Understanding Full-Service Report Permissions, Scope, and Filters

Updated

Access to Full-Service Reports is determined by a combination of security role permissions, report-level restrictions, security role scope, and report filters. These components are evaluated in sequence to determine whether a user can access a report and what data is included when it is run. This article explains how each component works and how to troubleshoot report access using a consistent model.

Overview

Access to Full-Service Reports is determined through four distinct controls:     

  • Security role permissions (what reports a user can access)
  • Security role scope (which users may be included in a report)
  • Report-level permissions (further refines who may be included in the report)
  • Report filters (report run time selections for which users are included in the report output)

These controls are evaluated in sequence and serve different purposes. Understanding how they differ is key to diagnosing report access issues.  

Access Sequence

The system evaluates report access using the following sequence of steps: 

  1. Security Role Permissions → determines Access
  2. Security Role Scope → determines Reach
  3. Report-Level Permissions → determines Eligibility
  4. "Whom to Include" Parameter → determines Output

A failure at any step will either prevent a User from running a report entirely or limit the data returned in the final results.

Step 1: Security Role Permissions (Access)

The system first evaluates a user’s security role permissions for Full-Service Reports to determine which reports appear in the Reports list within the Reports utility.

A user must be assigned a security role that:

  • Includes the Full-Service Reports permission
  • Includes the specific report(s) within that permission

If a report is not assigned to any of the user’s roles:

  • The report will not appear in the Reports list for a user

To review the list of Full-Service Reports available to each security role, refer to: Reviewing and Creating New Security Roles.

At this step, the system determines which reports are visible, but does not yet evaluate which users can be included. This is determined in later steps.

Note: Assigning or removing reports from a security role’s Full-Service Reports permission is managed through a General Work Request.

Step 2: Security Role Scope (Reach)

For reports included in a security role, the system uses the individual selected parameters for the role to define the specific set of users for whom the report can be run.

Example

  • The Faculty role is Self-Scoped, meaning users can only run reports for their own account.

  • A role scoped to a Department allows a user to run reports for everyone within the selected department.

  • Any scope beyond "self" grants users access to the "Whom to Include" filter in Step 4.

While the security scope establishes the initial set of potential subjects, this list may be further refined by the Whom to Include parameter within the report itself. For more information, refer to Security Roles Overview.

Note: Scope is defined at the system level and cannot be overridden by individual report settings.

Step 3: Report-Level Permissions (Eligibility)

Note: This step will not apply to all reports. This is commonly used for unit-specific reports, such as programmatic accreditation or unit-level annual review reports.

After confirming access and scope, the system evaluates eligibility for users to within the scope to appear in reports.

Some reports include restrictions based on organizational units, such as a College or Department. This means that only users associated with the specific unit may be included in the report. You can review these restrictions using the Security Details for Full-Service Reports report.

This report can be retrieved from the Users & Security tool and it includes three columns: 

Screenshot of the three columns of the report
  1. Report Name (Column A): Identifies the title of the report
  2. Report Permissions (Column B): Defines any unit-based restriction
  3. Security Roles (Column C): Lists which security roles have access to run the report

Report permissions (outlined in Column B) are validated against the user’s most recent Yearly Data record

Example

You will often find that AACSB reports are restricted to the College of Business unit. With these restrictions, only users who have the College of Business in their most recent yearly data record are eligible to appear in the AACSB report.

To learn more about this report and how to run it, refer to Reviewing and Creating New Security Roles

Step 4: "Whom to Include" Parameter (Output)

The final step determines which individuals are included in the report results. The "Whom to Include" parameter allows users to filter the specific group of accounts already defined by their security scope. This parameter is the second step when generating a report. 

Screenshot of the Whom to Include parameter

To learn more about the filter options available from the "Whom to Include" parameter, refer to Creating a New Report: Export Raw Data

This parameter can be utilized by a user whose scope must extend beyond "Self." If the "Whom to Include" option is not visible, it is because the user's security roles are limited to a self-scope, which only permits them to access their own data.

The system determines which users fall within a specific scope based on the values in their most recent yearly data record. Users are included only by their current scope, but all previous scopes are shown. This can cause cases where a secondary scope is selectable but returns no data.

Example

An individual with a "College" scope for the College of Science can only filter for users who are also assigned to the College of Science. If a user’s most recent yearly data record lists their unit as the College of Science, they will appear as an option in the "Whom to Include" parameter.

For institutions supporting multiple college appointments for one user, other Colleges may be listed in Whom To Include. These will only contain the users which have a joint appointment with that unit and College of Science.

Once the filter is applied, only the selected users will be included in the final report output.

Troubleshooting Report Access

The following list identifies common reasons why a report may not appear or function as expected, along with recommended troubleshooting steps.

Report is missing from the Reports list. 

  • Cause: A report will only appear in the reports list if the current user is eligible to run the report over their own activities data or for users included in their security role and scope.

  • Resolution: First, confirm the user’s security role includes the "Full-Service Reports" permission and that the specific report is selected within that role (as outlined in Step 1). If the role is configured correctly but the report is still missing, review the report permissions in Step 3 to ensure the user is properly aligned and that no additional restrictions are in place.

User cannot run reports for other users

  • Cause: If the "Whom to Include" parameter is missing when a user attempts to run a report for other users, it indicates that the requirements in Step 4 have not been met. Specifically, this occurs when a user has not yet been assigned a security role with a scope extending beyond "Self." If a user's only assigned role is self-scoped, they will only be permitted to run the report for their own data, and the filtering parameter will not available.

  • Resolution: Review the user’s assigned roles and their associated scope in the Users and Security tool. If a user only has a self-scoped role, such as "Faculty," they can only access their own data. To grant broader access, assign an additional role with a Department or College scope. For guidance, refer to the guide on Searching and Managing User Accounts

Users are missing from the "Whom to Include" filter

  • Cause: If a user does not appear in the "Whom to Include" filter, it is because they fall outside the runner's defined security scope. For example, if the user running the report has a scope limited to the "College of Science," they can only filter for individuals assigned to that specific unit. If a user’s most recent yearly data record lists a different unit, they will not be available as an option in the "Whom to Include" parameter.

  • Resolution: This usually occurs when a user's yearly data record does not align with the expected unit. The "Whom to Include" filter relies on the most recent Yearly Data record to determine eligibility. Use the Manage Data Utility to confirm the user has a current record and that their unit assignment is correct. Detailed information can be found in Step 4.

A user is selected in the "Whom to Include" filter, but no data appears in the report output. 

  • Cause: If a user can be selected in the "Whom to Include" parameter but no data is returned in the report, it indicates that the user does not meet the specific filtering criteria or logic defined within the report template. While their security scope allows them to be included in the search, their actual data records do not match the report's requirements.

  • Resolution: Download the report template to review the specific criteria used to pull data. If the user’s records do not meet the report's defined filters or logic, they will not appear in the results. For assistance, refer to the guide on How to Review a Report Template.

Was this article helpful?
0 out of 0 found this helpful

Articles in this section

How to Contact Support
There are many ways to reach out! Click the icon above for our support options.
Watermark Academy
Click the icon above to access the Watermark Academy for consultation, training, and implementation companion courses.
Customer Community
Can’t find the answer? Ask fellow users how they’re making the most of Watermark in our Community!