User permissions and user roles
The Permissions engine allows organisation Administrators (and in some cases Data Architects) to select which models and underlying entities can be accessed by which users and also to control which operations can be performed by these users.
The permissions engine differentiates three roles set for the users during the invitation process (see the User Management article for more details):
Admin - this user role completely bypasses the permissions engine and has access to all the models and underlying entities and all the functionality in the system.
Data Architect - this user role is dedicated to the creation of meta-data models, management of the dictionary, etc. The models and the functionality available to Data Architects are controlled by the Permissions engine.
Reviewer - this user role is dedicated to reviewing models, providing assistance or performing quality assurance. This user role can’t interact with a model other than viewing it or posting comments (if permitted).
Please note that these descriptions are not exhaustive but provide an overview of each intended role. Below is a shortened description of the most important permissions and their availability for assignment to user roles.
It is important to note that permissions can be assigned on three different levels of any model: the Model itself, Model Version and Framework level.
This allows for better management of accessibility of users to dedicated parts of the platform as envisaged by its administrators.
Adding users to the list of permissions of an object:
The permissions can be granted or revoked using the “Permissions” option in the object (Model, Model Version or Framework) overflow.
To add a user or a user group to the list first click on the “Users” field and search for the user or group you want to grant the permissions to:
Now select the role you want the selected user or group to have in the object (e.g. Data Architect).
Click the “Add permission” button to add the selected user or group with the chosen role to the permissions list.
Please note that the users or groups that are added with a “Reviewer” role will be able to only see the object and all the relevant concepts in it, but won’t be able to create, edit or delete any model concepts.
Model permissions:
Permission group | Permission name | Description |
---|---|---|
Import | XBRL | Enables user to Import new model version in XBRL format. Please note that this functionality’s availability is also subject to the SLA between BR-AG and your organisation (see the Import/Export global settings subsection below). |
Import | XLS | Enables user to Import new model version in MS Excel format. Please note that this functionality’s availability is also subject to the SLA between BR-AG and your organisation (see the Import/Export global settings subsection below). |
Import | DB | Enables user to Import new model version in Database file format. Please note that this functionality’s availability is also subject to the SLA between BR-AG and your organisation (see the Import/Export global settings subsection below). |
Users | Update | Enables user to manage and assign permissions to this model (this screen) |
Model | Update | Grants user the permission to edit the model and its properties |
Model | Read | Enables user to view the model. Removing this permission effectively removes access for a given user to the model |
Model | Delete | Grants user the ability to delete the model with all of its underlying entities |
Versions | Create | Allows user to create new versions of the model |
Please note that all the model permissions are applicable only to the users that possess the “Data Architect” role. The users that possess the “Reviewer” role can be granted only the “Model - Read” permission (any other permissions given to this type of user will be ignored by the permissions engine even if set).
Example:
In this case the user has read and update access to the model, enabling them to access the model and edit its properties, as well as the ability to create new versions inside the model. The user however cannot delete the model, add or remove users on the permissions list of this model, or import new versions using any of the XBRL, XLS or DB formats.
Model Version permissions:
Permission group | Permission name | Description |
---|---|---|
Users | Read | Enables user to view permissions for this model (this screen) |
Version | Read | Enables user to view the model version. Removing this permission effectively removes access for a given user to the model version |
Version | Update | Grants user the permission to edit the model version, its properties and the underlying entities (except Dictionary that has its own set of permissions, see below) |
Version | Delete | Grants user the permission to delete the model version with all of its underlying entities |
Dictionary | Read | Enables user to see the Dictionary of the current model version |
Dictionary | Create | Grants user the permission to create new entries in the model version’s dictionary |
Dictionary | Update | Grants user the permission to update existing entries in the model version’s dictionary |
Dictionary | Delete | Grants user the permission to delete entries in the model version’s dictionary |
Frameworks | Create | Enables user to create frameworks in the model |
XBRL export | Read | Grants user the permission to see XBRL files exported by other users (see the Import/Export global settings subsection below). |
XBRL export | Manage | Enables user to initiate export of the model version in XBRL format (see the Import/Export global settings subsection below). |
DB export | Read | Grants user the permission to see DB files exported by other users (see the Import/Export global settings subsection below). |
DB export | Manage | Enables user to initiate export of the model version in DB file format (see the Import/Export global settings subsection below). |
EXCEL export | Read | Grants user the permission to see MS Excel files exported by other users (see the Import/Export global settings subsection below). |
EXCEL export | Manage | Enables user to initiate export of the model version in MS Excel format (see the Import/Export global settings subsection below). |
Comment | Read | Grants user the permission to see comments posted by other users inside the given model version |
Comment | Create | Enables user to post comments inside the given model version |
Comment | Update | Enables user to edit the comments posted by other users (e.g. to mark a comment as accepted/rejected or change its priority) |
Comment | Delete | Enables user to delete comments |
Please note that the “Create”, “Update”, “Delete” and “Manage” permissions are not applicable to the users that possess only the “Reviewer” role and will be ignored by the permissions engine even if set. The only exception is “Comment - Create” because the reviewers can be granted the permission to post comments.
Also, the comment permissions in the model version apply only to the dictionary concepts and the References section (which are stored on the model version level), so to comment on elements stored on the framework level (e.g. a table) the user needs permissions in the framework.
Example:
In this example the user:
has full access to the model version and its properties, and is able to see, edit or even delete the model version
has full access to the dictionary of this model version
is able to see and download exports in DB format initiated by other users
can see comments made by other users, post comments, and edit and even delete comments posted by other users
However the user cannot:
change permissions for this model version
initiate exports in any format
see or download exports in XBRL or MS Excel formats initiated by other users.
Framework permissions:
Permission group | Permission name | Description |
---|---|---|
Framework | Read | Enables user to view the framework. Removing this permission effectively removes access for a given user to the framework and all of its versions |
Framework | Update | Grants user the permission to edit the framework, its properties and the underlying entities (except Dictionary that has its own set of permissions, see below) |
Framework | Delete | Grants user the permission to delete the framework with all of its underlying entities |
Comment | Read | Grants user the permission to see comments posted by other users inside the given framework |
Comment | Create | Enables user to post comments inside the given framework |
Comment | Update | Enables user to edit the comments posted by other users (e.g. to mark a comment as accepted/rejected or change its priority) |
Comment | Delete | Enables user to delete comments |
Please note: the “Framework - Update” and “Framework - Delete” permissions are not applicable to the users that possess only the “Reviewer” role and will be ignored by the permissions engine even if set.
Example:
In this case the user can see and edit the Framework or any of its underlying objects (e.g. framework versions, tables, business rules etc.). But they can’t delete the framework, comment on it or see other users' comments.
Default permissions
The user that creates a new Model, Model Version or Framework automatically gets the full set of permissions to the created object (that is, the creator is permitted to do anything they want with the objects they create).
When a Model Version or a Framework is copied, the permissions set for the source object are also copied to the copy.
Import/Export Global Settings
The availability of the Import and Export functions in various formats (XBRL/DB/Excel) for different user roles is also managed on the back end of the ATOME: Matter platform by BR-AG and is bound by contractual agreement. You can check which functions are available on your environment in the “Interoperability” tab of the “Edit organisation” dialog, but they can be set only by a BR-AG employee according to the SLA between BR-AG and your organisation.
There are three possible selections for each function in the table:
None: the users in this role do not have access to the selected function
Download: the users in this role can see the imports/exports initiated by other users and download the imported/exported files, but cannot initiate the import or export themselves
Manage: the users in this role can initiate the import or export function, provided they have permission to do so via the object’s permission dialog, and they can also see the imports/exports initiated by other users and download the imported/exported files
Note that the XBRL, Excel and DB Import functions are available only for ITA-type models and are currently not supported for DPM-type models.
Example:
In this case:
Admins can import models and other dedicated materials to ATOME: Matter and export them in any available format
Data Architects are only able to download already existing models and dedicated materials in every format supported by the platform, with the exception of imported XBRL files
Reviewers are not allowed to do any of those tasks
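The three layers described on this page (user role, object-level grants and the organisation-wide Import/Export setting) can be modelled as one decision function, which helps when reviewing what a permissions list actually grants once ignored entries are discounted. This is an added example, not ATOME: Matter code; the function names, the `"<format> import"` setting keys, treating a missing setting as None, and applying the global setting to Admins as well are assumptions.

```python
# Added example: models the rules stated on this page; not ATOME: Matter code.
WRITE_NAMES = {"Create", "Update", "Delete", "Manage"}
EXPORT_GROUPS = {"XBRL export", "DB export", "EXCEL export"}

def reviewer_honoured(level, group, name):
    """True if the page says the engine honours this grant for a Reviewer."""
    if level == "model":
        return (group, name) == ("Model", "Read")
    if level == "version":
        return name not in WRITE_NAMES or (group, name) == ("Comment", "Create")
    if level == "framework":
        return (group, name) not in {("Framework", "Update"), ("Framework", "Delete")}
    raise ValueError(f"unknown level: {level}")

def global_setting_ok(role, group, name, org_settings):
    """Apply the organisation-wide None / Download / Manage selection."""
    if group == "Import":                 # Import | XBRL, XLS, DB
        function, initiating = f"{name} import", True
    elif group in EXPORT_GROUPS:          # "<format> export" | Read or Manage
        function, initiating = group, name == "Manage"
    else:
        return True                       # not an import/export permission
    setting = org_settings.get((role, function), "None")  # assumption: absent means None
    return setting == "Manage" if initiating else setting in {"Download", "Manage"}

def is_allowed(role, grants, level, group, name, org_settings):
    """Effective decision = role filter AND object grant AND global setting."""
    if role == "Admin":
        object_ok = True                  # Admin bypasses the permissions engine
    else:
        object_ok = (group, name) in grants
        if role == "Reviewer":
            object_ok = object_ok and reviewer_honoured(level, group, name)
    return object_ok and global_setting_ok(role, group, name, org_settings)

# Constructed sample data (not taken from a real environment).
ORG = {("Admin", "XBRL import"): "Manage", ("Admin", "XBRL export"): "Manage",
       ("Data Architect", "XBRL export"): "Download"}
REVIEWER_GRANTS = {("Version", "Read"), ("Version", "Update"), ("Comment", "Create")}
ARCHITECT_GRANTS = {("XBRL export", "Read"), ("XBRL export", "Manage")}

def demo():
    return {
        "reviewer_update": is_allowed("Reviewer", REVIEWER_GRANTS, "version", "Version", "Update", ORG),
        "reviewer_comment": is_allowed("Reviewer", REVIEWER_GRANTS, "version", "Comment", "Create", ORG),
        "architect_download": is_allowed("Data Architect", ARCHITECT_GRANTS, "version", "XBRL export", "Read", ORG),
        "architect_initiate": is_allowed("Data Architect", ARCHITECT_GRANTS, "version", "XBRL export", "Manage", ORG),
        "admin_import": is_allowed("Admin", set(), "model", "Import", "XBRL", ORG),
    }
```

In the sample data the Reviewer's “Version - Update” grant and the Data Architect's “XBRL export - Manage” grant both appear on the permissions list yet evaluate to denied, which is the gap between listed and effective rights that an access review should look for.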