BellaDati distinguishes between two basic permission schemes:
- Assigning user roles
- Permissions assigned by sharing
BellaDati implements the following user roles:
- General BellaDati user - this role is assigned by default to all BellaDati users and cannot be changed. Such users have only very basic access to BellaDati functions: viewing reports and dashboards and editing their user profile.
This role is usually sufficient for report or dashboard consumers such as general managers or company management members.
He can't create his own reports, but other users (report editors) can share their reports with him, even with permission to edit them. For users who can only view a report, different control types can also be set. See the list of allowed operations for the selected control type.
- Report editor - a report editor is able to create, edit, comment on and share analytical reports. He can create reports only from his own or shared data sets. Therefore, users with the "report editor" role usually also have the "data manager" role.
- Data manager - a data manager takes care of parts of the data warehouse. His job is to prepare and import data into particular data sets, control and edit the source data, create alarms and join existing data sets. He is also able to prepare translations for particular indicators, attributes and members. He is the owner of the data sets he creates during imports. He can share data sets with other users (report editors) or use them directly if he also has the "report editor" role.
- Domain administrator - the domain administrator is a specific and important user role. He takes care of the users and user groups. He is able to create or import users, delete them, change their profile information and passwords, and assign user roles to particular users or whole user groups (he may assign the "domain administrator" role to other users as well). He is able to access all the statistics of his domain. He can even delete all the content of the domain (data sets, reports, dashboards) or forbid the publishing of domain content on the web. He is the only user who sees all the data sets in his domain. Therefore this user role should be assigned to only one competent user.
- User manager - takes care of the users and user groups. He is able to create or import users, delete them, and change their profile information and passwords. A user manager cannot assign user roles.
- IoT admin - an IoT admin can access and administer the IoT Management Console. This feature is available only if the IoT Management Console is enabled in the license, and the role can be assigned only by the domain administrator, not by a user manager. In order to enable an IoT admin user, the IoT console related data sets must be shared with him (he must be able to view these data sets):
- IoT Console - Audits
- IoT Console - Connection schedules
- IoT Console - Data captures
- IoT Console - Device metadata
- IoT Console - Device types
- IoT Console - Modules
- IoT Console - PLC Devices
It's possible to combine all user roles mentioned above. E.g. assigning both the data manager and report editor roles at the same time allows such a user to perform the whole process, from setting up a data source and modeling a data set to creating reports and sharing dashboards.
System administrator: There is also a System administrator role in BellaDati. This user role is not required for BellaDati Cloud usage. However, this role could be useful for BellaDati On-Premise or Unlimited Cloud tariffs, especially for large enterprise companies or international business groups that need to manage several separate domains (e.g. for their SBU). The System (Global) administrator can change the global settings, enable and disable features of each domain and access any content. This user cannot create his own content (data sets and reports).
User roles can be assigned to user groups as well. These roles are merged with the user's own roles, so a particular user holds both sets of roles together. Here is an example:
- the user has the report editor role
- the user is a member of a user group that has the data editor role
- as a result, the user has the report and data editor roles; the second one is inherited from the user group.
Only domain or system administrators can reassign user roles.
Permissions are granted to users while sharing data sets or reports. There are two levels of shared permissions:
- Read-only access
- Full access
Owner: Each data set, report or dashboard always has one assigned user who has full access and can also manage sharing. These users are called owners and are usually the creators of the data set, report or dashboard.
Permissions assigned by sharing particular data sets or reports have priority over standard user roles. This means a user with only the general user role assigned can have permission to edit a particular data set or report that has been shared with him at the full access level!
Permissions can be granted to a user or a user group. When there are multiple permissions simultaneously (one for a user and one for a user group to which the user belongs), edit rights or the lowest view access rights have priority. Edit rights always take precedence over view rights. Lower view rights always take precedence over higher view rights.
When the user has limited controls and the user group has all controls -> limited controls will be used.
When the user has all controls and the user group has limited controls -> again limited controls will be used.
When the user has edit rights and the user group has all controls -> edit rights will be used.
| User rights | Group 1 rights | Group 2 rights | Result |
|---|---|---|---|
| Viewer - Limited controls | Editor | - | Editor |
| Editor | Viewer - Limited controls | - | Editor |
| Viewer - Limited controls | Viewer - No controls | - | Viewer - No controls |
| Viewer - All controls | Viewer - No controls | - | Viewer - No controls |
| Viewer - No controls | Viewer - All controls | - | Viewer - No controls |
| - | Viewer - All controls | Viewer - No controls | Viewer - No controls |
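
The precedence rules and the table above can be checked mechanically, for instance when auditing what a user actually ends up with on a shared report or data set. This is an added example, not BellaDati code; the `Right` enum, its numeric ordering and both function names are assumptions made for illustration.

```python
from enum import IntEnum
from typing import Iterable, Optional


class Right(IntEnum):
    """Sharing rights as named in the table; the ordering is this sketch's assumption."""
    VIEW_NO_CONTROLS = 0
    VIEW_LIMITED_CONTROLS = 1
    VIEW_ALL_CONTROLS = 2
    EDITOR = 3


def effective_right(user: Optional[Right],
                    groups: Iterable[Optional[Right]] = ()) -> Optional[Right]:
    """Resolve one user's effective right on a shared object.

    None means "not shared at this level" (the "-" cells in the table).
    """
    grants = [g for g in (user, *groups) if g is not None]
    if not grants:
        return None              # nothing is shared with this user
    if Right.EDITOR in grants:
        return Right.EDITOR      # edit rights always win over view rights
    return min(grants)           # among view rights, the lowest one wins


def escalated_by_group(user: Optional[Right],
                       groups: Iterable[Optional[Right]]) -> bool:
    """True when group membership yields more than the user's direct grant."""
    result = effective_right(user, list(groups))
    return result is not None and (user is None or result > user)


def label(right: Optional[Right]) -> str:
    # Compare with None explicitly: VIEW_NO_CONTROLS has value 0 and is falsy.
    return "-" if right is None else right.name


if __name__ == "__main__":
    V0, V1, V2, ED = (Right.VIEW_NO_CONTROLS, Right.VIEW_LIMITED_CONTROLS,
                      Right.VIEW_ALL_CONTROLS, Right.EDITOR)
    # (user, group 1, group 2) rows copied from the table above
    rows = [(V1, ED, None), (ED, V1, None), (V1, V0, None),
            (V2, V0, None), (V0, V2, None), (None, V2, V0)]
    for user, g1, g2 in rows:
        flag = "  <- raised by group" if escalated_by_group(user, (g1, g2)) else ""
        print(f"{label(user)} | {label(g1)} | {label(g2)} => "
              f"{label(effective_right(user, (g1, g2)))}{flag}")
```

The first table row is the case worth reviewing in an access audit: a user deliberately restricted to limited controls still ends up as an editor through a group grant.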