The Roles section

This topic describes what user Roles are and how to manage them in the Roles section of the System Administration area.

Roles are security profiles that you associate with Board users in the Users section of the Subscription Hub. They contain information that defines a Board user's access to the Data models of a Platform (via Database Security profiles and security selections) and access to various Platform features (via Application Profiles that are managed in the Features section).

Roles (and the associated Application Profiles) represent the second security layer of Board's Four Security Layers model.

To access the Roles section, access the System Administration space of the desired Platform and click on the Roles tile. You will be taken to the Roles page.

In the Roles section, you can see all existing Roles and their main information: the table is sortable and searchable using the interactive header fields. You can also show or hide columns to your liking, by clicking the Column chooser button in the upper right corner of the table.

The table contains the following information:

• Name. This column displays the name of each Role

• Folder security. This column displays the name of the Folder security profile assigned to the Role

• Feature. This column displays the name of the Application Profile made in the Features section

• Default database security profile. This column displays the name of the default Database security profile associated with each Role. See Database security for more information

Creating a Role

To create a Role, proceed as follows:

1. Click on the  button next to the "Roles" title in the top left corner to bring up the Role configuration panel

2. Enter the name of the Role in the "Name" field.

3. (Optionally & only if Folder security is enabled) Associate Folder security profiles. Under the "Folder security" section, enable the desired Folder security profiles in the list to associate them with a Role. The "Folder security" section is only visible when the "Enable Folder Profile Security" option is enabled in the Folder security section

   If the Folder profile security option is not enabled, users will have access to all Capsules and Capsule Folders (of the Platforms they are associated with in the Subscription Hub) by default.

   In the case of a Role associated with multiple Folder security profiles that have overlapping security rules (i.e. different access levels for the same Capsule folder), the rules with higher privileges will take precedence over the others.

   

4. Choose an Application Profile from the dropdown list under the "Features" section 

5. Associate Database security profiles. Enter the name of an existing Database security profile in the "Default database security profile" field under the "Data Models" section to associate it with a Role. In addition, you can specify a Database security profile for each Data model separately. To do this, click on "+ DB PROFILE" to open the configuration window, then choose a Data model from the dropdown menu and enter the name of the Database security profile in the "Profile" field, and then click "ADD".  You will see this profile display in the table below. When a user enters a Capsule, the Database security profiles are applied in the following way:

   • Roles without an associated Database security profile. A user with this Role will not have access to values stored in the Cubes of any Data model that contains at least one Database security profile; the user can access values stored in the Cubes of only Data models that do not contain any Database security profiles

   • Roles associated with only the default Database security profile. A user with this Role will have access to values stored in the Cubes of all the Data models that either contain that same Database security profile, or do not contain any Database security profiles

   • Roles associated with different Database security profiles for different Data models. A user with this Role will have access only to values stored in the Cubes of the specified Data models, provided they contain the specified Database security profiles. In the case of a Role with both the default Database security profile and the specific profiles for different Data models, the specific ones will be applied first and the default one will be applied after, even if a Data model contains both security profiles. For example, if you associate a user Role with both a default "MANAGER" profile with full privileges and the "STANDARD" profile with limited privileges to a specific Data model, the user will access that Data model with the "STANDARD" profile, even if the Data model contains both security profiles

     The rules above also apply when a user tries to access the Data model design space of a Data model.

     The type of access to a Data model and its resources depends on the authorizations of the Database security profiles associated with the Roles. See Database security profiles for more information.

   

6. (Optional) Configure selections. If needed, you can configure and apply security selections and custom selection scripts to a user Role for each Data model under the "Select" section. These are filters that allow you to restrict access to data within Cubes or Entities, both in the Capsules/Presentations environment and in the Data model designer space. You can do this by applying a selection to the Entity members associated with the desired Cube or feature: users affected by these selections will only have access to values and data within the applied selection.
   To configure the selections, click on "+ SECURITY SELECTION” to open the window to configure a security selection and proceed as follows:

   • Add security selections (1). First select a Data model from the dropdown menu at the top of the window that you would like the security selection to apply to, then choose the desired Entity members from the Select window by clicking on the "SELECTION" button under the "Select"section, and click APPLY. Then, click ADD to add the security selection. Only data related to the selected Entity members will be visible to the user associated with this Role

   • Add a Custom selection script (2). First select a Data model from the dropdown menu at the top of the window that you would like the security selection to apply to, then enter a Custom selection script in the “Custom selection script” field by using the following syntax:

     SELECT EntityName=Member1,Member2,Member3,etc.  (for example, SELECT Country=France,Italy)

     Then, click "ADD” to add the security selection. The Custom selection script can also be used to dynamically filter data displayed in Board for each user by using Security Filters in Security filters, Substitution formulas or Metadata variables. See Add and manage User metadata to use selection scripts based on custom user metadata defined in the Subscription Hub. Read the Security filters section for more details on Custom selection scripts, including unbalanced hierarchies special select scripts

     If you configure security selections and custom selection scripts on the same user Role, Board will apply the security selections first, and then it will apply the selection based on the custom selection scripts, following their order from top to bottom.
     Selections applied in Play mode can also be saved using Select Bookmarks, even if the "Deny selection editor" option is enabled on the security profile associated with the active user.

     These selections at a Role level are meant to enrich the flexibility given to Makers when defining the security architecture, for example, defining certain entities at Role level and then further restricting them at the Database level.
     Do not overlap these definitions on the same entities for which security has been defined at the Database profile level, at which the security should be simply defined.

   • Add a Security Select based on Cube (3). First select a Data model from the dropdown menu at the top of the window that you would like the security selection to apply to, then, under the "Select Entity based on Cube" section, select the desired Entity from the "Entities" dropdown list. Select the desired Cube from the "Cubes" dropdown list. Click the blue check mark on the right to add the Dynamic selection. Then, click ADD to add the security selection. Read more about the details of the "Select Entity based on Cube" feature.  

7. Click on "CREATE" in the bottom right corner of the screen to create and save the Role.

Read more about the best practices of defining security settings at the Role level and Database level.

Managing Roles

To edit a Role, select it and click the pencil icon to modify the desired options as explained in the steps of the previous paragraph.

To delete one or more Roles, select the desired ones and then click on the trashcan icon.

Changes made to the Database security profiles and Folder profiles of a Role will have an immediate effect on the users associated with it. On the other hand, changes made to the security selections will be applied only after the user associated with the Role signs out of the Platform and then signs in again.

Changes made to an Application Profile will be applied only when the user associated with it signs out of the Platform and then signs in again.

Assign a Role to a user

To assign a Role to a user, proceed as follows:

1. Go to the Users section in the Subscription Hub

2. Select the user you want to assign a Role to

3. Choose the Role in the dropdown menu under the "Role" column of the "Platform authorization" table 

If you change the Role of a user who is currently logged into a Platform, the change will not take effect until the user logs out of the Platform and then logs in again.