Data Cell Access Security - we don´t get it
Hello,
we need to setup Data Cell Access Security based on our UD1 structure. UD1 defines our Business Unit structure and we need so setup security security on this. I spent days on this but I don´...
Forum Discussion
Hi Martin,
I am not sure I follow the request in its fullest. Maybe an Excel mock-up would help me understand. I understand this as a matrix setup where the main issue is that users need to see all data in a given entity in the entity dimension and other user see only their division (UD1) across all entities.
The way I have seen this being set up is by first put a No Access step for all users in place on cube security and then grant users access to the individual entities and UD1 divisions piece by piece as needed.
Keep in mind to use the "And Stop" option when appropriate so that the system does not unnecessarily continue to check. E.g.
Hi Henning,
thanks for you quick reply. Please find a screenshot of our UD1 structure below. Each base Element represents some kind of a business unit which contains at least one entity. Going up the tree there are parent business units, the 4 divisions and on top "group" which represents the holding company.
So there are users which need to be restricted to one or more base elements, other users which need to be restricted to a parent business units, others to a division and some to the group. And for each level, all levels below need to be within the access as well.
Regards
Martin
Something to remember is that if the users who need to be able to see the business units want to see all entities, they will need read access to those entities (on the entity security settings).
In effect, the data access security on the cube cannot give users more access than their entity security does. So if a user needs to see a single business unit across the entire company, you would need to:
- Give them Read access to all entities (on entity settings)
- As Henning notes, the first item on the Cube Data Access would effectively then remove this access.
- Then you gradually add this access back as appropriate
I hope that makes sense
Hi Martin, I think if you use the way I described (1) take away all access for entity and UD1 and then (2) step by step give back access to users might be what you need. You can test it with a single test user for a single entity-UD1 combination and then expand it from there.
Apologies, I do not have time at the moment to post screenshots and really detailed instructions.
(Just to add this for sake of completeness: If you open a support case with OneStream, the Remote Consulting team should be able to assist you with that or build it for you. However, that service is not for free.)
