Data Access

These are security settings that control access to the Entity:

Data Cell Access Security

Blocking a User Group from knowing the existence of a certain Entity or Account can be accomplished right on the Member in the Dimension Library. Data Cell Access Security is where that access rule can be made more granular than the Application/Cube/Entity/Scenario level. Here, No Access, Read Only or All Access can be granted to an intersection of data.

A typical use case is to use the Read-Only and Read-Write security group settings on Entities and Scenarios to specify the users that need access to any data for those Dimensions. Then, Cube Data Access Security can be used to further refine which data certain users can access. For example, if restricting read and write access by Cost Center (which may be set up as UD1 in the application) is wanted, this can be done by having entries in Cube Data Access Security that specify which users have access to certain cost centers.

If security needs to be controlled for combinations of Members involving multiple Dimensions, “slices” can be defined using Member Filters when providing access. For example, an Entity typically has a primary group of people responsible for that Entity, but an administrator might also want to provide limited access to that Entity for another larger group of people. If the larger group of people is only allowed to view data for summary level accounts and only for a specific product segment set up in UD2, Member Filters can be used to provide access only to the corresponding data cell intersections. In addition, the ability to reference the current Entity’s name and text properties using Substitution Variables can also be used to simplify security maintenance when product segments and users are different for each Entity.

First, choose a User Group, the level of access, and then enter a Member Filter. For example, a User Group that includes Senior Management and Human Resources can have All Access to actual compensation figures (S#Actual, A#[Total Compensation].Tree), but everyone else will have No Access.

Note that each of these Data Cell Access Security rules either grants or takes away access. This depends on the Action, Behavior and Access Level and the order in which the rule appears in the list.

General

Security

Access Group

This is the group of users to which particular security roles apply. It can be an actual named security group or refer to an Entity or Scenario group. The first four options refer to the Entity’s Read Data Group, Read Data Group 2, Read Write Data Group or Read Write Data Group 2. The 5^th and 6^th group are the Scenario Read Data Group or Read Write Data Group. For example, if a user is in the Read Data Group for an Entity, and he/she needs to be given access to Product Sales data for that Entity, the rule would be set up as follows:

Further down in the dialog:

All Access groups from the 7^th Access Group down are the full list of security groups from the specific Framework database.

Action

Actions

There are three cases that will drive different behaviors and access levels for this particular Data Cell Access Security rule in relation to other rules that came before or after it in the list. First, it depends on whether the user trying to query or update data is in a particular User Group and second, it depends on if the cell of data in question falls within a certain Member Filter. These are the three cases:

If User is in Group and Data Cell is in Filter
If User is in Group and Data Cell is NOT in Filter
If User is NOT in Group and Data Cell is in Filter

Behavior

There are eight possible behaviors that coincide with the three action cases. For example, the Increase Access…” rules will increase support while going down the list of rules. The rules in the list will continue until it either reaches the end of the list or it reaches a Behavior that includes the word “…Stop.”

Skip Item and Continue

Default for If User is in Group and Data Cell is NOT in Filter or If User is NOT in Group and Data Cell is in Filter

Skip Item and Stop

Choose this behavior to skip a Cube Data Access Item and stop evaluating the remaining Cube Data Access Items.

Apply Access and Continue

Default for If User is in Group and Data Cell is in Filter

Apply Access and Stop

Choose this behavior to apply access to a Cube Data Access Item and stop evaluating the remaining Cube Data Access Items.

Increase Access and Continue

Choose this behavior to increase access to a Cube Data Access Item and then continue evaluating the remaining Cube Data Access Items.

Increase Access and Stop

Choose this behavior to increase access to a Cube Data Access Item and then stop evaluating the remaining Cube Data Access Items.

Decrease Access and Continue

Choose this behavior to decrease access to a Cube Data Access Item and then continue evaluating the remaining Cube Data Access Items.

Decrease Access and Stop

Choose this behavior to decrease access to a Cube Data Access Item and then stop evaluating the remaining Cube Data Access Items.

Access Level

No Access

Cannot read or write to the cell.

Read Only

Can read the cell.

All Access

Can read and write to the cell.

These properties work in conjunction with the security that is placed on an Entity. Refer to the Security section under Entity Dimension to get a better understanding of how this works.

Data Cell Conditional Input

Data Cell Conditional Input is not a security setting, i.e., the same setting applies to all users. A good use of Data Cell Conditional Input is when a Dimension Member is intended to be used for input sometimes, but used for a calculation elsewhere. For example, if users want to manually type in F#OpeningBalance in the Budget Scenario, but use a formula in the Actual Scenario, Data Cell Conditional Input could be used to enable write access to the data cell appropriately.

Data Management Access Security

Data Management Access Security helps determine what areas of a Cube can be modified through a Data Management Sequence or step being launched by a user.