Roles and permissions

LUY provides access control for defining and restricting permissions by using roles.

The assignment of roles to users is not managed in LUY. Roles need to be assigned to users via the configured Authentication Methods.

Key points of LUY and identity management

  • Role names in LUY must exactly match the role/group names in the identity management system, while respecting case sensitivity.

  • If a user is present in multiple groups and these groups are sent from the identity management system, they will be matched to roles in LUY and all the matching roles will be effective for that user. The resulting permissions are a combination from all applicable roles.

  • The only static and uneditable role is "luy_Supervisor". Users with this role assigned (either directly or by hierarchical role) have all privileges in LUY, independent of any other configuration.

The role “luy_Supervisor” must not be deleted.

Permissions summary

When selecting a certain role on the “roles and permissions” page, the effective permissions of this role are shown. Roles in the LUY permission system might hand their settings down to another role. These are called subordinate roles. The resulting access rights based on this hierarchical role structure are displayed as grey checkboxes. 

Permissions to view and edit data

The permissions to read, create, update and delete (CRUD) building block types and business mappings can be set with the displayed checkboxes.

  • Read: Users with a role with this permission can view all information about building block types and business mappings. This permission is required to grant further permissions.

  • Update: Users with this permission are able to edit building block types and business mappings.

  • Create: Users with this permission are able to create building block types and business mappings.
    The “copy” action is also protected by this permission.

  • Delete: Users with this permission are able to delete building block types and business mappings.

Permissions for relations

Permissions for the relations between building block types A and B are derived from the building block type permissions as follows:

  • If a user has read permissions for A and B, then the user has the permission to view the relations between building blocks of those types.

  • If a user has update, create or delete permissions for either A or B, then the user has the permission to edit the relations between building blocks of those types, meaning updating, adding and removing relations is possible.
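The role matching rules from the key points above and the relation rules in this section, modeled as an added example (not LUY code). The sample roles, the `inherits` field used to represent the role hierarchy, and all function names are constructed assumptions.

```python
# Simplified model of the rules on this page; an illustration, not LUY code.
SUPERVISOR = "luy_Supervisor"  # the only role name taken from the page
WRITE = {"update", "create", "delete"}

# Constructed sample roles. "inherits" (assumed representation of the role
# hierarchy) lists the roles whose settings are handed down to this role.
ROLES = {
    "Viewer": {"inherits": [], "types": {"Application": {"read"}, "Interface": {"read"}}},
    "Architect": {"inherits": ["Viewer"], "types": {"Application": {"update"}}},
    "Importer": {"inherits": [], "types": {"Interface": {"read", "create"}}},
    SUPERVISOR: {"inherits": [], "types": {}},
}

def expand(name, seen=None):
    """Return the role matching `name` exactly plus all roles it inherits from."""
    seen = set() if seen is None else seen
    if name in ROLES and name not in seen:  # dict lookup is case-sensitive
        seen.add(name)
        for parent in ROLES[name]["inherits"]:
            expand(parent, seen)
    return seen

def unmatched(idp_groups):
    """Groups sent by the identity provider that match no role (often a case typo)."""
    return sorted(g for g in idp_groups if g not in ROLES)

def effective(idp_groups):
    """Combine the permissions of every role matched by the user's groups."""
    roles = set()
    for group in idp_groups:
        roles |= expand(group)
    types = {}
    for role in roles:
        for bb_type, perms in ROLES[role]["types"].items():
            types.setdefault(bb_type, set()).update(perms)
    return {"roles": roles, "supervisor": SUPERVISOR in roles, "types": types}

def relation_access(eff, a, b):
    """Derive view/edit rights on relations between building block types a and b."""
    if eff["supervisor"]:  # all privileges, independent of other configuration
        return {"view": True, "edit": True}
    pa, pb = eff["types"].get(a, set()), eff["types"].get(b, set())
    return {"view": "read" in pa and "read" in pb, "edit": bool((pa | pb) & WRITE)}

if __name__ == "__main__":
    for groups in (["architect"], ["Architect"], ["Viewer", "Importer"], [SUPERVISOR]):
        eff = effective(groups)
        print(groups, unmatched(groups), relation_access(eff, "Application", "Interface"))
```

Running `unmatched` over the group names the identity management system actually sends is a quick check for case mismatches, which in this model simply yield no role. Applied literally, the second relation rule grants edit rights when only one of the two types is writable, so roles with write access to a single type deserve a review.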

Functional permissions

Functional permissions control the visibility of certain tiles on the start screen, as well as the access to specific functions. For a detailed description, see the following table:

List of functional permissions

| Functional permission | Description | Affected feature or area of user interface / menu entry / tab |
| --- | --- | --- |
| Configure attribute and groups | Permission to create, edit or delete attributes in LUY | Administration / Attribute groups |
| Configure LUY | Permission to edit the configuration of LUY | Administration / System |
| Configure global filters | Permission to view and edit the content of global filters | Reports / Global filters |
| Configure plugin API | Permission to create, edit, delete and run reactions with the plugin API. Be aware that plugin scripts can access all data, independent of what user created the script or executes it. | Administration / Plugin API |
| Share reports | Permission to edit, create and delete reports. Also controls use of sharing dialogs and external sharing. | Reports / Reports |
| Edit customization | Permission to configure the customizing of LUY | Administration / Customizing |
| Edit metamodel | Permission to customize the metamodel of LUY | Administration / Metamodel |
| Edit roles and grant permissions | Permission to manage roles and permissions | Administration / Roles and permissions |
| Execute bulk updates | Permission to execute bulk updates/mass updates via the “multi mode” | Lists / Multi mode |
| Execute iteraQL power queries | Permission to use the query console to execute iteraQL power queries. Note that this permission does not control iteraQL queries via the REST API. | Reports / Query Console |
| Export diagrams and lists | Permission to export diagrams and lists as jpg, pdf, csv, excel, etc. | |
| Manage surveys | Permission to create/edit/delete surveys | Administration / Surveys |
| Manage users | Permission to manage users | Administration / Users |
| Run import and export | Permission to import and export data (Excel ex- and import) | Reports / Export and Import |
| Share diagrams reports externally | Permission to share diagram reports externally (via sharing link). Be aware that this permission is also affected by “Share Reports” permission. | Reports / Reports |
| Share building block type list reports externally | Permission to share building block type list reports externally (via sharing link). Be aware that this permission is also affected by “Share Reports” permission. | Reports / Reports |
| Subscribe to building blocks and reports | Permission to subscribe to building blocks, reports and view your personal subscriptions | Lists / Subscribers |
| Supervising data | Permission to delete all comments on building blocks | Single element view / Comments |
| Use custom dashboard | Permission to use custom dashboards | Reports / Custom Dashboard |
| Use nested cluster | Permission to access the “nested cluster” diagram | Diagrams / Nested cluster |
| Use global search | Permission to run the global search on building blocks | Start / Search input box |
| Use graphics reactor | Permission to access and use the “graphics reactor” | Reports / Graphics reactor |
| Use navigator | Permission to access the navigator | Diagrams / Navigator |
| Use global filters | Permission to use the “global filter” | Complete application |
| Use diagrams | Permission to use all built-in diagrams | Diagrams / <all diagram types> |
| View all subscribers of a building block | Permission to view subscribers of a building block | Lists / Subscribers |
| View history | Permission to view building block type and element history | Single element view / History tab |
| View roles and permissions | Permission to view roles and permissions | Administration / Roles and permissions |

Read and write access for attribute groups

In LUY, it is possible to restrict the read and write permissions for attributes by setting the permission for the whole attribute group. For each group and each role, the access can be set to read-only or read/write.

