Roles and permissions

LUY provides access control for defining and restricting permissions by using roles.

The assignment of roles to users is not managed in LUY. It can be handled in the organization’s identity management system, or the built-in internal user management iTURM can be used.

Key points of LUY and identity management

  • Role names in LUY must exactly match the role/group names in the identity management system, while respecting case sensitivity.

  • If a user is present in multiple groups and these groups are sent from the identity management system, they will be matched to roles in LUY and all the matching roles will be effective for that user. The resulting permissions are a combination from all applicable roles.

  • The only static and uneditable role is "luy_Supervisor". Users with this role assigned (either directly or by hierarchical role) have all privileges in LUY, independent of any other configuration.

The role “luy_Supervisor” must not be deleted.

Permissions summary

When selecting a certain role on the “roles and permissions” page, the effective permissions of this role are shown. Roles in the LUY permission system might hand their settings down to another role. These are called subordinate roles. The resulting access rights based on this hierarchical role structure are displayed as grey checkboxes. 

Permissions to view and edit data

The permissions to read, create, update and delete (CRUD) building block types and business mappings can be set with the displayed checkboxes.

  • Read: Users with a role with this permission can view all information about building block types and business mappings. This permission is required to grant further permissions.

  • Update: Users with this permission are able to edit building block types and business mappings.

  • Create: Users with this permission are able to create building block types and business mappings.
    The “copy” action is also protected by this permission.

  • Delete: Users with this permission are able to delete building block types and business mappings.

Permissions for relations

Permissions for the relations between building block types A and B are derived from the building block type permissions as follows:

  • If a user has read permissions for A and B, then the user has the permission to view the relations between building blocks of those types.

  • If a user has update, create or delete permissions for either A or B, then the user has the permission to edit the relations between building blocks of those types, meaning updating, adding and removing relations is possible.
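
The matching rules under "Key points of LUY and identity management" and the relation rules above, modelled as an added example (not LUY's own code): exact, case-sensitive matching of identity management groups to roles, the union of permissions across matching roles, the luy_Supervisor override, and relation rights derived from building block type permissions. All role names except luy_Supervisor, the building block types and the audit helper `near_miss_groups` are constructed for illustration; the role hierarchy is not modelled.

```python
# Added example: a model of the rules described on this page, not LUY code.
SUPERVISOR = "luy_Supervisor"  # the one static role named on the page

# Constructed role configuration: role name -> {building block type: CRUD set}.
ROLES = {
    "EA_Reader": {"Application": {"read"}, "Interface": {"read"}},
    "App_Owner": {"Application": {"read", "update"}},
}
ALL_TYPES = {"Application", "Interface"}
CRUD = {"read", "create", "update", "delete"}


def effective_roles(idp_groups):
    """Groups sent by the identity system that exactly match a LUY role name."""
    known = set(ROLES) | {SUPERVISOR}
    return {g for g in idp_groups if g in known}  # case-sensitive comparison


def effective_permissions(idp_groups):
    """Union of the CRUD permissions of every matching role."""
    roles = effective_roles(idp_groups)
    if SUPERVISOR in roles:  # all privileges, independent of other configuration
        return {t: set(CRUD) for t in ALL_TYPES}
    perms = {}
    for role in roles:
        for bbt, ops in ROLES[role].items():
            perms.setdefault(bbt, set()).update(ops)
    return perms


def relation_access(perms, a, b):
    """Derive view/edit rights on relations between types a and b."""
    pa, pb = perms.get(a, set()), perms.get(b, set())
    can_view = "read" in pa and "read" in pb
    can_edit = bool((pa | pb) & {"update", "create", "delete"})
    return {"view": can_view, "edit": can_edit}


def near_miss_groups(idp_groups):
    """Audit helper (hypothetical): groups that differ from a role only by case."""
    by_lower = {r.lower(): r for r in set(ROLES) | {SUPERVISOR}}
    matched = effective_roles(idp_groups)
    return {g: by_lower[g.lower()] for g in idp_groups
            if g not in matched and g.lower() in by_lower}
```

Running `near_miss_groups` over the groups an identity provider actually sends shows which users silently receive no role because of a casing mismatch.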

Functional permissions

Functional permissions control the visibility of certain tiles on the start screen, as well as the access to specific functions. For a detailed description, see the following table:

List of functional permissions

| Functional permission | Description | Affected feature or area of user interface (menu entry / tab) |
| --- | --- | --- |
| Configure attribute and groups | Permission to add, edit or delete attributes. Be aware that users without this permission can still edit attribute values. Permission to add, edit or delete attribute groups and control edit rights. | Administration / Attribute groups |
| Configure LUY | Permission to edit the configuration of LUY. | Administration / System |
| Configure plugin API | Permission to create, edit, delete and run scripts of the plugin API. Be aware that plugin scripts can access all data, independent of the user who created or executes the script. | Administration / plugin API |
| Share reports | Permission to edit, create and delete saved queries. Controls sharing dialogs and external sharing, too. | Reports / Saved queries |
| Edit customization | Permission to customize LUY. | Administration / Customizing |
| Edit roles and grant permissions | Permission to manage roles and permissions. | Administration / Roles and permissions |
| Execute bulk updates | Permission to execute bulk updates/mass updates via the multi mode. | Lists / Multi mode |
| Execute iteraQL power queries | Permission to use the query console to execute iteraQL power queries. Note that this permission does not control iteraQL queries via the REST API. | Reports / Query console |
| Export diagrams and lists | Permission to export various reports as JPG, PDF, CSV, Excel, etc. | |
| Manage surveys | Permission to create/edit/delete surveys. | Administration / Surveys |
| Manage users | Permission to manage users. | Administration / Users |
| Run import and export | Permission to import and export data. | Reports / Export/Import |
| Share diagrams reports externally | Permission to share diagram reports externally (via sharing link). Be aware that this permission is also affected by the share reports permission. | Reports / Saved queries |
| Share building block type list reports externally | Permission to share building block type list reports externally (via sharing link). Be aware that this permission is also affected by the share reports permission. | Reports / Saved queries |
| Subscribe to building blocks and reports | Permission to subscribe to changes of building blocks and reports and view your personal subscriptions. | Lists / Subscribers |
| Supervising data | Permission to delete all comments on building blocks. | Single element view / Comments |
| Use custom dashboard | Permission to use custom dashboards. | Reports / Custom dashboard |
| Use diagram builder | Permission to access the diagram builder. | Diagrams / Diagram builder |
| Use nested cluster | Permission to access the nested cluster. | Diagrams / Nested cluster |
| Use global search | Permission to run a global search on building blocks. | Start / Search input box |
| Use graphics reactor | Permission to access and use the LUY graphics reactor. | Reports / Graphics reactor |
| Use navigator | Permission to access the navigator. | Diagrams / Navigator |
| Use personal global filter | Permission to use the personal global filter. | Complete application |
| Use diagrams | Permission to use all built-in diagrams. | Diagrams / <all diagram types> |
| View all subscribers of a building block | Permission to view subscribers of a building block. | Lists / Subscribers |
| View history | Permission to view a building block's history. | Single element view / History tab |
| View roles and permissions | Permission to view roles and permissions. | Administration / Roles and permissions |

Read and write access for attribute groups

In LUY, it is possible to restrict the read and write permissions for attributes by setting the permission for the whole attribute group. For each group and each role, the access can be set to read-only or read/write.

If no permissions are set for attribute groups, the permissions are taken from the attributes themselves.
