Privileges Tabs

Both the Functional Privileges tab and the Object Association Privileges tab are divided into two grids. One grid is for privilege classes and the second is for privileges that are included in the selected privilege class.

If Allow All Functional and Object Association Privileges (for the (Default) ACD) or Allow All Object Association Privileges for this Role is selected, the role is granted all privileges in all privilege classes. To grant or deny selected privileges to a role, you must clear this option.

Assigning Privileges

By selecting Allow All or Deny All for a privilege class, you select corresponding check boxes for the associated privileges.

For example, you can allow accounts in a role to secure action requests by selecting Allow All for the Associate Action Editors Privilege Class on the Object Association Privileges tab. Accounts in the role can then secure an action request with an ACL that uses the ACD.

Note: You can define Functional Privileges from the (Default) ACD only.

Privilege Classes Grid

Use the Privilege Classes grid to display associated privileges in the Privileges grid. You can also use the Privilege Classes grid to allow or deny all privileges in either a single class or all classes.

To select a row in the Privilege Classes grid, click a row indicator cell or either an Allow All or Deny All cell. The grid arrow indicates the class of privileges displayed.

You can also allow or deny all privileges in all privilege classes. Use Allow All and Deny All for the Privilege Classes grid or select corresponding commands from the shortcut menu. To remove all selections in the Privilege Classes grid, click or select Clear All.

Privileges Grid

Use the Privileges grid to allow or deny privileges within a privilege class. You can allow or deny a privilege by selecting the corresponding Allow or Deny check box. If both the Allow and Deny check boxes are cleared, the role is denied the privilege.

You can also allow or deny all privileges in the class. Use Allow All and Deny All for the Privileges grid or select corresponding commands from the shortcut menu. To remove all selections in the Privileges grid, click Clear All.

Users in Multiple Roles

When a user is a member of more than one role, certain rules apply to avoid security conflicts.

  • If a privilege is denied for a role, then the privilege is unavailable to all members of the role. This includes the members associated with another role in which the privilege is allowed.
  • If neither the Allow nor Deny check box in a Privilege tab is selected, the privilege is denied. However, members of the role may be allowed the privilege if they are members of another role that is allowed the privilege.
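
The two rules above, worked through as an added Python example (not part of the product or its documentation). The role names are hypothetical, the privilege labels are class and privilege names from this page, and the Allow All options are not modeled:

```python
from enum import Enum

class Setting(Enum):
    ALLOW = "allow"
    DENY = "deny"
    UNSET = "unset"  # both check boxes cleared

def resolve(privilege, member_roles):
    """Effective result of one privilege for a user in several roles.

    member_roles maps role name -> {privilege: Setting}; a missing
    privilege is treated as UNSET. Returns (granted, reason).
    """
    states = {r: p.get(privilege, Setting.UNSET) for r, p in member_roles.items()}
    denies = sorted(r for r, s in states.items() if s is Setting.DENY)
    allows = sorted(r for r, s in states.items() if s is Setting.ALLOW)
    if denies:  # a Deny in any role wins over an Allow elsewhere
        return False, "denied by " + ", ".join(denies)
    if allows:  # cleared boxes in one role do not block an Allow in another
        return True, "allowed by " + ", ".join(allows)
    return False, "not allowed by any role"

def overridden_allows(member_roles):
    """Privileges where a Deny in one role cancels an Allow in another."""
    privileges = {p for grants in member_roles.values() for p in grants}
    conflicts = []
    for priv in sorted(privileges):
        states = [g.get(priv, Setting.UNSET) for g in member_roles.values()]
        if Setting.ALLOW in states and Setting.DENY in states:
            conflicts.append(priv)
    return conflicts

# Constructed sample: the roles one user belongs to (hypothetical names).
ROLES = {
    "Archivers": {
        "Invoke Action Editors / Archive Request": Setting.ALLOW,
        "File Maintenance / File Deletion": Setting.ALLOW,
    },
    "Contractors": {
        "File Maintenance / File Deletion": Setting.DENY,
        # Archive Request is left cleared (UNSET) in this role
    },
}

if __name__ == "__main__":
    for priv in sorted({p for g in ROLES.values() for p in g}):
        print(priv, "->", resolve(priv, ROLES))
    print("Allows cancelled by a Deny:", overridden_allows(ROLES))
```

Running `overridden_allows` over each user's combined roles before a change goes live shows which Allow settings will have no effect for that user.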

Functional Privileges Tab

Use the Functional Privileges tab on the Role Specifications dialog to assign Functional Privileges to roles in the (Default) ACD.

You can allow or deny access to Functional Privileges for any role in the (Default) Access Control Domain. Configure Functional Security with the Functional Privileges tab on the Role Specifications dialog. For more information see Assigning Privileges.

When a role is denied a Functional Privilege, any functions associated with the privilege are unavailable to the user and group accounts in the role. For example, if the privilege to invoke the Access Definition Editor, from the Invoke Definition Editors privilege class, is denied to a role, the Access Definition option in the Definitions menu on the main window is unavailable to users in that role. The Edit Access Definition button and menu option are also unavailable from any request editor (for example, the Extract Request Editor).

The (Default) ACD governs Functional Privileges. Subordinate ACDs can determine Object Association Privileges only.

Important: Before Functional Security is first enabled, the Security Administrator must define Functional Privileges for all users. If Functional Privileges are not defined before Functional Security is enabled, users will be unable to access any functions in Optim™.

Role Specifications dialog - Functional Privileges tab

The following Functional Privileges, by privilege class, are available.

Create New Actions
Create New Actions privileges are required to create or make copies of action requests (for example, an Archive Request). The New command and the ability to save a copy of a request in a respective request editor will be unavailable to roles that are denied a privilege.

(Local) privileges refer to requests that are created from another object editor. For example, if a role is denied the Insert Request (Local) privilege, the role is unable to create a local Insert Request from the Restore Request Editor.

This class includes the following privileges:
  • Archive Request
  • Compare Request
  • Convert Request
  • Convert Request (Local)
  • Delete Request
  • Extract Request
  • Insert Request
  • Insert Request (Local)
  • Load Request
  • Load Request (Local)
  • Report Request
  • Report Request (Local)
  • Restore Request
  • Table Editor
Create New Definitions
Create New Definitions privileges are required to create or make copies of definitions (for example, an Access Definition). The New command and the ability to save a copy of a definition in a respective definition editor is unavailable to roles that are denied a privilege.

(Local) privileges refer to definitions that are created from another object editor. For example, if a role is denied the Access Definition (Local) privilege, the role is unable to create a local Access Definition from the Extract Request Editor.

This class includes the following privileges:
  • Access Definition
  • Access Definition (Local)
  • Column Map
  • Column Map (Local)
  • Column Map Proc(edure)
  • Column Map Proc (Local)
  • Optim Primary Key
  • Optim Relationship
  • Table Map
  • Table Map (Local)
Create Security Definitions
Create Security Definitions privileges are required to create or make copies of security definitions (for example, an Access Control Domain). The New command and ability to save a copy of a security definition in a respective security definition editor is unavailable to roles that are denied a privilege.
This class includes the following privileges:
  • Access Control Domain
  • File Access Definition
Create Utility Definitions
Create Utility Definitions privileges are required to create or make copies of utility definitions (for example, a Storage Profile). The New command and the ability to save a copy of a utility definition in a respective utility editor is unavailable to roles that are denied a privilege.
This class includes the following privileges:
  • Calendar
  • Archive File Collection
  • Currency
  • Storage Profile
Editor Options
Editor Options privileges are required to create database objects (for example, create tables, drop tables, or modify SQL statements).

This class includes the following privileges:

Create Indexes During Primary Key Index Analysis
Create Indexes During Primary Key Index Analysis privilege is required to create new indexes from the Primary Key Index Analysis dialog.
Create Indexes During Relationship Index Analysis
Create Indexes During Relationship Index Analysis privilege is required to create new indexes from the Relationship Index Analysis dialog.
Create Tables During Create
Create Tables During Create privilege is required to create new tables during the Create Process.
Drop Tables During Create
Drop Tables During Create privilege is required to drop tables during the Create Process.
Modify SQL During Create
Modify SQL During Create privilege is required to modify SQL statements during the Create Process.
Modify SQL During Primary Key Index Analysis
Modify SQL During Primary Key Index Analysis privilege is required to modify SQL statements when creating indexes from the Primary Key Index Analysis dialog.
Modify SQL During Relationship Index Analysis
Modify SQL During Relationship Index Analysis privilege is required to modify SQL statements when creating indexes from the Relationship Index Analysis dialog.
File Maintenance
File Maintenance privileges are required to delete or rename files and directories.

This class includes the following privileges:

File Deletion
Delete a file or directory.
File Renaming
Rename a file or directory.
Invoke Action Editors
Invoke Action Editors privileges are required to create, edit, or run an action request (for example, Insert Request). The respective Action menu item is unavailable to roles that are denied a privilege.
This class includes the following privileges:
  • Archive Request
  • Compare Request
  • Convert Request
  • Delete Request
  • Extract Request
  • Insert Request
  • Load Request
  • Report Request
  • Restore Request
  • Table Editor
Invoke Command Line Actions
Invoke Command Line Actions (PR0CMND) privileges are required to execute a utility from the command line.

This class includes the following privileges:

Archive Directory Maintenance
Invoke Archive Directory Maintenance privilege is required to register or unregister Archive Files or update Archive File entries from the command line (that is, use /ARCMAINT).
Browse
Invoke Browse privilege is required to browse Archive Files, Compare Files, Extract Files, and Control Files from the command line (that is, use /X).
Import
Invoke Import privilege is required to import Optim objects from the command line (that is, use /IMPORT).
Migrate/FMF/Archive Hold/Archive Expire/Archive Split
Invoke Migrate/FMF (File Maintenance Facility) privilege is required to use the Archive File Migration process (that is, use /MIGRATE). This privilege also includes File Maintenance processes: Remove Rows, Validate, Compress, Hold, Expire, and Split (that is, use /FMF).
Restart/Retry
Invoke Restart/Retry privilege is required to restart or retry processes from the command line (that is, use /RESTARTRETRY).
Run
Invoke Run privilege is required to run processes from the command line (that is, use /R).
Table Editor
Invoke Table Editor privilege is required to edit tables from the command line (that is, use /E).
Invoke Configuration Actions
Invoke Configuration Actions privileges are required to perform tasks within the Configuration program (for example, Create/Update DB Alias). The respective Tasks menu item is unavailable to roles that are denied a privilege.
This class includes the following privileges:
  • Apply Maintenance for DB Alias
  • Create/Update DB Alias
  • Drop Optim Directory/DB Alias
  • Update DBMS Version for DB Alias
Invoke Definition Editors
Invoke Definition Editor privileges are required to create or edit an Optim object (for example, an Access Definition). The respective Definitions menu item is unavailable to roles that are denied a privilege.
This class includes the following privileges:
  • Access Definition
  • Column Map
  • Column Map Proc(edure)
  • DB Alias
  • Point and Shoot
  • Primary Key
  • Relationship
  • Table Map
Invoke Options
Invoke Options privileges are required to edit Product Options or use dialogs for securing Optim functions, objects, and Archive Files. The respective Options menu item is unavailable to roles that are denied a privilege.
This class includes the following privileges:
  • Access Control Domain
  • Export Security Definitions
  • File Access Definition
  • Import Security Definitions
  • Product Options
Invoke Utilities
Invoke Utilities privileges are required to open the utilities dialogs. The respective Utilities menu item is unavailable to roles that are denied a privilege.

This class includes the following privileges:

Archive Directory Maintenance
Invoke Archive Directory Maintenance privilege is required for roles that maintain Archive Files or the Archive Directory.
Archive Index Maintenance
Invoke Archive Index Maintenance privilege is required for roles that maintain Archive Indexes.
Browse
Invoke Browse privilege is required for roles that browse Archive, Compare, Extract, or Control Files.
Calendar
Invoke Calendar privilege is required for roles that create or edit Calendars.
Create
Invoke Create privilege is required for roles that create database objects, either online or from the command line.
Currency
Invoke Currency privilege is required for roles that create or edit Currency Definitions.
Export
Invoke Export privilege is required for roles that export Optim objects.
Import
Invoke Import privilege is required for roles that import Optim objects.
Register Archive File
Invoke Register Archive File privilege is required for roles that register Archive Files, whether online or from the command line.
Restart/Retry
Invoke Restart/Retry privilege is required to restart or retry a process.
Scheduling Editor
Invoke Scheduling Editor privilege is required to schedule process requests.
Storage Profile
Invoke Storage Profile privilege is required to manage archive media.
Archive File Collection
Invoke Archive File Collection privilege is required for roles that create or edit Archive File Collections, used with Open Data Manager.
Suspend/Resume Automatic Delete of Archive Files
Invoke Suspend/Resume Automatic Delete of Archive Files privilege is required for roles to either suspend or resume selecting Archive Files scheduled for deletion.
Run Untitled Actions
Run Untitled Actions privileges are required to process new action requests not saved before processing (that is, requests for which Untitled is displayed in the dialog heading). The Run command in a respective action editor is unavailable to roles that are denied a privilege.
This class includes the following privileges:
  • Archive Request
  • Compare Request
  • Convert Request
  • Delete Request
  • Extract Request
  • Insert Request
  • Load Request
  • Report Request
  • Restore Request
Security Tasks
Security Tasks privileges are required to export or import secured Archive Files, modify a FAD, or run a Security Report.

This class includes the following privileges:

Export Secured Archive File
Export a secured Archive File.
Import Secured Archive File
Import a secured Archive File.
Modify File Security with Migrate
Use the Archive File Migration Process to change a FAD.
Report Security Privileges
Run a Security Report.

Object Association Privileges Tab

Use the Object Association Privileges tab to indicate the types of object for which the role has Object Association Privileges. Object Association Privileges allow the role to use roles defined in the ACD as the basis for an ACL that protects objects of the indicated type.

Role Specifications dialog - Object Association Privileges tab

For more information about working with privileges and privilege classes see Assigning Privileges.

Associate Action Editors
Associate Action Editors privileges are required to associate the ACD with an ACL that secures an Action request. An Action request is created in an editor selected from the Actions menu (for example, an Archive File Request).
This class includes the following privileges:
  • Archive Request
  • Compare Request
  • Convert Request
  • Delete Request
  • Extract Request
  • Insert Request
  • Load Request
  • Report Request
  • Restore Request
  • Table Editor
Associate Definition Editors
Associate Definition Editors privileges are required to associate the ACD with an ACL that secures a Definition. A Definition is created in an editor selected from the Definitions menu (for example, an Access Definition Request).
This class includes the following privileges:
  • Access Definition
  • Column Map
  • Column Map Proc(edure)
  • DB Alias
  • Point and Shoot
  • Primary Key
  • Relationship
  • Table Map
Associate Utilities
Associate Utilities privileges are required to associate the ACD with an ACL that secures a Utilities object. A Utilities object is created in an editor selected from the Utilities menu (for example, a Currency Definition Request).
This class includes the following privileges:
  • Calendar
  • Archive File Collection
  • Currency
  • Storage Profile

