Generic Permissions
Generic permissions are managed on a table-by-table basis, rather than on a screen-by-screen basis. For example, if you want a user to be able to add or delete assets, you should edit the user or the user’s group and give them Read / Write permission on the system table ‘Asset’. If you want to enable this user or group only to view assets but not to add or delete them, give the user or group Read permission.
You can set up permissions on business objects, which can be either dynamic tables (tables defined by client or expert system) or core system tables.
In addition to setting up permissions on specific tables, you can set up Special Permissions. For more information, see Special Permissions.
You set up all these permissions on the Permissions tab of the Edit Personnel dialog (see Set Up Permissions for User/User Group).
Inheritance of Permissions
Each user has their own permissions, plus they inherit the permissions of any user group they are a member of. If a user has their own permissions, these override the permissions they inherit from any user group.
When multiple permission levels apply, they are prioritised as follows:
Priority | Permission Level |
---|---|
1 | User-specific permission |
2 | Permissions inherited from user group |
Determining Permissions
To figure out the permission for an item, NEXUS proceeds as follows:
It retrieves the permissions specific for the user for the relevant business object (dynamic or system table).
If no user-specific permissions have been set up, it checks the same permissions of all groups the user is a member of. If the user is a member of several groups with different permission settings, it determines the permission based on the permission types (see below).
If there are no resultant permissions set, then NEXUS checks if there is a Special Permission that can be applied. For example, if an Asset Information form has no explicit permissions (because it is set to Inherited), then NEXUS will use the Asset Information special permission.
Permission Types
The following types of permissions can be applied:
Permission Type | Description |
---|---|
Read/Write | Allows a user to both view and modify the contents of a table or item. This permission is additive and overwrites Read and Inherited. |
Read | Allows a user to view the contents of a table or item but not make any changes. This permission is additive and overwrites Inherited. |
Inherited | It means that no specific permissions have been applied for this security item, for this user or user group. In case of a user, permissions will be inherited from the user group as described above. In case of a user group, Inherited means that no permissions are set up, that is, the permission will be Deny All. |
Deny | Denies Write permissions. This permission is subtractive and overwrites Read/Write and Inherited. |
Deny All | Denies Read/Write permissions. This permission is subtractive and overwrites all other permission types. |
For example, if a user is a member of several user groups, and their permission in one user group is Read, in the other it’s Read/Write, then Read/Write will apply. If, however, the permission is Deny All in any of the user groups, Deny All will apply.
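The resolution order from Determining Permissions, combined with the overwrite rules in the table above, can be modelled as follows. This is an added example, not NEXUS code: the function names and sample groups are hypothetical, and it assumes that Deny ranks above Read and that a special permission is resolved with the same user-then-group rules as a table.

```python
from enum import IntEnum

class Perm(IntEnum):
    # Ordered so that a higher value overwrites a lower one when group
    # settings are combined. Deny ranking above Read is an assumption; the
    # page only states that Deny overwrites Read/Write and Inherited.
    INHERITED = 0
    READ = 1
    READ_WRITE = 2
    DENY = 3
    DENY_ALL = 4

def lookup(user, groups, item):
    """User-specific setting first; otherwise combine the groups' settings."""
    own = user.get(item, Perm.INHERITED)
    if own is not Perm.INHERITED:
        return own
    return max((g.get(item, Perm.INHERITED) for g in groups),
               default=Perm.INHERITED)

def effective(user, groups, item, special=None):
    """Resolve item, fall back to its special permission, then to Deny All."""
    result = lookup(user, groups, item)
    if result is Perm.INHERITED and special is not None:
        # Assumption: the special permission is resolved with the same
        # user-then-group rules as a table permission.
        result = lookup(user, groups, special)
    return Perm.DENY_ALL if result is Perm.INHERITED else result

# Constructed sample data. Group names and the 'Pipeline AIG' table are
# hypothetical; 'Asset' and 'Asset Information' are named on the page.
inspectors = {"Asset": Perm.READ, "Asset Information": Perm.READ}
engineers = {"Asset": Perm.READ_WRITE}
contractors = {"Asset": Perm.DENY_ALL}
no_own = {}                      # user with nothing set: everything Inherited
own_read = {"Asset": Perm.READ}  # user with a user-specific setting

if __name__ == "__main__":
    cases = [
        (no_own, [inspectors, engineers], "Asset", None),
        (no_own, [inspectors, engineers, contractors], "Asset", None),
        (own_read, [engineers, contractors], "Asset", None),
        (no_own, [inspectors], "Pipeline AIG", "Asset Information"),
        (no_own, [engineers], "Pipeline AIG", "Asset Information"),
    ]
    for user, groups, item, special in cases:
        print(item, "->", effective(user, groups, item, special).name)
```

The third case is the one to check when auditing: because user-specific permissions override group permissions, a Deny All set on a group does not bind a member who has their own setting for the same item.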
Caution
To log in to the database, a NEXUS login must have Read permissions (as a minimum) to the Personnel table, so ensure that
is set to Read for all users. Setting Deny All on the Special Permission Security will disable the
main menu item, regardless of what permissions have been set on the security permissions tables.
Special Permissions
Special permissions can be used when there is no relevant business object (dynamic or system table) to which permissions can be applied, or when you want to apply permissions to specific types of system tables in general where no permission is set up for specific tables. See below for more information about each special permission:
Special Permission | Description |
---|---|
Asset Information | Applies as the default permission for any AIG or Sub AIG business objects where the AIG or Sub AIG table permission itself is set to Inherited. |
Database Backup | Permission for creating database backups. There’s no relevant system table business object. |
Database Overwrite | Permission for overwriting the database. There’s no relevant system table business object. |
Events | Applies as the default permission for any Event, Sub Event, Continuous Event and Survey Data dynamic table business objects where the permission is set to Inherited. This special permission does not include the core Event system tables (such as Event, Bookmark, Multimedia). These are covered under the Event node of the System Table business objects only. |
Global Tables | Applies as the default permission for any Global Table business objects where the permission is set to Inherited. This pertains only to the data within the Global Tables. Security permissions for the configuration of Global Tables are managed in the Table Definition node of the System Table business object. |
Jobs Management | Permission for using the Job Management Console. There’s no relevant system table business object. |
Licensing | Permission for managing licences. There’s no relevant system table business object. |
Manage Settings | Permission for configuring the NEXUS database. There’s no relevant system table business object. |
Risk Models | Applies as the default permission for any Risk Model business objects where the permission is set to Inherited. This does not include the Risk Assessment system table. |
Security | Applies as the default permission if the permission of the Security Permissions system business object is set to Inherited. |
Sensors | Applies as the default permission for any Sensor business objects where the permission is set to Inherited. This pertains only to the data within the Sensor Tables. Security permissions for the configuration of Sensors are managed in the Table Definition node of the System Table business object. |
Upgrade Schema | Permission for performing schema update. There’s no relevant system table business object. |
Set Up Permissions for User/User Group
Once you have a user or user group created in your database, you can assign permissions to them as described below. By default, most permissions are inherited based on the permission management rules described above.
In the menu, navigate to .
On the Users or Groups tab, select the relevant user or user group and click Edit in the toolbar, or just double-click the item to open the dialog for editing.
In the dialog that appears, go to the Permissions tab.
Select either a business object or a special permission for which you want to make permission settings.
Right-click the selected item and in the drop-down menu, select the required permission under Permission.
For example, if you want to change the Security permissions for a user group from Deny All to Read / Write, proceed as follows:
Click OK.