Application Security
A four-prong approach to application security consists of:
- Workflow security
- Entity security
- Account security
- Security roles
Once you identify entities and assign them to workflow profiles, you can determine the data loaders and certifiers for each entity. Data loaders load data into the system, so they need read/write access to entities. Data certifiers review and sign off on the loaded data, so they need read access to entities. Security can also be applied on the account or any other dimension to control who can review specific dimension members.
Security is determined through users and groups. Users are given specific roles that determine what data they can access or edit. For example, a user who is given the ModifyData role in an application has write access to any data in it. Users are also put into security groups. Groups can support native groups, exclusion groups, or groups of groups. For example, a user can be put into an entity's read/write data group to get read/write access to the entity's data.
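The following added example (a toy model, not the product's API or code) resolves entity access through nested and exclusion groups and flags data loaders and certifiers whose access falls short of what is described above. All group, entity and user names are constructed, and the exclusion semantics (an exclusion group removes named users from the groups it includes) are an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    users: set = field(default_factory=set)     # direct members
    groups: set = field(default_factory=set)    # nested groups (group of groups)
    excluded: set = field(default_factory=set)  # assumed exclusion-group behaviour

def members(name, groups, path=frozenset()):
    """Effective users of a group; `path` guards against circular nesting."""
    if name in path or name not in groups:
        return set()
    g = groups[name]
    result = set(g.users)
    for child in g.groups:
        result |= members(child, groups, path | {name})
    return result - g.excluded

def entity_access(user, entity, groups):
    """Return 'read/write', 'read' or 'none' for a user on one entity."""
    if user in members(entity["read_write_group"], groups):
        return "read/write"
    if user in members(entity["read_group"], groups):
        return "read"
    return "none"

def audit(entity, loaders, certifiers, groups):
    """Loaders need read/write and certifiers need read; list the gaps."""
    findings = []
    for u in loaders:
        if entity_access(u, entity, groups) != "read/write":
            findings.append((u, "loader lacks read/write"))
    for u in certifiers:
        if entity_access(u, entity, groups) == "none":
            findings.append((u, "certifier lacks read"))
    return findings

# Constructed sample data (hypothetical names).
GROUPS = {
    "Loaders_EU": Group(users={"alice", "bob"}),
    "Reviewers_EU": Group(users={"carol"}),
    "Houston_RW": Group(groups={"Loaders_EU"}, excluded={"bob"}),
    "Houston_Read": Group(groups={"Loaders_EU", "Reviewers_EU"}),
}
ENTITY = {"name": "Houston", "read_write_group": "Houston_RW",
          "read_group": "Houston_Read"}

if __name__ == "__main__":
    for finding in audit(ENTITY, ["alice", "bob"], ["carol", "dave"], GROUPS):
        print(finding)
```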
Every object has access and maintenance security rights, with the exception of Task Scheduler. Access allows the security group to view the object, while maintenance allows the group to edit the definition of the object. This system applies to most objects, such as cube views, dashboards, transformation rules, and workflow profiles.