is recommended. For example: N [R, W]; in this case, N, R, W would have the same described effect, but it is recommended to only use N.

2Rights objects with the prefix "ste_" control access to various components of Jedox Web. For these objects, it is relevant what the license assigned to a user permits. For example, a user may have sufficient access to a "ste_" rights object to view the corresponding component in Jedox Web, but still be prohibited from using that component based on the license that has been assigned. The same is true if a license grants access, but the rights object access does not.

Updated November 4, 2024