Roles and permissions

LUY provides access control for defining and restricting permissions by using roles.

The assignments of roles to users are not managed in LUY. Roles need to be assigned to users via the used Authentication Methods

Key points of LUY and identity management

Role names in LUY must exactly match the role/group names in the identity management system, while respecting case sensitivity.
If a user is present in multiple groups and these groups are sent from the identity management system, they will be matched to roles in LUY and all the matching roles will be effective for that user. The resulting permissions are a combination from all applicable roles.
The only static and uneditable role is "luy_Supervisor". Users with this role assigned (either directly or by hierarchical role) have all privileges in LUY, independent of any other configuration.

The role “luy_Supervisor” must not be deleted.

Permissions summary

When selecting a certain role on the “roles and permissions” page, the effective permissions of this role are shown. Roles in the LUY permission system might hand their settings down to another role. These are called subordinate roles. The resulting access rights based on this hierarchical role structure are displayed as grey checkboxes.

Permissions to view and edit data

The permissions to read, create, update and delete (CRUD) building block types and business mappings can be set with the displayed checkboxes.

Read: Users with a role with this permission can view all information about building block types and business mappings. This permission is required to grant further permissions.
Update: Users with this permission are able to edit building block types and business mappings.
Create: Users with this permission are able to create building block types and business mappings.
The “copy” action is also protected by this permission.
Delete: Users with this permission are able to delete building block types and business mappings.

Permissions for relations

Permissions for the relations between building block types A and B, are derived from the building block type permissions as follows:

If a user has read permissions for A and B, then the user has the permission to view the relations between building blocks of those types.
If a user has update, create or delete permissions for either A or B, then the user has the permission to edit the relations between building blocks of those types, meaning updating, adding and removing relations is possible.

Functional permissions

Functional permissions control the visibility of certain tiles on the start screen, as well as the access to specific functions. For a detailed description, expand the following table:

List of functional permissions

Functional permission	Description Affected feature or area of user interface / menu entry / tab
Configure attribute and groups	Permission to create, edit or delete attributes in LUY Administration / Attribute groups
Configure LUY	Permission to edit the configuration of LUY Administration / System
Configure global filters	Permission to view and edit the content of global filters Reports / Global filters
Configure plugin API	Permission to create, edit, delete and run reactions with the plugin API Be aware that plugin scripts can access all data, independent of what user created the script or executes it. Administration / Plugin API
Share reports	Permission to edit, create and delete reports Also controls use of sharing dialogs and external sharing Reports / Reports
Edit customization	Permission to configure the customizing of LUY Administration / Customizing
Edit metamodel	Permission to customize the metamodel of LUY Administration / Metamodel
Edit roles and grant permissions	Permission to manage roles and permissions Administration / Roles and permissions
Execute bulk updates	Permission to execute bulk updates/mass updates via the “multi mode” Lists / Multi mode
Execute iteraQL power queries	Permission to use the query console to execute iteraQL power queries. Note that this permission does not control iteraQL queries via the REST API. Reports / Query Console
Export diagrams and lists	Permission to export diagrams and lists as jpg, pdf, csv, excel, etc.
Manage surveys	Permission to create/edit/delete surveys Administration / Surveys
Manage users	Permission to manage users Administration / Users
Run import and export	Permission to import and export data (Excel ex- and import) Reports / Export and Import
Share diagrams reports externally	Permission to share diagram reports externally (via sharing link) Be aware that this permission is also affected by “Share Reports” permission. Reports / Reports
Share building block type list reports externally	Permission to share building block type list reports externally (via sharing link) Be aware that this permission is also affected by “Share Reports” permission. Reports / Reports
Subscribe to building blocks and reports	Permission to subscribe to building blocks, reports and view your personal subscriptions Lists / Subscribers
Supervising data	Permission to delete all comments on building blocks Single element view / Comments
Use custom dashboard	Permission to use custom dashboards Reports / Custom Dashboard
Use nested cluster	Permission to access the “nested cluster” diagram Diagrams / Nested cluster
Use global search	Permission to the run global search on building blocks Start / Search input box
Use graphics reactor	Permission to access and use the “graphics reactor” Reports / Graphics reactor
Use navigator	Permission to access the navigator Diagrams / Navigator
Use global filters	Permission to use the “global filter” Complete application
Use diagrams	Permission to use all built-in diagrams Diagrams / <all diagram types>
View all subscribers of a building block	Permission to view subscribers of a building block Lists / Subscribers
View history	Permission to view building block type and element history Single element view / History tab
View roles and permissions	Permission to view roles and permissions Administration / Roles and permissions

Read and write access for attribute groups

In LUY, it is possible to restrict the read and write permissions for attributes by setting the permission for the whole attribute group. For each group and each role, the access can be set to read-only or read/write.