
This article outlines how to use the RESETACCESSRIGHTS function and provides practical examples and use cases to show how the function can be applied to manage access rights efficiently in different situations.

The RESETACCESSRIGHTS function is a targeted option for removing access rights inheritance. There are different options you can use at Application level when it comes to access rights inheritance.
For more information, see Options for Application-level Access Rights Inheritance

Before you begin

We recommend that you’re familiar with access rights inheritance before you start using the RESETACCESSRIGHTS function.

For more information, see Understand Access Rights Inheritance

 

About the RESETACCESSRIGHTS function

 

The RESETACCESSRIGHTS function prevents a Block from inheriting access rights. It does not impact the access rights of the source Block itself; it only prevents the source Block’s access rights from being applied to the Block that references it.

For a full description of the function’s parameters, see RESETACCESSRIGHTS function

Syntax

RESETACCESSRIGHTS(expression)

We recommend being as specific as possible in the expression you include within the brackets when using the function.

 

Examples

The examples below show how the placement of the function determines whether the formula stops inheriting access rights from Metric A, Metric B, or both.

 

RESETACCESSRIGHTS(Metric A + Metric B)

This stops the inheritance of access rights from both Metrics, which can expose more data than intended. It’s important to be as specific as possible.

 

RESETACCESSRIGHTS(Metric A) + Metric B

This stops the inheritance of access rights exclusively from Metric A.

 

Metric A + RESETACCESSRIGHTS(Metric B)

This stops the inheritance of access rights from only Metric B.
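The three placements above can be compared with a small model. This is an added example, not the product's own code: the tokenizer, the `can_view` rule (a result is visible only if the member can access every Block still inherited) and the sample member are simplifying assumptions made for illustration.

```python
import re

# Simplified model: Block names are any text between operators and parentheses.
TOKEN = re.compile(r"\s*(RESETACCESSRIGHTS\s*\(|\(|\)|[+\-*/]|[^()+\-*/]+)")

def classify(formula):
    """Split referenced Blocks into (still inherited, inheritance reset)."""
    inherited, reset, stack, pos = [], [], [], 0
    formula = formula.strip()
    while pos < len(formula):
        m = TOKEN.match(formula, pos)
        tok, pos = m.group(1).strip(), m.end()
        if tok.endswith("(") and tok != "(":
            stack.append(True)            # entering a RESETACCESSRIGHTS( ... )
        elif tok == "(":
            stack.append(False)           # ordinary grouping parenthesis
        elif tok == ")":
            if not stack:
                raise ValueError("unbalanced parentheses")
            stack.pop()
        elif tok not in {"+", "-", "*", "/"}:
            (reset if any(stack) else inherited).append(tok)
    if stack:
        raise ValueError("unbalanced parentheses")
    return inherited, reset

def can_view(formula, access):
    """Assumed rule: the result is visible only if the member can access every
    Block whose access rights the formula still inherits."""
    return all(access.get(block, False) for block in classify(formula)[0])

def resets_multiple_blocks(formula):
    """Review flag: the formula drops inherited rights from more than one Block."""
    return len(classify(formula)[1]) > 1

# Constructed sample: a member who can access Metric B but not Metric A.
MEMBER = {"Metric A": False, "Metric B": True}
FORMULAS = [
    "Metric A + Metric B",
    "RESETACCESSRIGHTS(Metric A + Metric B)",
    "RESETACCESSRIGHTS(Metric A) + Metric B",
    "Metric A + RESETACCESSRIGHTS(Metric B)",
]

if __name__ == "__main__":
    for f in FORMULAS:
        print(f"{f!r}: visible={can_view(f, MEMBER)}, review={resets_multiple_blocks(f)}")
```

Under this model, wrapping the whole formula makes the result visible even to a member with no access to either Metric, which is the over-exposure the first example describes.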

 

Use cases for the RESETACCESSRIGHTS function

 

To determine which expressions to include within the parentheses of the RESETACCESSRIGHTS function, it’s important to understand the different cases where restricted access rights need to apply. It’s recommended to use this function as specifically as possible, and to avoid applying it across entire formulas. By identifying exactly where you want to remove inherited access rights, you can efficiently remove those rights but still preserve overall data security.

 

Aggregations

When referencing the aggregation of a Dimension that has access rights rules applied, a Member must have full access to the data to view the total.

For example, consider an Employee Dimension with access rights applied. If you reference a total for all salaries to be included in an expense line, the aggregation total is inaccessible to any Member who lacks full access to all employees. Members with only partial access are denied visibility of the aggregation total. To allow these Members to view the Total Salary Costs, you must apply the RESETACCESSRIGHTS function.

It's important to note that a Member without full access to a Dimension cannot view the total for that Dimension—even if the referenced data includes unpopulated or blank values. Full access is mandatory unless the RESETACCESSRIGHTS function is used to override these restrictions.

 

Shared Dimensions across Applications

Shared Blocks retain their access rights when they are used by another Application. However, to stop access rights inheritance on shared Blocks, you must allow use of the RESETACCESSRIGHTS function in the Application where you want to stop access rights inheritance.

You do this by configuring specific settings in the Roles, permissions and access page of your Application. If you try to use the RESETACCESSRIGHTS function without toggling on these settings, the following error is displayed: 

Error: The RESETACCESSRIGHTS function cannot be used on this expression as it attempts to remove access rights inherited from other Applications.

 

You need to be a Security Admin to update where the RESETACCESSRIGHTS function can be used. 

  1. In your Application settings, go to the Roles, permissions and access page.
  2. Click Data access and then Manage inheritance.
    Update the following setting(s) to adjust your access rights inheritance.

    Use the RESETACCESSRIGHTS() function to remove inherited access rights for Blocks shared from other Applications.
    When you toggle on this setting, you allow the use of the RESETACCESSRIGHTS function to remove inherited access rights from shared Blocks across Applications. For more information on sharing Blocks from Libraries, see Using Libraries to Share Data Between Applications.

    Remove access rights inherited through formulas within this Application.
    This setting is only available when the previous setting is toggled on. When you toggle on this setting, inherited access rights are removed in the entire Application, without needing the RESETACCESSRIGHTS() function. This means that formulas that share and reference Blocks within this Application automatically do not inherit access rights.

 

Optimize performance by managing inherited and redundant rules

An Application can have hierarchical Dimensions, either through a group Property or a mapping attribute, with access rights defined on multiple levels. In this situation, multiple rules can be inherited by a Metric. This is generally not a problem, but it can occasionally cause performance issues depending on the size of the Lists and how many Blocks are inherited.

For example, let’s say you have an Employee and Department List that are part of a hierarchy.

Consider its access rights setup:

  • Two different access rights rules set up for all Metrics structured on those Dimensions. 
  • Two different access rights rules are needed to account for some Metrics structured by the Employee Dimension and also for Metrics structured by Department. 
  • There could also be another access rights rule for a Country Dimension. 

When a Metric structured by the Country, Employee, and Department Dimensions references multiple Blocks that are also structured on these Dimensions, it can lead to performance issues.

Inherited access rights rules are unnecessary here because the Metric’s Dimension structure already inherits the rules. In cases like this, you can use the RESETACCESSRIGHTS function to eliminate rule duplication.

 
