Data Access Tab
The Data Access tab controls access to data at the Cube level. As part of the security order of operations, once a user has access to an application, the next layer of security is to get access to the Cube. This is controlled on Cube Properties > Security section, see Cube Properties. Next layer of security is getting access to the data stored in a Cube. When considering using Data Access, the security level gets down to slices of data/data buffer or even down to a more granular level of the data cell intersection.
The Data Access tab contains three sections:
-
Data Cell Access Security
-
Data Cell Conditional Input
-
Data Management Access Security
Data Cell Access Security
This section is also considered “Slice Security.” Here is where access rules can be created to decrease or increase access to data at a more granular level than Application > Cube > Entity > Scenario. No Access, Read Only, or All Access can be granted to a group of data cells down to a single data cell.
To get access to Entity data, you must have Read/Read Write access to the Entity through Entity security. See Entity Security for more information. When granted access to the Entity data, you get access to every single data cell for the Entity within the Cube. If there is a situation where the user should not have access to every data cell for the Entity, then Data Cell Access Security is where configuration would happen to control access to these data cells.
First, choose a User Group, the level of access, and then enter a Member Filter. For example, a User Group that includes Senior Management and Human Resources can have All Access to actual compensation figures (S#Actual, A#[Total Compensation].Tree), but everyone else will have No Access.
-
Category: This is an optional Category name by which access rules can be named and grouped. The naming convention for Category is free form and is limited to 100 characters. When a Cube is created, by default, the Data Cell Access Security section is blank.
If these categories are created, more than one can be applied to an Entity’s security settings. Enter an optional comma-separated list of Category names that will be used when processing the Cube’s slice-level Data Access algorithms. Use empty text to process all Categories. Include |Null| to represent nameless Categories.
To add a category toCube Data Cell Access Categories, theUse Cube Data Access Securitymust be changed to True.
-
Description: This is an optional free form field to add a description for the Data Access rule. The description is limited to 200 characters.
-
Access Group:This is a security group in which users are assigned to where Data Cell Access security roles apply.
The Access Group shows a selection list of security groups from Security framework. The Access Group can be either manually created security groups or system defined security groups such as EntityReadDataGroup, EntityReadWriteDataGroup, and so on.
Security groups are created through Security and each Security group is assigned a unique identifier. See Security for more information.
-
Member Filter:Member Filter is used to define the Dimensions and Dimension Members required as part of the Data Cell Access to secure or allow access.
The Member Filter could be a singular Dimension and Dimension Member or a combination of multiple Dimensions and Dimension Members. By using Member Filters, the Data Cell Access security roles control access to a subset of data. This is considered “Slice Security.”
The Member Filter uses the same Member Filter syntax as used throughout the application.
-
Action: The Action section is broken out into three different actions:
-
If the user is in Group and Data Cell is in Filter.
-
If the user is in Group and Data Cell is not in Filter.
-
If the user is not in Group and Data Cell is in Filter.
-
For each of these three Actions, the Behavior and Access Level can be defined for a Data Cell Access security role. Based on the Action case, a series of Behaviors and Access levels will apply.
In a Data Cell Access security role, the Behavior has eight available behaviors to choose from. Each Behavior has a unique role in how a user gains access to data or how a user is restricted from data. The eight behaviors are:
-
Skip Item and Continue:Default for If User is in Group and Data Cell is not in Filter or If User is not in Group and Data Cell is in Filter.
-
Skip Item and Stop: Choose this behavior to skip a Cube Data Access Item and stop evaluating the remaining Cube Data Access items.
-
Apply Access and Continue:Default for If User is in Group and Data Cell is in Filter
-
Apply Access and Stop:Choose this behavior to apply access to a Cube Data Access item and stop evaluating the remaining Cube Data Access items.
-
Increase Access and Continue:Choose this behavior to increase access to a Cube Data Access item and then continue evaluating the remaining Cube Data Access items.
-
Increase Access and Stop:Choose this behavior to increase access to a Cube Data Access item and then stop evaluating the remaining Cube Data Access items.
-
Decrease Access and Continue:Choose this behavior to decrease access to a Cube Data Access item and then continue evaluating the remaining Cube Data Access items.
-
Decrease Access and Stop:Choose this behavior to decrease access to a Cube Data Access item and then stop evaluating the remaining Cube Data Access items.
In conjunction with the eight behaviors, there are three different Access Levels associated with them. The Member Filters, Behaviors, and Access Level all work together to define data cell access.
-
No Access: This Access Level prevents users from Read or Write access to cells defined in the Member Filter.
-
Read Only: This Access Level allows users Read access to cells defined in the Member Filter.
-
All Access: This Access Level allows users Read and Write access to cells defined in the Member Filter.
All these components make the Data Cell Access Security. Data Cell Access Security is performed after access to Application > Cube > Entity > Scenario. See Security for more information.
Data Cell Conditional Input Security
This section provides the ability to conditionally provide behavior access for all users to input data for a group of data cells or a specific data cell.
Data Cell Conditional Input shares the same properties and behaviors as Data Cell Access Security. However, Data Cell Conditional Input does not have an Access Group property. When configuring the Member Filters for a Data Cell Conditional Input rule, all users will either have access or not have access to input data to the data cells defined in the Member Filter.
Structure of Data Cell Conditional Input Security
-
Category: This is an optional Category name by which access rules can be named and grouped. The naming convention for Category is free form and is limited to 100 characters. When a Cube is created, by default, the Data Cell Access Security section is blank.
If these categories are created, more than one can be applied to an Entity’s security settings. Enter an optional comma-separated list of Category names that will be used when processing the Cube’s slice-level Data Access algorithms. Use empty text to process all Categories. Include |Null| to represent nameless Categories.
To add a category toCube Conditional Input Categories, theUse Cube Data Access Securitymust be changed to True.
-
Description: (See Data Cell Access Security for information)
-
Action: (See Data Cell Access Security for information)
-
Member Filters: (See Data Cell Access Security for information)
Data Management Access Security
This section provides a level of Cube security when running processes from a Data Management Sequence or Step. See Data Management for more information.
Data Management Access Security shares the same properties and behaviors as Data Cell Access Security. The purpose of Data Management Access Security is to control who has access to read or modify Cube data when using a Data Management process. This could be a Data Management process intended for running a Data Management Sequence or Step from the Data Management screen, Workflow loading to the Cube, or running a Dashboard button with a Data Management Sequence assigned to call a Finance Business Rule. As with these processes, they are focused on Cube Data Unit or Workflow Data Unit and not individual data cells. These are some of the examples where Data Management processes may require Data Management Access Security but not limited to only these.
Structure of Data Management Access Security
Category: This is an optional Category name by which access rules can be named and grouped. The naming convention for Category is free form and is limited to 100 characters. When a Cube is created, by default, the Data Management Access Security section is blank.
If these categories are created, more than one can be applied to an Entity’s security settings. Enter an optional comma-separated list of Category names that will be used when processing the Cube’s slice-level Data Access algorithms. Use empty text to process all Categories. Include |Null| to represent nameless Categories.
To add a category toCube Data Management Access Categories, theUse Cube Data Access Securitymust be changed to True.
-
Description: See Data Cell Access Security for information.
-
Action: See Data Cell Access Security for information.
-
Member Filters:The difference between Member Filters in Data Management Access Security and Data Cell Access Security or Data Cell Conditional Access Security is Entity and Scenario Dimension Types are the only options. The Member Filter focus is not at the data cell level, the Data Management Access is Data Unit focused. See Data Unit, Data Cell Access Security, and Data Unit for more information.