BI platform function permissions are mainly based on the permissions of the current viewer to control what BI-related menu entries the current viewer has, including:
| Menu | When will this entry be visible |
|---|---|
| Reports | At least one chart is visible (Subject Domain Level View Privilege + Chart Level View Overlay Control) |
| Data Cockpit | All staff can see this menu |
| Subscription Management | At least one subject domain "Subscription" permission |
| Report Permission Management | At least one subject field "New" permission |
| Report Log | Only report administrator CRM administrator can see this menu |
| Statistical Index Management | Only report administrators CRM administrators can see this menu |
| Target | Has the "View List" permission for the "Target Value" object |
| Goal Completion | Visible Goals menu, you can see this menu |
1. Chart operation authority
**What can I do with the graph? **
- What charts can I create?
- What charts can I view?
- What charts can I edit/delete?
- What charts can I subscribe/export/repost/share?
1.1 Subject Domain Authority
The operation authority control logic of the BI chart is consistent with the business object, which is controlled by the "role" to which the employee belongs. The operation authority of the BI chart is controlled by the functional authority of the "subject domain" owned by the "role".
The subject domain is the object that is analyzed around a core object introduced in the previous report and statistical chart. When you create a new report and statistical chart, the entry of each "xx analysis" you see is the subject domain. Therefore, each diagram belongs to a specific subject domain.
You can perform any operation with whatever operation authority you have on which subject domain.
1.2 Chart-level permissions
**The granularity of functional permission control at the subject domain level is relatively coarse, how to control permissions at a finer granularity? **
Scenario example:
Amy is the boss's assistant and provides data insight services for the boss. She has the role of report administrator (with the operation authority of all subject fields).
Scott is a salesperson. He needs to understand customer sales and follow-up through data analysis, and has the view, edit, and delete permissions of the "Customer Analysis" subject field.
Amy created a new statistical chart "Sales of Customers in Each Region" through the theme of "Customer Analysis".
Scott "View" sees the diagram, and further "Edit" changes are saved.
Problem: Amy wants the diagrams she creates to be visible only to some people and not editable or deleted by others. In order to solve this problem, we provide: finer-grained permission control at chart level, which can further control permissions on a specific chart.
- View permission:
- Public: visible to all;
- Private: only the selected personnel, departments, user groups or roles are visible.
- Operation authority:
- Edit: permission to edit the chart;
- Delete: permission to delete the chart;
- Export: permission to export the chart;
- Subscription: the permission to subscribe to the chart;
- Share: permission to share the chart;
- Repost: The permission to repost the chart.
*The above viewing and operation permissions are based on the premise of having the subject domain permissions
1.3 System Preset Report Permission
**The "system preset report" subject field controls the operation authority of all preset charts. **
Preset charts: Different from charts created by enterprise users, preset charts refer to charts preset by the system for enterprises out of the box and visible to all employees, such as the preset modules on the homepage and the charts in the cockpit.
- CRM administrator, report administrator: have "view, edit, delete, forward, export, share" permissions;
- Non-administrator roles: have "View" permissions, and can configure "Edit, Delete, Forward, Export, Share" permissions;
- Among them, "edit" means that the preset chart can be saved as a personal chart; "delete" means that these personal charts generated by saving as a preset chart can be deleted.
2. Data cockpit permissions
2.1 Data cockpit background permissions
The operation authority control logic of the data cockpit is consistent with the business object, which is controlled by the "role" to which the employee belongs. The operation authority of the data cockpit is controlled by the "cockpit authority" function authority owned by the "role". controlling.
Background permissions include: view, create, edit, delete
- View: permission to view the data cockpit;
- New: permission to create a new data cockpit;
- Edit: permission to edit the data cockpit;
- Delete: the permission to delete the data cockpit;
Note: only control the custom personal data cockpit
2.2 Data Cockpit Page Permissions
Cockpit type (can be selected when saving a new cockpit): personal type or enterprise type.
View permissions: public, private
- Public: Visible to all people with viewing permissions in the background
- Private: Visible to designated personnel with viewing rights in the background
| Cockpit type | What roles can be created | Data permissions |
|---|---|---|
| Individual type | A role with newly-created permissions in the background | Access the viewer's personal data permissions: If employee A shares the "personal" type cockpit with employee B, B will use B's personal data permissions when viewing |
| Enterprise type | Only CRM administrator and report administrator | Authorizer's data authority: If administrator A authorizes the enterprise type cockpit to B, B will use the administrator's data authority when viewing (the data range can be constrained by global filtering) . Solve the scenario where employees do not have data permissions, but need to see the data through the big screen |
Cockpit operating authority instructions:
| Operation Permissions | Description |
|---|---|
| Create | A role with new permission in the background can create a new "personal type" cockpit, and a CRM administrator and report administrator can create a new "enterprise type" cockpit |
| Edit | Individuals can edit the cockpit created by themselves, edit the cockpit shared/authorized to me by others and check the edit box, CRM administrator and report administrator can edit all cockpit |
| Delete | Individuals can delete the cockpit created by themselves, can delete the cockpit shared/authorized to me by others and ticked to delete, CRM administrator and report administrator can delete all cockpit |
| Sharing | You can share the "personal type" cockpit you created for others to view. After canceling the sharing, others will no longer be visible |
| Authorization | Only CRM administrators and report administrators can authorize the "Enterprise Type" cockpit to be viewed by others. After the authorization is revoked, others will no longer be visible |
| Hidden | Individuals can hide all the cockpits that they can see as needed, only valid for themselves, not affecting others |
- Only CRM administrators and report administrators have access to the "Data Cockpit Management" operation portal. Different cockpits can be viewed for different roles of the enterprise (business owner, finance, department/regional head, general salesperson)/personnel in different departments.
- The default cockpit displayed by employees within the scope of application, in addition to the one assigned by the administrator, will also include the preset cockpit created by the employee, shared/authorized by others, and newly added in version iterations;
- Before the administrator assigns the cockpit, if the employee has adjusted the displayed cockpit or the order, the administrator's assignment will overwrite the employee's own adjustment;
- Employees can also make further adjustments based on the cockpit assigned by the administrator, such as: hiding, adjusting the order, etc.
***When an employee meets multiple sets of settings at the same time, the first set of settings that matches will be selected by default. **
3. Object/Field Permissions
**The BI platform inherits business permissions. When viewing a chart, the visible objects and fields are consistent with those on the business side. **
Amy is a salesperson and does not have the object permission (view list permission) for the object "Cashback", then Amy:
- When creating a report to select an object, the payment object cannot be selected;
- When viewing the report analyzed as the main business module, the details cannot be viewed;
- When viewing the payment collection as a report analyzed by the associated module, the fields and statistical information of the payment collection cannot be viewed;
When viewing the details of statistical graph indicators, all fields cannot be viewed.
- Amy has the object authority of the object "return", but does not have the field authority of the "total amount of this return" field, then Amy:
- When configuring the report, this field cannot be selected;
- This field cannot be viewed when viewing reports and statistical chart indicators, and it is displayed as *****
- Special objects:
Business process instance, business process task, approval process instance, approval process task, process stage, behavior points details.
These objects do not have independent object permission control:
- The version used by the enterprise has the capabilities of business process, approval process, stage propeller, and behavioral points;
- And the enterprise has a process definition of "enabling"; then it can be selected for analysis.
