This article covers the permission that controls access to reports in Sapera. Access is not granted to each individual report, but per report tag (a "tag" — the category that reports are grouped under in the report menus).
You assign these permissions in Financial under Security → Groups → select a group → Permissions (set Allow/Deny per permission).
Controls which reports under a given report tag a group can see and run.
The permission is per tag: each report tag has its own *Access* permission in the permission tree, arranged in the tag hierarchy. In the permission tree it reads together with its tag — that is, "Report Tag → Access".
When the group has Allow on a tag, the tag's reports appear in the report menus and can be opened, run and exported. Without access, the tag is filtered out of the menus, and the print/export button shows "access denied".
The permission controls visibility of reports in the report menus and on the print/export button.
A report can belong to several tags. It is visible if the group has *Access* on the tag the report is shown under.
By default, everyone has access. New report tags are automatically granted access for both Administrators and regular users. An administrator restricts access by removing (or denying) access on a specific tag for a group.
Allow vs. Deny: An explicit Deny wins over an inherited Allow.