Advanced security users and roles

Advanced security enables the security administrator to assign not only user-level permissions, but also role-level permissions.

A role is an arbitrary association based on whatever criteria the administrator selects. For example, a role might group users who perform the same common tasks, or users who need access to the same types of information.

Role-level permissions offer the convenience of setting permissions for any number of users at once. By combining user-level permissions and role-level permissions, the administrator can implement a complete security structure with whatever degree of compartmentalization is required.

Permissions are assigned to roles in the same way they are assigned to individual users. For example, there may be several quality assurance specialists who must perform the same tasks to test and analyze system performance.

Instead of setting the same permissions for each of those users, the administrator can:

  • Create a role called Quality Tester.
  • Set permissions once for the Quality Tester role.
  • Make all those users members of that role.

Roles can also be members of other roles. For example, the Quality Tester role might be a member of the System Operator role. This automatically extends all permissions that are granted to user members of the System Operator role to all user members of the Quality Tester role.

Interaction of user- and role-level permissions

Sometimes you must individualize permissions for a given user, even when that user's basic function is similar to that of other users. Advanced security is designed so that role-level permissions and user-level permissions can be combined to define the appropriate level of access for each individual user.

User membership in multiple roles

Any user can be a member of as many roles as necessary and thereby acquire all the permissions of all those roles.

When user-level and role-level permissions conflict, user-level permissions always take precedence. To ensure that a user is granted or denied a specific permission regardless of role membership, grant or deny that permission at the user level.

Roles as members of other roles

Making a role a member of another role extends all permissions that are granted to the second (higher-level) role to all members of the first (member) role. If a role belongs to two or more other roles, the member role is granted all permissions that are granted to every role to which it belongs.

Permissions that are explicitly specified for the lower-level role take precedence over those specified for the higher-level role. For example, suppose the System Operator role was denied Insert permission for a resource, but the Quality Tester role was granted that permission. In that case, the members of the Quality Tester role would be granted the Insert permission.
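The precedence rules above (user-level over role-level, a member role's explicit setting over the roles it belongs to, permissions inherited through role membership) can be checked with a small resolver. The following is an added illustration, not the product's own code; the resource name "perf_log", the user names, the deny-wins rule for conflicting sibling roles and the cycle guard are assumptions the page does not specify.

```python
from typing import Dict, Iterable, Optional, Set
GRANT, DENY = "grant", "deny"

def combine(results: Iterable[Optional[str]]) -> Optional[str]:
    # Assumption: when two sibling roles conflict, an explicit deny wins (the page leaves this case undefined).
    found = [r for r in results if r is not None]
    return None if not found else (DENY if DENY in found else GRANT)

class AdvancedSecurity:
    def __init__(self) -> None:
        self.user_perms: Dict[str, Dict[str, str]] = {}  # user -> {"resource:perm": GRANT|DENY}
        self.role_perms: Dict[str, Dict[str, str]] = {}  # role -> same layout
        self.user_roles: Dict[str, Set[str]] = {}        # user -> roles the user is a member of
        self.role_parents: Dict[str, Set[str]] = {}      # member role -> roles it belongs to
    def set_user(self, user: str, key: str, value: str) -> None:
        self.user_perms.setdefault(user, {})[key] = value
    def set_role(self, role: str, key: str, value: str) -> None:
        self.role_perms.setdefault(role, {})[key] = value
    def add_user_to_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)
    def add_role_to_role(self, member: str, parent: str) -> None:
        self.role_parents.setdefault(member, set()).add(parent)
    def _resolve_role(self, role: str, key: str, seen: Set[str]) -> Optional[str]:
        if role in seen:  # assumption: guard against cyclic role membership
            return None
        explicit = self.role_perms.get(role, {}).get(key)
        if explicit is not None:  # the lower-level role's own setting beats the roles it belongs to
            return explicit
        parents = self.role_parents.get(role, set())
        return combine(self._resolve_role(p, key, seen | {role}) for p in parents)
    def resolve(self, user: str, key: str) -> Optional[str]:
        explicit = self.user_perms.get(user, {}).get(key)
        if explicit is not None:  # user-level permissions always take precedence
            return explicit
        return combine(self._resolve_role(r, key, set()) for r in self.user_roles.get(user, set()))
    def is_allowed(self, user: str, key: str) -> bool:
        return self.resolve(user, key) == GRANT  # nothing specified anywhere means not permitted

def build_example() -> AdvancedSecurity:
    # Constructed data mirroring the page's scenario; "perf_log" and the user names are hypothetical.
    sec = AdvancedSecurity()
    sec.set_role("System Operator", "perf_log:Select", GRANT)
    sec.set_role("System Operator", "perf_log:Insert", DENY)
    sec.set_role("Quality Tester", "perf_log:Insert", GRANT)
    sec.add_role_to_role("Quality Tester", "System Operator")
    sec.add_user_to_role("alice", "Quality Tester")
    sec.add_user_to_role("bob", "Quality Tester")
    sec.set_user("bob", "perf_log:Insert", DENY)  # individual user-level override for one tester
    return sec
```

Running `build_example()` and calling `is_allowed` shows alice receiving Insert (the Quality Tester grant wins over the System Operator deny) and Select (inherited from System Operator), while bob's user-level deny on Insert stands despite the same role membership.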