Data Cell Access Security - we don´t get it

Question

Hello,
we need to setup Data Cell Access Security based on our UD1 structure. UD1 defines our Business Unit structure and we need so setup security security on this. I spent days on this but I don´t get it to work the way we need it.
We have consolidation users on different levels in the UD1 hierarchy:
So some users are on to (group level - they need access on all data)
some on divisional level (they should see all data within their division, so divisional level and all business units below) but the need to be restricted to their own division and are not allowed to see data of another dvision or business units which are not part of their division.&nbsp;&nbsp;
some on business unit level (they need so see all data within their business unit but not from other business units)
and finally entity users: the only should have access to data on their entity/entities.
How can I setup this so that it´sconvenient to maintain and all security need get met?
&nbsp;
Regards Martin

KarlT · Answer

Something to remember is that if the users who need to be able to see the business units want to see all entities, they will need read access to those entities (on the entity security settings).
In effect, the data access security on the cube cannot give users&nbsp;more access than their entity security does. So if a user needs to see a single business unit across the entire company, you would need to:

Give them Read access to&nbsp;all entities (on entity settings)
As Henning notes, the first item on the Cube Data Access would effectively then remove this access.
Then you gradually add this access back as appropriate

I hope that makes sense

Henning · Answer

Hi Martin,&nbsp;
I am not sure I follow the request in its fullest. Maybe an Excel mock-up would help me understand. I understand this as a matrix setup where the main issue is that users need to see all data in a given entity in the entity dimension and other user see only their division (UD1) across all entities.
The way I have seen this being set up is by first put a No Access step for all users in place on cube security and then grant users access to the individual entities and UD1 divisions piece by piece as needed.
Keep in mind to use the "And Stop" option when appropriate so that the system does not unnecessarily continue to check. E.g.

&nbsp;

Martin_Gebhartl · Answer

Hi Henning,
thanks for you quick reply. Please find a screenshot of our UD1 structure below. Each base Element represents some kind of a business unit which contains at least one entity. Going up the tree there are parent business units, the 4 divisions and on top "group" which represents the holding company.&nbsp;
So there are users which need to be restricted to one or more base elements, other users which need to be restricted to a parent business units, others to a division and some to the group. And for each level, all levels below need to be within the access as well.
Regards
Martin

&nbsp;

Henning · Answer

Hi Martin, I think if you use the way I described (1) take away all access for entity and UD1 and then (2) step by step give back access to users might be what you need. You can test it with a single test user for a single entity-UD1 combination and then expand it from there.
Apologies, I do not have time at the moment to post screenshots and really detailed instructions.
(Just to add this for sake of completeness: If you open a support case with OneStream, the Remote Consulting team should be able to assist you with that or build it for you. However, that service is not for free.)

Forum Discussion

Data Cell Access Security - we don´t get it

Related Content

Member List Business Rule in Data Access Security

Data Cell Access Security (Slice Security) Not Working With Multiple UD Dimensions

Data cell Access security not working

Security

How to restrict write access to PLP register using Data cell access security.