Contains preview content for the 2020R2 release.
Audience: Administrators who manage the model.
Level owners have special privileges for the levels they own. If your instance uses level-based security, level owners are also the main way you control access to data. See Set Up Level-Based Data Access. If you use access rules for data security, level owners still have certain privileges. Plus, you can use owned levels to create dynamic access rules. See Create Access Rules.
Level ownership trickles down the level hierarchy. Users who own a parent level own its child levels and each child level's child and so on. To assign levels to a user, update the Level Owners level setting. Or edit the user from the Administration menu if you have Admin Access permissions.
Before You Begin
How You Get There
From the nav menu, select Modeling. From the Levels and Dimension menu, select Levels.
How Level Owners Work
Level Owners as Access Control
If your instance uses level-based security, level ownership controls your access to data. As a level owner with the appropriate permissions, you can:
- Access data. You must own at least one level to access any data at all.
- Open level-assigned sheets for the levels you own.
- View the level's data in charts and reports.
- Complete tasks with special privileges. See the section, Level Owner Special Privileges.
Even without level ownership, you can still see the level when:
- You have the Model Access > Organization Structure > All Levels permission. You can edit the level settings from the level hierarchy. You can't see the data associated with the levels in sheets and reports.
- Your user-assigned sheets include the level. You can enter and edit the level's data.
- You edit modeled sheets with level columns and split the row. You can choose any level from the drop-down and add or edit data.
- You use formula assistant or explore cells for accounts with a Public at all levels data privacy setting. You can choose levels you don't own in the level drop-down, reference that account from any level, and drill into the level's source data.
- You have Integration > Data Designer permission. You can view all the levels in Integration.
- You're viewing a shared report with the level or a shared global report snapshot with the level.
Level Owner with Access Rules
If you use access rules:
- Your access rules control your access to data in level-assigned sheets, reports, and charts. See Access Rules Overview.
- You can complete tasks with your special privileges. See the section, Level Owner Special Privileges.
Access Rules Defined by Level Owners
Grant access to a large number of users with these dynamic rules. For a user group, create a rule that grants access to all owned levels. Every user in the group gets immediate access to all their owned levels. When you update the user's owned levels, you don't need to update the rule. It dynamically honors the user's current owned levels. See Create Access Rules.
Level Owner Special Privileges
No matter what your security structure is, as a level owner, you can:
- Manage owned levels from the modeling menu. Required permission: Access Model Management > Org Structure.
- Approve levels in workflow. Required permission: Approve Levels permission.
- Assign level ownership to other users. Required permission: Model Management Access > Organization Structure.
- View and create journal entries on levels that you own. Required permission: Access Consolidation.
- Review Intercompany Eliminations debits and credits for owned levels. Required permission: Access Consolidation.
- Receive shared-by-level reports in your Shared Reports folder. Required permission: Access Reports permission.
Find Out Who Owns a Level
You can view a list of level owners on the level hierarchy or in the settings of each level. Use the examples to walk you through level access.
In the Hierarchy
To see level owners, look at the Level Owners column in the hierarchy list:
- Total Company has Admin listed in the Level Owner column. This means that Admin can access all the levels.
- Admin and Accounting Mgr can access Company A.
- Admin, Accounting Mgr and VP of Sales have access to Operations.
- United States has nothing listed. It inherits the level owners of Operations and up (all three users listed).
- North Sales Manager only has access to Sales-North.
- The other sales departments inherit the level owners from Operations and up.
In the Settings
Select a level from the level list (for example, Company A), and click on the Level Access scroll bar to activate.
- User IDs with gray text, like Admin, are read-only because they're inherited.
- IDs highlighted blue, like Accounting Mgr, are directly assigned to the level.
- IDs with black text do not own the level.
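The inheritance described in the hierarchy and settings examples above can be modeled to audit who effectively owns each level. This is an added example, not product code or a product API; the parent links and the level name Sales-South are assumptions, because the page lists owners but not the full tree.

```python
# Constructed model of the example hierarchy. Parent links and "Sales-South"
# are assumptions; the page only states which owners appear on each level.
PARENT = {
    "Total Company": None,
    "Company A": "Total Company",
    "Operations": "Company A",
    "United States": "Operations",
    "Sales-North": "Operations",
    "Sales-South": "Operations",
}

# Owners assigned directly on a level (the IDs highlighted blue in settings).
DIRECT = {
    "Total Company": {"Admin"},
    "Company A": {"Accounting Mgr"},
    "Operations": {"VP of Sales"},
    "Sales-North": {"North Sales Manager"},
}

def inherited_owners(level):
    """Owners picked up from every ancestor of the level (gray, read-only)."""
    owners, parent = set(), PARENT[level]
    while parent is not None:
        owners |= DIRECT.get(parent, set())
        parent = PARENT[parent]
    return owners

def effective_owners(level):
    """Everyone who owns the level, directly or by inheritance."""
    return DIRECT.get(level, set()) | inherited_owners(level)

def owned_levels(user):
    """Levels a user owns; a rule granting 'all owned levels' resolves to this."""
    return sorted(lvl for lvl in PARENT if user in effective_owners(lvl))

def ownership_state(level, user):
    """Classify a user for one level. Assumption: inherited wins over direct."""
    if user in inherited_owners(level):
        return "inherited"
    if user in DIRECT.get(level, set()):
        return "direct"
    return "not owner"

if __name__ == "__main__":
    for lvl in PARENT:
        print(f"{lvl}: {sorted(effective_owners(lvl))}")
```

Running it against an export of your own hierarchy shows how far a single assignment near the top of the tree reaches, which is the first thing to check in a least-privilege review.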
Set the Level Owners for Levels
- Create or clone the level and select Save. You won't see the inherited access until you save. If you edit the Level Owners setting before saving, you will lose your changes.
- Click on the Level Owners scroll bar to activate. Do not click in the list or you might deselect current user IDs.
- To remove user IDs, Ctrl-click on user IDs highlighted blue.
- To add user IDs, Ctrl-click on user IDs with black text.
Whatever IDs you add or remove are also added and removed from the level's children.
Create Partial Admin Access
Partial admin access gives you full admin permissions to a limited part of the model. To create a partial admin access role, you need these permissions:
- Admin Access > Roles
- Admin Access > Users
- Model Management Access > Organization Structure > All Levels
To create partial admin access:
- Create a role with most if not all available permissions, if you haven't already. Name the role something relevant, such as Full Admin.
- Create the user profile if you haven't already.
- In the user settings:
- For Role, choose the admin role from the drop-down.
- For Owned Levels, select only some of the levels from the list.
Now the user has all the capabilities, but only within a set of levels. See Users, Roles, and Permissions.