Access Control of Access Control
This section covers how to apply Access Control to Access Control itself: controlling the access rights that your administrators are granted for defining and modifying your organization's Access Control model. This is an advanced area; use it only when you have a firm grasp of Access Control concepts.
For an example of how this functionality might be useful, consider a regulatory requirement that makes it necessary to restrict the access that some administrators have to certain data:
Due to export control regulations, only a small number of users in the USA region of a multi-national corporation should have access to the organization's export control information.
Administrators (and any other users) outside of the USA region should not be able to access this data.
These administrators should also not be able to create or modify the Access Control model to allow themselves or others to gain access to the data.
To configure this kind of Access Control model, aPriori provides a "Super Users" sub-group of the system-defined Administrators group (see Super_Users). Administrators who belong to the Super Users group have extra privileges that other administrators do not have. Specifically, they are able to access any data in the aPriori system, and they have the ability to define and modify the Access Control model.
All administrators by default have full rights to access all data in the system. Super User Administrators have these same permissions, but with the "Strong Grant" option enabled. Super User Administrators also have the following key privilege:
The unrestricted ability to create groups and assign permissions to groups.
Recall that all users can have permissions that include components, roll-ups, and VPEs as resources. Super User permissions can also target permissions and groups as resources, which is what gives Super Users their special capabilities.
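The following Python sketch models the idea that permissions and groups are themselves resources. It is an added illustration, not aPriori code or its API. The `Model` class, user names, action names and scope labels are constructed, and it assumes that administrators outside the Super Users group hold no permissions on permission or group resources.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Permission:
    group: str   # group the permission is granted to
    action: str  # constructed action names: "read", "create", "assign"
    kind: str    # resource kind: component, roll-up, vpe, permission, group
    scope: str   # constructed label such as "export-control"; "*" means any

@dataclass
class Model:
    members: dict = field(default_factory=dict)  # group name -> set of users
    perms: set = field(default_factory=set)

    def allowed(self, user, action, kind, scope):
        return any(user in self.members.get(p.group, ()) and p.action == action
                   and p.kind == kind and p.scope in ("*", scope)
                   for p in self.perms)

    def create_group(self, actor, name):
        # Groups are themselves a resource kind, so creating one is checked.
        if not self.allowed(actor, "create", "group", name):
            raise PermissionError(f"{actor} may not create group {name!r}")
        self.members[name] = set()

    def assign(self, actor, perm):
        # Permissions are a resource kind too: editing the model is checked.
        if not self.allowed(actor, "assign", "permission", perm.scope):
            raise PermissionError(f"{actor} may not assign {perm}")
        self.perms.add(perm)

def build_model():
    # Constructed sample data: alice is a Super User, bob a regular administrator.
    return Model(
        members={"Super Users": {"alice"}, "Administrators": {"alice", "bob"},
                 "USA Export": {"carol"}},
        perms={Permission("Super Users", "create", "group", "*"),
               Permission("Super Users", "assign", "permission", "*"),
               Permission("Super Users", "read", "component", "*"),
               Permission("Administrators", "read", "component", "general"),
               Permission("USA Export", "read", "component", "export-control")})

def try_escalate(model, actor):
    """Actor tries to grant Administrators read access to export-control data."""
    try:
        model.assign(actor, Permission("Administrators", "read", "component", "export-control"))
    except PermissionError:
        return False
    return True
```

In this model a regular administrator is denied both the data and any change to the model that would grant it, while the same change made by a Super User succeeds.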