Users and roles
User access is controlled by user type and user role. Administrative users have full access across Analytics Exchange while non-administrative users have application-level permissions that control collection and folder-level access.
User types
There are two types of AX Server users:
- The Super Admin assigned as the ACL Analytics Exchange
Tomcat Service Account (TomEE service) during installationNote
Only the Super Admin can access the AX Server Configuration web application, however the Super Admin has no access to AX Client.
- Users added to AX Server after
installation
The Super Admin and users with the Administrator role can add users to AX Server.
User roles
With the exception of the Super Admin, every user in AX Server is assigned one or more of the following roles:
- Admin the Administrator roleNote:
Users that the Super Admin adds are automatically granted this role so that the new users can access AX Client.
- User the Core Client Access role
- Gateway the Web Client Access role
For more information about each role in AX Server, see User security.
Web Client Access licensing
Depending on your organization’s AX Server license, one of four scenarios is possible when granting access to AX Web Client:
- All active users are automatically granted access to AX Web Client
- All active users can be granted access to AX Web Client
- Only a limited number of active users can be granted access to AX Web Client
- Your AX Server installation does not include AX Web Client
If your license does not include AX Web Client access, or if all licenses are in use, you cannot assign the Web Client Access role to users.
Audit item permissions
Users with Core Client Access and Web Client Access roles have further application-level permissions that control which Working directory or Library audit item they can work with.
Each collection and folder has individual permissions that specify:
- which users have “Read only” access
- which users have “Full permissions”
Users with the Admin role have “Full permissions” to all audit items.
For more information about audit item permissions, see .
Permission and role change log in AX Server
AX Server tracks all permission and role changes in the userpermissionlog table of the database.
Using this table, you can query information about the following actions:
- adding new users
- deleting users
- changing user roles
- changing audit item access permissions
- inheriting audit item access permissions
userpermissionchangelog table
| Column | Data Type | Nullable | Description |
|---|---|---|---|
| logId |
|
N | The auto-incrementing primary key for the record. Note If records with the same transactionid value do not have sequential logId values, check your database logs to ensure a manual deletion was not executed on the table. |
| transactionid |
|
N | The unique identifier of the user action that creates
the record. Tip: A single action in the user interface can create multiple records in this table. Group records by the transactionid to find all permissions changes associated with a single user action. |
| userid |
|
N | The user ID of the user whose role or permission changes as a result of the action. |
| username |
|
N | The username of the user whose role or permission changes as a result of the action. |
| audititemid |
|
Y | The identifier of the audit item that the user’s permission change affects. Null on role change. |
| permissiontype |
|
Y | The users permission type for the record. |
| action |
|
N | The action taken by the user who makes the change. |
| changebyuserid |
|
Y | The user ID of the user that made the permissions change. |
| changedbyusername |
|
N | The username of the user that made the permissions change. |
| changetime |
|
N | The timestamp for the record change. |
| application |
|
N | The application from which the change was made:
|
