Data Access
Security settings that control access to the Entity:
Data Cell Access Security
Blocking a User Group from knowing the existence of a certain Entity or Account can be accomplished on the Member in the Dimension Library. Data Cell Access Security is where an access rule can be made more granular than the Application/Cube/Entity/Scenario level. Here, No Access, Read Only or All Access can be granted to an intersection of data.
Use the Read-Only and Read-Write security group settings on Entities and Scenarios to specify the users that need access to any data for those Dimensions. Then, Cube Data Access Security can be used to refine which data certain users can access. For example, if restricting read and write access by Cost Center, which may be set up as UD1 in the application, is wanted. This can be done by having entries in Cube Data Access Security that specify which users have access to certain cost centers.
If security needs to be controlled for combinations of Members involving multiple Dimensions, slices can be defined using Member Filters when providing access.
Example: An Entity typically has a primary group of people responsible for that Entity, but an administrator might want to provide limited access to that Entity for another larger group of people. If the larger group of people is only allowed to view data for summary level accounts and only for a specific product segment set up in UD2, Member Filters can be used to provide access only to the corresponding data cell intersections. In addition, the ability to reference the current Entity’s name and text properties using Substitution Variables can also simplify security maintenance when product segments and users are different for each Entity.
First, choose a User Group, the level of access, and then enter a Member Filter. For example, a User Group that includes Senior Management and Human Resources can have All Access to actual compensation figures (S#Actual, A#[Total Compensation].Tree), but everyone else will have No Access.
NOTE: Each of these Data Cell Access Security rules either grants or takes away access. This depends on the Action, Behavior and Access Level and the order in which the rule appears in the list.
General
Category: This is an optional Category name by which access rules can be named and grouped. If these categories are created, more than one can be applied to an Entity’s security settings. All these rules will apply if the category is left blank in the Entity’s security settings.
Description (Optional): Description for the rule.
Security
Access Group: This is the group of users to which particular security roles apply. It can be an actual named security group or refer to an Entity or Scenario group. The first four options refer to the Entity’s Read Data Group, Read Data Group 2, Read Write Data Group or Read Write Data Group 2. The 5th and 6th group are the Scenario Read Data Group or Read Write Data Group. For example, if you are in the Read Data Group for an Entity, then you will need to be given access to Product Sales data for that Entity, the rule would be set up as follow:
Further down in the dialog:
All Access groups from the 7th Access Group down are the full list of security groups from the specific Framework database.
Action
Actions: There are three cases that will drive different behaviors and access levels for this particular Data Cell Access Security rule in relation to other rules that came before or after it in the list. It depends on whether the user trying to query or update data is in a particular User Group. It also depends on if the cell of data in question falls within a certain Member Filter. Below are the three cases:
-
If User is in Group and Data Cell is in Filter
-
If User is in Group and Data Cell is NOT in Filter
-
If User is NOT in Group and Data Cell is in Filter
Behavior: There are eight possible behaviors that coincide with the three action cases. For example, the Increase Access rules will increase support while going down the list of rules. The rules in the list will continue until it either reaches the end of the list or it reaches a Behavior that includes the word "Stop.”
Skip Item and Continue: Default for If User is in Group and Data Cell is not in Filter or If User is not in Group and Data Cell is in Filter
Skip Item and Stop: Choose this behavior to skip a Cube Data Access Item and stop evaluating the remaining Cube Data Access Items.
Apply Access and Continue: Default for If User is in Group and Data Cell is in Filter
Apply Access and Stop: Choose this behavior to apply access to a Cube Data Access Item and stop evaluating the remaining Cube Data Access Items.
Increase Access and Continue: Choose this behavior to increase access to a Cube Data Access Item and then continue evaluating the remaining Cube Data Access Items.
Increase Access and Stop: Choose this behavior to increase access to a Cube Data Access Item and then stop evaluating the remaining Cube Data Access Items.
Decrease Access and Continue: Choose this behavior to decrease access to a Cube Data Access Item and then continue evaluating the remaining Cube Data Access Items.
Decrease Access and Stop: Choose this behavior to decrease access to a Cube Data Access Item and then stop evaluating the remaining Cube Data Access Items.
Access Level
No Access: Read or write to the cell.
Read Only: Read the cell.
All Access: Read and write to the cell.
These properties work together with the security that is placed on an Entity. Refer to the Security section under Entity Dimension.
Data Cell Conditional Input
Data Cell Conditional Input is not a security setting that is the same setting applies to all users. Use Data Cell Conditional Input when a Dimension Member is intended to be used for input sometimes, but used for a calculation elsewhere. For example, if you want to manually type in F#OpeningBalance in the Budget Scenario, but use a formula in the Actual Scenario, Data Cell Conditional Input could be used to enable write access to the data cell appropriately.
Category: This is an optional Category name by which access rules can be named and grouped. If these categories are created, more than one can be applied to an Entity’s security settings. If the category is left blank in the Entity’s security settings, then all of these rules will apply.
Description (Optional): Description for the rule.
Action: There are two cases that will drive different behaviors and access levels for this particular Data Cell Conditional Input rule in relation to other rules that came before or after in the list. This depends on whether the cell of data in question falls within a certain Member Filter. Below are the two cases:
-
If Data Cell is in Filter
-
If Data Cell is NOT in Filter
Based on the Action case, a series of Behaviors and Access levels will apply. See Action under Data Cell Access Security for more information on Access Level choices.
Member Filters: These are the areas of the Cube that are affected by this rule.
Data Management Access Security
Data Management Access Security helps determine what areas of a Cube can be modified through a Data Management Sequence or step being launched by a user.
Category: This is an optional Category name by which access rules can be named and grouped. If these categories are created, more than one can be applied to an Entity’s security settings. If the category is left blank in the Entity’s security settings, then all these rules will apply.
Description (Optional): Description for the rule.
Security: See Data Cell Access Security for a description.
Action: See Data Cell Access Security for a description.
Member Filters: These are the areas of the Cube that are affected by this rule.
See Security Best Practices in Implementing Security for more information on Data Access Security.