Controlling access to functionality: Privileges

As discussed earlier in this chapter, there are different types of users and groups in the user community. It is your responsibility as a system administrator to assign privileges to users and groups. They give you full control over the user experience.

Privileges give users access to specific MicroStrategy functionality. For example, the Create Metric privilege allows the user to use the Metric Editor to create a new metric, and the Monitor Caches privilege allows the user to view cache information in the Cache Monitor.

There is a special privilege called Bypass All Object Security Access Checks. Users with this privilege can ignore the access control permissions and are considered to have full control over all objects. For information about permissions, see Controlling access to objects: Permissions.

Based on their different privileges, the users and user groups can perform different types of operations in the MicroStrategy system. If a user does not have a certain privilege, that user does not have access to that privilege’s functionality. You can see which users are using certain privileges by using License Manager (see Using License Manager).

Most privileges may be granted within a specific project or across all projects. Certain administrative privileges, such as Configure Group Membership, do not apply to specific projects and can only be granted at the project source level.

For a complete list of privileges and what they control in the system, see the List of Privileges chapter in the Supplemental Reference for System Administration.

Assigning privileges to users and groups

Privileges can be assigned to users and user groups directly or through security roles. The difference is that the former grants functionality across all projects while the latter only apply within a specified project (see Defining sets of privileges: Security roles).

To assign privileges to users or groups

1 From Developer User Manager, edit the user with the User Editor or edit the group with the Group Editor.
2 Expand User Definition or Group Definition, and then select Project Access.
3 Select the check boxes to grant privileges to the user or group.

Rather than assigning individual users and groups these privileges, it may be easier for you to create Security Roles (collections of privileges) and assign them to users and groups. Then you can assign additional privileges individually when there are exceptions. For more information about security roles, see Defining sets of privileges: Security roles.

Assigning privileges to multiple users at once

You can grant, revoke, and replace the existing privileges of users, user groups, or security roles with the Find and Replace Privileges dialog box. This dialog box allows you to search for the user, user group, or security role and change their privileges, depending on the tasks required for their work.

For example, your organization is upgrading Flash on all users’ machines. Until the time the Flash update is completed, the users will not be able to export reports to Flash. You can use Find and Replace Privileges to revoke the Export to Flash privilege assigned to users, and when the upgrade is complete you can grant the privilege to the users again.

To access the Find and Replace Privileges dialog box, in Developer, right-click the User Manager and select Find and Replace Privileges. The Find and Replace Privileges dialog box opens. For detailed instructions on how to find and replace privileges, see the MicroStrategy Developer Help.

How are privileges inherited?

A user’s privileges within a given project include the following:

Privileges assigned directly to the user (see Assigning privileges to users and groups)
Privileges assigned to any groups of which the user is a member (see About MicroStrategy user groups)

Groups also inherit privileges from their parent groups.

Privileges assigned to any security roles that are assigned to the user within the project (see Defining sets of privileges: Security roles)
Privileges assigned to any security roles that are assigned to a group of which the user is a member

Predefined user groups and privileges

MicroStrategy comes with several predefined user groups. For a complete list and explanation of these groups, see About MicroStrategy user groups. These groups possess the following privileges:

Everyone, Public/Guest, Third Party Users, LDAP Public/Guest, and LDAP Users, have no predefined privileges.
The predefined product-based user groups possess all the privileges associated with their corresponding products. For a list of these groups, see Groups corresponding to product offerings.

International Users is a member of the following product-based groups: Analyst, Mobile User, Web Reporter, and Web Analyst. It has the privileges associated with these groups.

System Monitors and its member groups have privileges based on their expected roles in the company. To see the privileges assigned to each group, right-click the group and select Grant Access to Projects.

How predefined user groups inherit privileges

Several of the predefined user groups form hierarchies, which allow groups to inherit privileges from any groups at a higher level within the hierarchy. These hierarchies are as follows:

Web Reporter
Web Analyst

- Web Professional

In the case of the MicroStrategy Web user groups, the Web Analyst inherits the privileges of the Web Reporter. The Web Professional inherits the privileges of both the Web Analyst and Web Reporter. The Web Professional user group has the complete set of MicroStrategy Web privileges.

Analyst
Developer

In the case of the MicroStrategy Developer user groups, the Developer inherits the privileges of the Analyst and therefore has more privileges than the Analysts.

System Monitors
various System Monitors groups

The various System Monitors user groups inherit the privileges of the System Monitors user group and therefore have more privileges than the System Monitors. Each has its own specific set of privileges in addition, that are not shared by the other System Monitors groups.

International Users

This group inherits the privileges of the Analyst, Mobile User, Web Reporter, and Web Analyst groups.