LUY provides access control for defining and restricting permissions by using roles.
The assignments of roles to users are not managed in LUY. It can be associated within the organization’s identity management system, or the internal user management iTURM (built-in) can be used.
Key points of LUY and identity management
Role names in LUY must exactly match the role/group names in the identity management system, while respecting case sensitivity.
If a user is present in multiple groups and these groups are sent from the identity management system, they will be matched to roles in LUY and all the matching roles will be effective for that user. The resulting permissions are a combination from all applicable roles.
The only static and uneditable role is "luy_Supervisor". Users with this role assigned (either directly or by hierarchical role) have all privileges in LUY, independent of any other configuration.
The role “luy_Supervisor” must not be deleted.
Permissions summary
When selecting a certain role on the “roles and permissions” page, the effective permissions of this role are shown. Roles in the LUY permission system might hand their settings down to another role. These are called subordinate roles. The resulting access rights based on this hierarchical role structure are displayed as grey checkboxes.
Permissions to view and edit data
The permissions to read, create, update and delete (CRUD) building block types and business mappings can be set with the displayed checkboxes.
Read: Users with a role with this permission can view all information about building block types and business mappings. This permission is required to grant further permissions.
Update: Users with this permission are able to edit building block types and business mappings.
Create: Users with this permission are able to create building block types and business mappings. The “copy” action is also protected by this permission.
Delete: Users with this permission are able to delete building block types and business mappings.
Permissions for relations
Permissions for the relations between building block types A and B, are derived from the building block type permissions as follows:
If a user has read permissions for A and B, then the user has the permission to view the relations between building blocks of those types.
If a user has update, create or delete permissions for either A or B, then the user has the permission to edit the relations between building blocks of those types, meaning updating, adding and removing relations is possible.
Functional permissions
Functional permissions control the visibility of certain tiles on the start screen, as well as the access to specific functions. For a detailed description, expand the following table:
List of functional permissions
Functional permission
Description Affected feature or area of user interface / menu entry / tab
Configure attribute and groups
Permission to create, edit or delete attributes in LUY
Administration / Attribute groups
Configure LUY
Permission to edit the configuration of LUY
Administration / System
Configure global filters
Permission to view and edit the content of global filters
Reports / Global filters
Configure plugin API
Permission to create, edit, delete and run reactions with the plugin API
Be aware that plugin scripts can access all data, independent of what user created the script or executes it.
Administration / Plugin API
Share reports
Permission to edit, create and delete reports
Also controls use of sharing dialogs and external sharing
Reports / Reports
Edit customization
Permission to configure the customizing of LUY
Administration / Customizing
Edit metamodel
Permission to customize the metamodel of LUY
Administration / Metamodel
Edit roles and grant permissions
Permission to manage roles and permissions
Administration / Roles and permissions
Execute bulk updates
Permission to execute bulk updates/mass updates via the “multi mode”
Lists / Multi mode
Execute iteraQL power queries
Permission to use the query console to execute iteraQL power queries. Note that this permission does not control iteraQL queries via the REST API.
Reports / Query Console
Export diagrams and lists
Permission to export diagrams and lists as jpg, pdf, csv, excel, etc.
Manage surveys
Permission to create/edit/delete surveys
Administration / Surveys
Manage users
Permission to manage users
Administration / Users
Run import and export
Permission to import and export data
Reports / Export and Import
Share diagrams reports externally
Permission to share diagram reports externally (via sharing link)
Be aware that this permission is also affected by “Share Reports” permission.
Reports / Reports
Share building block type list reports externally
Permission to share building block type list reports externally (via sharing link)
Be aware that this permission is also affected by “Share Reports” permission.
Reports / Reports
Subscribe to building blocks and reports
Permission to subscribe to building blocks, reports and view your personal subscriptions
Lists / Subscribers
Supervising data
Permission to delete all comments on building blocks
Single element view / Comments
Use custom dashboard
Permission to use custom dashboards
Reports / Custom Dashboard
Use nested cluster
Permission to access the “nested cluster” diagram
Diagrams / Nested cluster
Use global search
Permission to the run global search on building blocks
Start / Search input box
Use graphics reactor
Permission to access and use the “graphics reactor”
Reports / Graphics reactor
Use navigator
Permission to access the navigator
Diagrams / Navigator
Use global filters
Permission to use the “global filter”
Complete application
Use diagrams
Permission to use all built-in diagrams
Diagrams / <all diagram types>
View all subscribers of a building block
Permission to view subscribers of a building block
Lists / Subscribers
View history
Permission to view building block type and element history
Single element view / History tab
View roles and permissions
Permission to view roles and permissions
Administration / Roles and permissions
Read and write access for attribute groups
In LUY, it is possible to restrict the read and write permissions for attributes by setting the permission for the whole attribute group. For each group and each role, the access can be set to read-only or read/write.
If no permissions are set for attribute groups, the permissions draw from the attributes themselves.
JavaScript errors detected
Please note, these errors can depend on your browser setup.
If this problem persists, please contact our support.
