If user privileges and object security settings differ, the following rules apply:
Object security settings that deny a user action always override individual user privileges that allow the action. For example, a book that denies the Edit action cannot be edited by a user who is allowed to edit books.
Individual user privileges that deny an action always override object security settings that allow the action. For example, a user privilege that denies editing a book always denies the user to edit any book, regardless of the book’s object security settings.
An object’s security settings for a user override the object’s security settings for a group. If the security settings allow a user to perform an action, and the security settings for the group deny the action, the user can perform the action. For example, the CFO user is allowed to edit the Cash flow measure, and is also a member of the Executive group. The CFO can edit the measure, regardless of the measure’s security setting for the Executive group. Similarly, if the security settings deny a user from performing an action, and the security settings for the group allow the action, the user cannot perform the action.
If an object does not define security settings for a user, security settings for groups apply. If security settings are defined for multiple groups to which the user belongs, the following rules apply:
If any group denies an action, Metrics Management denies the user from performing the action.
If one group allows the action, and no other group specifically denies the action, Metrics Management allows the user to perform the action.
Object security settings that deny a user action always override individual user privileges that allow the action. For example, a book that denies the Edit action cannot be edited by a user who is allowed to edit books.