kmd
Contributor II
23 hours ago

Security: Question - Control access to a Scenario

Hi all,
I'm hoping someone can see what I'm doing wrong here.
First a question:
Is Scenario access cube specific? Let's say I have 4 cubes. Currently all 4 cubes give a user access to all Scenarios. If I restrict access to a specific scenario for that user in one cube, does that restriction apply across all cubes? I would assume No - am I wrong?

I've been trying to set up restricted scenario access for a group of users in a certain cube. I don't want to touch overall security for the Scenario because there are multiple regions that need access. I've tried to set this up via Slice security (Data Access directly on the Cube) by using a Where clause in the Scenario definition for every group identified in the Data Access (i.e. Planning.Base.Where(Name DoesNotContain X)). This doesn't appear to be working.
The user themself has access to multiple cubes, and there is no restriction to that scenario in those other cubes.

So is it all or nothing? Do I have to go into the slice security for EVERY cube and restrict access to that scenario in order for this to work? I can't think of another way to resolve this, but modifying the Scenario access for every Data Access group in every cube will be a lot of work.

Hopefully my question makes sense and thanks in advance for any guidance here.

 

2 Replies

  • kmd
    Contributor II

    I believe I've figured it out.  It would appear that it's not enough to specify just the Scenario in the Data Access dialog boxes.  When I include all accounts as well, the security restriction works.

    But if anyone out there would like to contribute additional ideas, I'd love to hear them.  Thanks

  • T_Kress
    Valued Contributor

    There are a lot of questions in here.  

    First, if all your cubes are sharing the same scenario dimension, then it is true that any security groups you put here on any scenario:

    Are not cube specific.  The security groups above apply to all cubes in which those scenarios are used.

    Are you saying that you have for example S#Actuals which has a security group of "003_SCN_ACTUAL_READ" by example, and in CB#Cube1:S#Actuals certain people can read actuals but in CB#Cube2:S#Actuals, those same people should not be able to read actuals?

    One option is to control security at the cube level.  For example, either grant or deny cube access here:

    But if those people need access to both cubes, and should just not have read to Actuals in one cube but should have it in another cube, then this will not work.

    Then your next option is slice security.  Slice is specific to the entity dimension and cubes.  If your two cubes do not share the same entity dimension, then you can turn on slice for the cube in which you want to restrict people from reading Actuals by setting all entities in that cube to True here:

    And then set up slices on that cube to restrict people's read access to Actuals.

    If they share the same entity dimension, you would still set the above to True, but then only set up slices on the cube to which you are trying to restrict.

    I hope that helps, hard to explain all the layers to security in a single post!