Data Cell Access Security - we don't get it

Martin_Gebhartl
New Contributor III

Hello,

We need to set up Data Cell Access Security based on our UD1 structure. UD1 defines our Business Unit structure and we need to set up security on this. I spent days on this but I don't get it to work the way we need it.

We have consolidation users on different levels in the UD1 hierarchy:

So some users are on top (group level - they need access to all data),

some on divisional level (they should see all data within their division, so divisional level and all business units below), but they need to be restricted to their own division and are not allowed to see data of another division or business units which are not part of their division,

some on business unit level (they need to see all data within their business unit but not from other business units),

and finally entity users: they should only have access to data on their entity/entities.

How can I set this up so that it's convenient to maintain and all security needs get met?

 

Regards Martin


Henning
Valued Contributor

Hi Martin, 

I am not sure I follow the request in its fullest. Maybe an Excel mock-up would help me understand. I understand this as a matrix setup where the main issue is that users need to see all data in a given entity in the entity dimension and other users see only their division (UD1) across all entities.

The way I have seen this being set up is by first putting a No Access step for all users in place on cube security and then granting users access to the individual entities and UD1 divisions piece by piece as needed.

Keep in mind to use the "And Stop" option when appropriate so that the system does not unnecessarily continue to check. E.g.

Henning_0-1722433238773.png

 

Hi Henning,

Thanks for your quick reply. Please find a screenshot of our UD1 structure below. Each base element represents some kind of a business unit which contains at least one entity. Going up the tree there are parent business units, the 4 divisions and on top "group", which represents the holding company.

So there are users which need to be restricted to one or more base elements, other users which need to be restricted to a parent business unit, others to a division and some to the group. And for each level, all levels below need to be within the access as well.

Regards

Martin

Martin_Gebhartl_0-1722435294437.png

 

Hi Martin, I think the way I described, (1) take away all access for entity and UD1 and then (2) step by step give back access to users, might be what you need. You can test it with a single test user for a single entity-UD1 combination and then expand it from there.

Apologies, I do not have time at the moment to post screenshots and really detailed instructions.

(Just to add this for the sake of completeness: If you open a support case with OneStream, the Remote Consulting team should be able to assist you with that or build it for you. However, that service is not for free.)

Something to remember is that if the users who need to be able to see the business units want to see all entities, they will need read access to those entities (on the entity security settings).

In effect, the data access security on the cube cannot give users more access than their entity security does. So if a user needs to see a single business unit across the entire company, you would need to:

  1. Give them Read access to all entities (on entity settings)
  2. As Henning notes, the first item on the Cube Data Access would effectively then remove this access.
  3. Then you gradually add this access back as appropriate

I hope that makes sense.
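To test the approach described in this thread one user and one entity-UD1 combination at a time, it helps to write down the expected result first. The following is an added example, not part of any post and not OneStream configuration or API: a small planning model that starts from no access, grants back a UD1 node with everything below it, and caps the result by entity read access. The hierarchy, entity names and users are constructed placeholders.

```python
# Planning model only: member names, entities and users are constructed samples.
UD1_PARENT = {
    "Group": None,
    "Div_A": "Group", "Div_B": "Group",
    "BU_A1": "Div_A", "BU_A2": "Div_A", "BU_B1": "Div_B",
}
ENTITIES = ["E100", "E110", "E200", "E300"]
# Base members are UD1 members that are nobody's parent.
BASE_UD1 = [m for m in UD1_PARENT if m not in UD1_PARENT.values()]

# "ud1": nodes granted back after the initial No Access step.
# "entities": entities the user can read per entity security.
USERS = {
    "group_user":  {"ud1": ["Group"], "entities": set(ENTITIES)},
    "div_a_user":  {"ud1": ["Div_A"], "entities": set(ENTITIES)},
    "bu_a1_user":  {"ud1": ["BU_A1"], "entities": set(ENTITIES)},
    "entity_user": {"ud1": ["BU_A1"], "entities": {"E100"}},
}

def at_or_below(member, anchor):
    """True if member is the anchor node or sits anywhere beneath it."""
    while member is not None:
        if member == anchor:
            return True
        member = UD1_PARENT[member]
    return False

def can_read(user, entity, ud1):
    """Expected read access for one entity/UD1 data cell."""
    profile = USERS[user]
    # Entity security is the ceiling: cube data access cannot exceed it.
    if entity not in profile["entities"]:
        return False
    # Default is no access; a matching grant adds it back and evaluation stops.
    for anchor in profile["ud1"]:
        if at_or_below(ud1, anchor):
            return True
    return False

def expected_matrix(user):
    """All entity/base-UD1 cells the user is expected to read."""
    return [(e, u) for e in ENTITIES for u in BASE_UD1 if can_read(user, e, u)]

if __name__ == "__main__":
    for name in USERS:
        print(name, expected_matrix(name))
```

Compare the printed cells with what each test user actually sees; any cell that is visible but not listed indicates a grant that is too broad.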