Roles and Permissions FAQ
This section provides answers to frequently asked questions about roles and permissions in Atoti Limits.
My organization doesn’t require any restrictions for users. How do I configure Atoti Limits to allow all users to access all features?
The ROLE_LIMITS role is the all-access role in Atoti Limits. Assign this role to all users to allow them to access all features.
For data access, there are no restrictions by default, so all users can access all data.
Where do I configure roles and their permissions?
Roles should be assigned to users in the security configuration for both Atoti Limits and the connected Atoti server. This ensures that user access to the Limits KPIs and calculated members in the business cube is in sync with the data the user can access in Atoti Limits. We recommend that you place your security configurations in one module, then depend on that module in both Atoti Limits and the Atoti server.
Data access permissions are configured via properties in Atoti Limits. Define the permissions for each role in the application.yml file of the Atoti Limits module. The only configuration required in the Atoti server is to assign the relevant roles to users.
What is the difference between general roles, permission roles, and data access roles?
The general roles are pre-defined roles that define a user’s business function (user, manager, admin, and so on). These roles control access to key components of Atoti Limits, such as the REST API and Activiti. Each user should be assigned at least one of these roles and can have several, depending on their business function.
The permission roles are pre-defined roles that control access to specific features in Atoti Limits. Assign these roles to users to grant or restrict their ability to perform actions such as creating and evaluating limits. All users are required to have at least one of these roles in order to interact with the Atoti Limits module. ROLE_READ_ONLY is the role with the least access, ROLE_LIMITS is the full-access role, and each of the other roles provides access to a specific feature or subset of features.
The data access roles are custom roles that control the data users can access in Atoti Limits (including the KPIs and calculated members that Atoti Limits creates in the business cube). You must define the permissions for these roles in the application.yml file of the Atoti Limits module, then assign the roles to users in the security configuration. Users are not required to have a data access role and there is no limit to the number of data access roles a user can have.
Warning
Take care when assigning multiple data access roles to a user: the user has access only to the intersection of the data that each role provides, which effectively restricts what the user can access.
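The intersection rule in the warning above, as an added example that is not part of the Atoti Limits documentation or product code: a small audit that flags users whose combined data access roles narrow or empty their access. The data access role names, scope names and values are constructed, and the role-to-data model is an assumption, not the application.yml permission format.

```python
# Added example: models "multiple data access roles = intersection of their data".
# ROLE_DESK_* names, scopes and values are constructed for illustration only.
ALL = None  # marks a scope that a role does not restrict

# Constructed data access roles: scope name -> allowed values (ALL = unrestricted)
ROLE_DATA = {
    "ROLE_DESK_A": {"desk": {"A", "B"}, "region": ALL},
    "ROLE_DESK_B": {"desk": {"B", "C"}, "region": {"EMEA"}},
    "ROLE_DESK_C": {"desk": {"D"}, "region": ALL},
}

# Constructed users; ROLE_LIMITS / ROLE_READ_ONLY are permission roles, not data roles
USERS = {
    "alice": ["ROLE_LIMITS", "ROLE_DESK_A", "ROLE_DESK_B"],
    "bob": ["ROLE_READ_ONLY", "ROLE_DESK_A", "ROLE_DESK_C"],
    "carol": ["ROLE_READ_ONLY"],  # no data access role: unrestricted by default
}

def effective_access(data_roles):
    """Intersect the data granted by each data access role, scope by scope."""
    effective = {}
    for role in data_roles:
        for scope, allowed in ROLE_DATA[role].items():
            current = effective.get(scope, ALL)
            if allowed is ALL:
                effective.setdefault(scope, current)  # role adds no restriction
            elif current is ALL:
                effective[scope] = set(allowed)       # first restriction seen
            else:
                effective[scope] = current & allowed  # narrow further
    return effective

def audit(user_roles):
    """Report users whose combined data access roles narrow or empty a scope."""
    findings = {}
    for user, roles in user_roles.items():
        data_roles = [r for r in roles if r in ROLE_DATA]
        if len(data_roles) < 2:
            continue  # zero or one data access role: nothing to intersect
        eff = effective_access(data_roles)
        empty = sorted(s for s, v in eff.items() if v is not ALL and not v)
        narrowed = sorted(
            s for s, v in eff.items() if v is not ALL and v and any(
                ROLE_DATA[r].get(s, ALL) is ALL or v < ROLE_DATA[r][s]
                for r in data_roles))
        if empty or narrowed:
            findings[user] = {"empty": empty, "narrowed": narrowed, "effective": eff}
    return findings
```

A scope listed under "empty" means the roles have no data in common for that scope, so the user sees nothing there despite holding several roles.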
What is the purpose of the limits.autoconfiguration.content-service.limits-created-measures-owner property and when would I want to set this?
The limits.autoconfiguration.content-service.limits-created-measures-owner property determines the role(s) that can view the KPIs and calculated members created by Atoti Limits in the business cube. If this property is not set in the application configuration, it will be auto-configured based on the roles set as the Owners of the pivot/entitlements/kpi folder in the content server.
Depending on your organization’s security requirements, you might not want the auto-configured role(s) as In this case, you can set the limits.autoconfiguration.content-service.limits-created-measures-owner property to a specific role or set of roles in the application.yml file of the Atoti Limits module. Setting this property will override the auto-configured value.