Security Configurations

Restrict Users to an Application

Access to an application is set up within the application security roles. When an application is first created, the OpenApplication role defaults to Everyone. If specific people can log in to OneStream but only need access to specific applications, security groups can be assigned to the OpenApplication role. Once the security group is created, users can be assigned to it. Perform the following steps:

  1. Go to System > Administration > Security.

  2. Create a new security group.

  3. Assign all users who should have access to the application to the new security group.

  4. Refresh the application so that the new security group appears in all drop-down menus.

  5. Go to Application > Tools > Security Roles > OpenApplication.

  6. Click the drop-down and select the new security group.

  7. Click Save.

Restrict Data Input by Origin

There may be times when data should be loaded through the Import origin but should not be loaded using the Forms origin. This can be handled in the data cell conditional input. For example, some users may load Trial Balance data through the Import origin, while other users submit statistical data through the Forms origin. The data cell conditional input ensures the statistical data does not overwrite the Trial Balance data in Actual. Perform the following steps to do this:

  1. Go to Application > Cube > Cubes > Data Access.

  2. Go to Data Cell Conditional Input.

  3. Click to create a new line.

  4. Click , or double-click the cell, to make changes to the member filter. Add the dimension intersection for which data loading should be restricted. In this case, it restricts users from loading to the Trial Balance account through the Forms origin.

  5. In the In Filter field, choose a behavior and choose the Read Only Access level. 

Omitting Data Cell Conditional Input by Scenario

Data cell conditional input restricts access to certain intersections or slices of the cube. This behavior might not be desired for all scenarios, time periods or other elements, so the method below is a simple way to omit these rules for specific elements. It is useful when there are many data cell conditional input rules that were not defined by scenario at the time of creation. After these rules are created, however, a scenario becomes a factor for historical data.

For example, there may be many read-only intersections in Actual to which users should not load data. These rules are set up in the data cell conditional input section within Application > Cube > Cubes > Data Access. However, for historical purposes, there may be data in these intersections that was there before the filters were applied. The scenario to which the data is being copied needs to allow access because the historical data in these intersections may need to be copied for analysis.

Create a new data cell conditional input rule for the entire scenario, set the behavior to Increase Access And Stop, and set the Access Level to Read Only.

Position this new rule at the top of the Data Cell Conditional Input for the scenario.

The behavior option Increase Access And Stop is used because, if the current cell matches the filter, access is increased and all subsequent data access rules below it are ignored. In this case, the Preserve scenario has access to everything, and the subsequent Data Cell Conditional Input rules are ignored, that is, not applied for Preserve.
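
Why the position of the scenario rule matters, as an added example that is not OneStream code and not part of the original page: a simplified Python model of top-to-bottom rule evaluation. The dictionary-style filters, the starting access of All Access, and the `Decrease Access And Continue` behavior on the restriction rule are assumptions made for illustration.

```python
from enum import IntEnum

class Access(IntEnum):
    NO_ACCESS = 0
    READ_ONLY = 1
    ALL_ACCESS = 2

# A rule is (member filter, behavior, access level). The filter is modelled as
# a dict of dimension -> member; a dimension left out matches every member,
# like a rule that was created without naming a scenario.
# Assumption: the restriction rule uses "Decrease Access And Continue"
# (the page only says "choose a behavior").
RESTRICT_TB_FORMS = ({"account": "TrialBalance", "origin": "Forms"},
                     "Decrease Access And Continue", Access.READ_ONLY)
OPEN_PRESERVE = ({"scenario": "Preserve"},
                 "Increase Access And Stop", Access.READ_ONLY)

def matches(member_filter, cell):
    """True when every dimension named in the filter equals the cell's member."""
    return all(cell.get(dim) == member for dim, member in member_filter.items())

def effective_access(rules, cell, start=Access.ALL_ACCESS):
    """Walk the rules top to bottom; return (access, behaviors that were applied).

    Assumption: `start` is the access the user holds before conditional input.
    """
    access, applied = start, []
    for member_filter, behavior, level in rules:
        if not matches(member_filter, cell):
            continue
        direction, _, flow = behavior.partition(" Access And ")
        if direction == "Increase":
            access = max(access, level)   # never lowers existing access
        elif direction == "Decrease":
            access = min(access, level)   # never raises existing access
        else:
            raise ValueError(f"behavior not modelled: {behavior}")
        applied.append(behavior)
        if flow == "Stop":                # rules below this one are ignored
            break
    return access, applied

# Constructed sample cells: the same intersection in two scenarios.
PRESERVE_CELL = {"scenario": "Preserve", "account": "TrialBalance", "origin": "Forms"}
ACTUAL_CELL = {"scenario": "Actual", "account": "TrialBalance", "origin": "Forms"}

if __name__ == "__main__":
    for order in ([OPEN_PRESERVE, RESTRICT_TB_FORMS], [RESTRICT_TB_FORMS, OPEN_PRESERVE]):
        print(effective_access(order, PRESERVE_CELL), effective_access(order, ACTUAL_CELL))
```

With the Preserve rule first, evaluation stops before the restriction rule is reached; with the order reversed, the restriction has already lowered access and an increase to Read Only cannot restore it.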