Permissions for users assigned to multiple roles

Different roles can grant different permissions for the same member set. When a user belongs to more than one role, the user inherits the permissions from all roles to which he or she belongs. However, Read and Write permissions are calculated differently from each other.

  • Read permissions. Users can read every combination of members (tuple) that can be formed from the members they have been granted Read access to in any of their roles, including combinations that no single role grants.

  • Write permissions. Users can only write to the specific tuples that they have been granted Write access to in each role.

For example, suppose that a model contains a Product member set and a Region member set. Each member set contains two members. The Product member set contains Ski Jackets and Ski Poles, and the Region member set contains Asia and Europe. Two business roles are defined as follows:

Role 1: Permissions for role 1 to the Region and Product member sets

Read access: Ski Jackets + Asia

Write access: Ski Jackets + Asia

Role 2: Permissions for role 2 to the Region and Product member sets

Read access: Ski Poles + Europe

Write access: Ski Poles + Europe

As a result, a user who belongs to Role 1 can read and write to sales data for Ski Jackets in Asia. A user who belongs to Role 2 can read and write to sales data for Ski Poles in Europe. But when the user belongs to both roles, that user will have the following permissions for the Region and Product member sets:

Read access: Ski Jackets + Asia; Ski Poles + Europe; Ski Jackets + Europe; Ski Poles + Asia

Write access: Ski Jackets + Asia; Ski Poles + Europe
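The aggregation rules above can be modelled for an access review. The following Python sketch is an added example, not code from the product: it assumes Read access is the cross product of the members granted per member set across all of a user's roles and Write access is the union of each role's own tuples, which reproduces the result above. The names ROLES, MEMBER_SETS, role_tuples and effective_permissions are hypothetical.

```python
from itertools import product

# Constructed role definitions mirroring the Product/Region example above.
# Assumed model: each role lists the members it grants per member set.
MEMBER_SETS = ("Product", "Region")  # fixed order of each tuple
ROLES = {
    "Role 1": {"read": {"Product": {"Ski Jackets"}, "Region": {"Asia"}},
               "write": {"Product": {"Ski Jackets"}, "Region": {"Asia"}}},
    "Role 2": {"read": {"Product": {"Ski Poles"}, "Region": {"Europe"}},
               "write": {"Product": {"Ski Poles"}, "Region": {"Europe"}}},
}


def role_tuples(grant):
    """Tuples one role grants on its own: cross product of its members.

    A role with no members for some member set grants no tuples at all.
    """
    return set(product(*(grant.get(ms, set()) for ms in MEMBER_SETS)))


def effective_permissions(role_names, roles=ROLES):
    """Return (read, write, widened) tuple sets for a user in role_names.

    widened holds the tuples the user can read only because the roles
    were combined; these are the ones an access review should look at.
    """
    merged = {ms: set() for ms in MEMBER_SETS}
    per_role_read, write = set(), set()
    for name in role_names:
        role = roles[name]
        for ms in MEMBER_SETS:
            merged[ms] |= role["read"].get(ms, set())  # union per member set
        per_role_read |= role_tuples(role["read"])
        write |= role_tuples(role["write"])  # write stays per-role tuples
    read = set(product(*(merged[ms] for ms in MEMBER_SETS)))
    return read, write, read - per_role_read


if __name__ == "__main__":
    read, write, widened = effective_permissions(["Role 1", "Role 2"])
    for label, tuples in (("Read", read), ("Write", write),
                          ("Read only through role combination", widened)):
        print(f"{label}: " + "; ".join(" + ".join(t) for t in sorted(tuples)))
```
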
