Roles and Permissions FAQ

This section provides answers to frequently asked questions about roles and permissions in Atoti Limits.

My organization doesn’t require any restrictions for users. How do I configure Atoti Limits to allow all users to access all features?

The ROLE_LIMITS role is the all-access role in Atoti Limits. Assign this role to all users to allow them to access all features. For data access, there are no restrictions by default, so all users can access all data.

Where do I configure roles and their permissions?

Roles should be assigned to users in the security configuration for both Atoti Limits and the connected Atoti server. This ensures that user access to the Limits KPIs and calculated members in the business cube is in sync with the data the user can access in Atoti Limits. We recommend that you place your security configurations in one module, then depend on that module in both Atoti Limits and the Atoti server.

Data access permissions are configured via properties in Atoti Limits. Define the permissions for each role in the application.yml file of the Atoti Limits module. The only configuration required in the Atoti server is to assign the relevant roles to users.

What is the difference between general roles, permission roles, and data access roles?

The general roles are pre-defined roles that describe a user’s business function (user, manager, admin, and so on). These roles control access to key components of Atoti Limits, such as the REST API and Activiti. Each user should be assigned at least one of these roles and can have several, depending on their business function.

The permission roles are pre-defined roles that control access to specific features in Atoti Limits. Assign these roles to users to grant or restrict their ability to perform actions such as creating and evaluating limits. All users are required to have at least one of these roles in order to interact with the Atoti Limits module. ROLE_READ_ONLY is the role with the least access, ROLE_LIMITS is the full-access role, and each of the other roles provides access to a specific feature or subset of features.

The data access roles are custom roles that control the data users can access in Atoti Limits (including the KPIs and calculated members that Atoti Limits creates in the business cube). You must define the permissions for these roles in the application.yml file of the Atoti Limits module, then assign the roles to users in the security configuration. Users are not required to have a data access role and there is no limit to the number of data access roles a user can have.

Warning

Take care when assigning multiple data access roles to a user: the user has access only to the intersection of the data that each role provides, so every additional data access role narrows what the user can access.
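The following added example (not Atoti Limits code) models the intersection rule from the warning above so that role assignments can be audited before deployment. It assumes each data access role is a map from a dimension to its allowed members and that a dimension a role does not mention is unrestricted; the role names ROLE_DESK_EMEA, ROLE_DESK_FX and ROLE_DESK_NY, the Desk dimension, and the users are constructed for illustration.

```python
# Simplified model of intersection semantics for data access roles.
# Assumption: a role scope maps dimension -> allowed members, and a
# dimension missing from a scope is unrestricted for that role.

# Constructed sample data (hypothetical role names and members).
ROLE_SCOPES = {
    "ROLE_DESK_EMEA": {"Desk": {"EMEA Rates", "EMEA FX"}},
    "ROLE_DESK_FX": {"Desk": {"EMEA FX", "APAC FX"}},
    "ROLE_DESK_NY": {"Desk": {"NY Rates"}},
}
ASSIGNMENTS = {
    "alice": ["ROLE_LIMITS"],  # no data access role: unrestricted
    "bob": ["ROLE_READ_ONLY", "ROLE_DESK_EMEA", "ROLE_DESK_FX"],
    "carol": ["ROLE_LIMITS", "ROLE_DESK_EMEA", "ROLE_DESK_NY"],
}


def effective_scope(role_names, role_scopes):
    """Intersect the scopes of every data access role a user holds.

    Roles absent from role_scopes (general and permission roles) do not
    restrict data and are skipped. An empty result means unrestricted.
    """
    combined = {}
    for name in role_names:
        for dimension, members in role_scopes.get(name, {}).items():
            if dimension in combined:
                combined[dimension] &= members
            else:
                combined[dimension] = set(members)
    return combined


def audit(assignments, role_scopes):
    """Return {user: [dimensions]} where the combined roles allow no member."""
    findings = {}
    for user, role_names in assignments.items():
        scope = effective_scope(role_names, role_scopes)
        empty = sorted(d for d, members in scope.items() if not members)
        if empty:
            findings[user] = empty
    return findings


if __name__ == "__main__":
    for user, roles in ASSIGNMENTS.items():
        print(user, effective_scope(roles, ROLE_SCOPES))
    print("no visible data:", audit(ASSIGNMENTS, ROLE_SCOPES))
```

In this model carol holds the full-access permission role yet sees no desk at all, because her two data access roles have no member in common.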

What is the purpose of the limits.autoconfiguration.content-service.limits-created-measures-owner property and when would I want to set this?

The limits.autoconfiguration.content-service.limits-created-measures-owner property determines the role(s) that can view the KPIs and calculated members created by Atoti Limits in the business cube. If this property is not set in the application configuration, it will be auto-configured based on the roles set as the Owners of the pivot/entitlements/kpi folder in the content server.

Depending on your organization’s security requirements, you might not want the auto-configured role(s) as In this case, you can set the limits.autoconfiguration.content-service.limits-created-measures-owner property to a specific role or set of roles in the application.yml file of the Atoti Limits module. Setting this property will override the auto-configured value.