Types of Access Controls

explicit controls
A user has an explicit control on an object if the user is directly and individually granted or denied a permission on the object. Explicit settings have the highest precedence. However, managing a large number of explicit controls for individual users can be cumbersome. For greater efficiency, we recommend that you set explicit controls for groups, use access control templates (ACTs), and rely on inheritance.
ACT settings
A user has an ACT setting on an object if an ACT that is applied to the object has a permission pattern that explicitly grants or denies the relevant permission to the user. Each ACT adds its pattern of grants and denials to the settings for each object to which the ACT is applied.
indirect settings
One way that a user can have an indirect setting on an object is if the user belongs to a group that has an explicit or ACT setting on the object. Another way that a user can have an indirect setting on an object is through access control inheritance. Inherited settings come from a parent object (such as a folder). Inherited settings matter only if there are no relevant direct controls on the target object. The term “indirect settings” is also used to refer to a WriteMemberMetadata setting that mirrors the WriteMetadata setting, and to grants that come from a user being unrestricted.
permission conditions
Permission conditions constrain explicit grants of the Read permission on OLAP dimensions (limiting access to members) or information maps (limiting access to rows).
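
The following added example (not code from the product or its documentation) models how the setting types defined above combine into one effective decision: explicit controls outrank ACT settings, and inherited settings apply only when the target object has no relevant direct control. The `Obj` class, the identities, and the sample objects are constructed for illustration. Checking the user before groups, letting a denial win a same-kind conflict, and denying when no setting exists are assumptions of this simplified model.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    """A metadata object; sample model constructed for this example."""
    name: str
    parent: "Obj | None" = None
    explicit: dict = field(default_factory=dict)  # {(identity, permission): "grant" | "deny"}
    acts: list = field(default_factory=list)      # applied ACTs, each a pattern dict of the same shape

def _direct(node, identities, perm):
    """Settings placed directly on node: explicit controls outrank ACT settings."""
    for kind, patterns in (("explicit", [node.explicit]), ("ACT", node.acts)):
        found = {p[(i, perm)] for p in patterns for i in identities if (i, perm) in p}
        if found:
            # Assumption: a denial wins when settings of the same kind conflict.
            return ("deny" if "deny" in found else "grant"), kind
    return None

def effective(user, groups, obj, perm, unrestricted=frozenset()):
    """Return (decision, source) for one user, object and permission."""
    if user in unrestricted:
        return "grant", "indirect (unrestricted)"
    node = obj
    while node is not None:
        # Assumption: the user's own settings are checked before group settings.
        for ids, who in (([user], "user"), (groups, "group")):
            hit = _direct(node, ids, perm)
            if hit:
                decision, kind = hit
                if node is not obj:
                    return decision, f"indirect (inherited from {node.name})"
                return decision, kind if who == "user" else f"indirect (group {kind})"
        node = node.parent  # inheritance matters only when nothing direct was found
    return "deny", "no setting"  # assumption: no setting anywhere means no access

# Constructed sample data.
finance = Obj("Finance", acts=[{("Analysts", "ReadMetadata"): "grant"}])
report = Obj("Q3 Report", parent=finance,
             explicit={("alice", "WriteMetadata"): "grant"},
             acts=[{("Contractors", "ReadMetadata"): "deny"}])

if __name__ == "__main__":
    for user, groups, perm in [("alice", ["Analysts"], "WriteMetadata"),
                               ("alice", ["Analysts"], "ReadMetadata"),
                               ("bob", ["Analysts", "Contractors"], "ReadMetadata")]:
        print(user, perm, effective(user, groups, report, perm))
```

The third case is the one to check during an access review: the ACT denial applied directly to the report decides the outcome for bob, so the grant his other group would inherit from the folder is never consulted.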