Simple and granular access permissions

Access permissions determine a user's ability to perform a specific action, or access a feature or object.

Permissions for a specific user are a combination of permissions for that user and permissions for the groups and roles where the user is a member. When a user is a member of more than one group or role, deny permissions for one group or role take precedence over granular permissions for a different group or role.

Users have Read, Run, Write, and Full permissions for items. These simple permissions represent combinations of more granular permissions that administrators use to control access.

Simple permissions mapped to granular permissions

The following simple permissions include combinations of granular permissions:

Read

Includes the read and traverse granular permissions.

Run

Includes the read, execute, and traverse granular permissions.

Write

Includes the read, write, execute, and traverse granular permissions.

Full

Includes the read, write, execute, traverse, and set policy granular permissions.
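The mapping above, combined with the deny-precedence rule from the introduction, as an added example (not IBM Cognos code and not a Cognos SDK API). The policy structure, the principal names, and the choice to evaluate deny per granular permission are assumptions made for illustration; the sample policy is constructed.

```python
# Added illustration: audit a user's effective permissions on one entry.
# Simple-to-granular mapping exactly as listed on this page.
SIMPLE = {
    "Read":  {"read", "traverse"},
    "Run":   {"read", "execute", "traverse"},
    "Write": {"read", "write", "execute", "traverse"},
    "Full":  {"read", "write", "execute", "traverse", "set policy"},
}

def effective(policy, principals):
    """Return the granular permissions a user holds on one entry.

    policy:     {principal: {"grant": set, "deny": set}} (hypothetical model)
    principals: the user's account plus every group and role they belong to
    Assumption: deny is evaluated per granular permission.
    """
    granted, denied = set(), set()
    for name in principals:
        ace = policy.get(name, {})
        granted |= ace.get("grant", set())
        denied |= ace.get("deny", set())
    # A deny from any one membership overrides a grant from another.
    return granted - denied

def simple_levels(granular):
    """Simple permissions whose complete granular set is covered."""
    return [name for name, need in SIMPLE.items() if need <= granular]

# Constructed sample policy for a single folder entry.
POLICY = {
    "role:Authors":      {"grant": SIMPLE["Write"]},
    "group:Contractors": {"deny": {"write"}},
    "user:alice":        {"grant": {"set policy"}},
}

def audit(principals, policy=POLICY):
    perms = effective(policy, principals)
    return sorted(perms), simple_levels(perms)

if __name__ == "__main__":
    # alice is an Author and a Contractor: the deny on write removes the
    # Write and Full levels even though she was granted set policy directly.
    print(audit(["user:alice", "role:Authors", "group:Contractors"]))
    print(audit(["user:alice", "role:Authors"]))
```

The first call shows why an audit should resolve granular permissions before reporting a simple level: a single deny inherited through one group removes both Write and Full, while the directly granted set policy permission remains in effect.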

Granular permissions and permitted actions

The underlying, granular permissions are described in the following list:

Read

View all the properties of an entry, including the report specification and report output.

Note: To run a report with full interactivity, a user must have read permissions on the package or data model that is referenced in the report. For more information about the actions you can do in a report that runs with full interactivity, see Limited and fully interactive reports.

Create a shortcut to an entry.

Write

Modify properties of an entry.

Delete an entry.

Create entries in a container, such as a package or a folder.

Modify the report specification for reports created in Reporting and Query Studio.

Create new outputs for a report.

Execute

Process an entry.

For entries such as reports, agents, and metrics, the user can run the entry.

For data sources, connections, and signons, the entries can be used to retrieve data from a data provider. The user cannot read the database information directly. The report server can access the database information on behalf of the user to process a request. IBM® Cognos® software verifies whether users have execute permissions for an entry before they can use the entry.

For credentials, users can permit someone else to use their credentials. To use the "run as the owner" report option, a user must have execute permissions for the account.

Set policy

Read and modify the security settings for an entry.

Traverse

View the contents of a container entry, such as a package or a folder, and view general properties of the container itself without full access to the content.