cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Member List Business Rule in Data Access Security

Go to solution
adykes
New Contributor III

4 weeks ago

Hi All,

We are implementing some updates to the security model in our application, and we are coming across some unfamiliar territory, so we're looking for some input. We are using OneStream version 7.2.4.

We are trying to prevent the user from seeing data for certain Flow members based on information in the Text1 value of the Flow member. Because we don't want the user to be able to see the data for certain Flow members, we decided to use Data Access Security on the cube, with the idea being that if the user tried to access data they weren't supposed to see, it would return "No Access" in the cell. However, the Text1 values for the Flow members vary based on the scenario and time, so we aren't able to use a simple member expansion formula in the Data Access Member Filter, like F#ParentMember.Base.Where(Text1 Contains 'Valid'). We couldn't get XFBRs to work either, leading us to use a Member List BR. We determined that we can get the Data Access security to call the Member List BR... but only once in a set period of time. We're not sure what that set period of time is, but we've been able to run it once a day. Obviously, this is untenable for a solution since we're not able to test the Member List BR in a reasonable amount of time. Therefore, my questions are as follows: 

1. Is there a way to "trigger" the Data Access security to run, or change how often it's triggered, in order to be able to test the Member List BR?

1a. When does the Data Access security run? I.e. when is it "triggered"?

1b. Why doesn't the Data Access security run every time a user attempts to access data? The obvious answer is server performance but I wasn't sure.

2. Is there another way to go about this that might be easier to develop and test? We acknowledge the possibility that in order to achieve our goal, we may need to update all cube views to include a Member List BR on the Flow dimension that will filter out the invalid Flow members, but we're trying to avoid that until we have no other options.

Thank you in advance for all responses!

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Henning
Valued Contributor
In response to Henning

3 weeks ago

I ran a quick test. Using a memberlist BR works and applies when you first save it. When you then change something in the BR, this is not reflected in the security access right away when you refresh e.g. your cube view. Your observation that this only refreshes every 24 hours is in line with IIS resetting every 24 hours. I restarted IIS myself after a change in the BR and the new security access was then applied in my test cube view.

The answers to your questions are as follows:

1. Yes, when changing the memberlist BR, you need to restart IIS (please note that this might log off active users)

1a. When you press save on the cube, except when you only change something in a BR, as the 'cube save button' does not account for that. For this you need to restart IIS.

1b. Yes, you are correct, the answer is: Performance.

2. Work locally on your laptop or your private cloud and restart IIS as needed. Migrate the final solution to the customers app in the end when testing is no longer required or kept to a minimum.

 

To restart IIS, I use the Internet Information Services (IIS) Manager on my laptop and press restart.

Henning_1-1717510825864.png

SAAS customer can press this button (Recycle App Pool) to restart IIS on a given server under System >> Environment:

Henning_0-1717510805870.png

 

View solution in original post

9 REPLIES 9

Go to solution
Henning
Valued Contributor

3 weeks ago

Hi, may I ask for a rule sample and how you execute this from Data Access Security on the cube? If I have time I could have a look at that.

Thank you for trying to use Data Access Security. Conditional Input Rules in Finance Rules should only be used if not to be avoided otherwise as those impact performance more than the solution you are working on.

0 Kudos

Go to solution
Henning
Valued Contributor
In response to Henning

3 weeks ago

I ran a quick test. Using a memberlist BR works and applies when you first save it. When you then change something in the BR, this is not reflected in the security access right away when you refresh e.g. your cube view. Your observation that this only refreshes every 24 hours is in line with IIS resetting every 24 hours. I restarted IIS myself after a change in the BR and the new security access was then applied in my test cube view.

The answers to your questions are as follows:

1. Yes, when changing the memberlist BR, you need to restart IIS (please note that this might log off active users)

1a. When you press save on the cube, except when you only change something in a BR, as the 'cube save button' does not account for that. For this you need to restart IIS.

1b. Yes, you are correct, the answer is: Performance.

2. Work locally on your laptop or your private cloud and restart IIS as needed. Migrate the final solution to the customers app in the end when testing is no longer required or kept to a minimum.

 

To restart IIS, I use the Internet Information Services (IIS) Manager on my laptop and press restart.

Henning_1-1717510825864.png

SAAS customer can press this button (Recycle App Pool) to restart IIS on a given server under System >> Environment:

Henning_0-1717510805870.png

 

Go to solution
adykes
New Contributor III
In response to Henning

Tuesday

Thank you very much! The information you provided here is in line with what we're seeing - other than the fact that we can't get the IIS reset to actually refresh the data access security. I just made another forum post with some additional information: https://community.onestreamsoftware.com/t5/Application-Build/Data-Access-Security-amp-App-Server-Iss...

 

Go to solution
FredLucas
Contributor II

3 weeks ago

Hi @adykes,

I don't think the current Data Cell Security functionality was designed to allow for a dynamic set up hence it does not accept the use of XFBR rules etc.
I believe it currently refreshes on save of the Data Cell Access Security config.

Thanks,

Fred

 

Go to solution
adykes
New Contributor III
In response to FredLucas

Tuesday

Hey Fred, we actually got it working with a MemberList BR, but not an XFBR. I'm not sure why!

0 Kudos

Go to solution
FredLucas
Contributor II
In response to adykes

yesterday

Hi @adykes, when you say that you got it working with a MemberList BR I'm assuming you got it to work for the initial set up but it does not automatically refresh if, for example, your flow members get updated right?

If I remember correctly the security will only update (re-run the MemberList BR) when you reset IIS or re-save the Data Cell Access Security set up. This means that we can't set it up in a dynamic way.

However, if all your set up is meant to be static and the use of the memberlist is only to ease the set up then you should be ok with that approach. In this case, bear in mind that in case of potential changes that could cause the memberlist BR to return a different list that's likely to only be taken into account the following day post the overnight IIS refresh.

0 Kudos

Go to solution
aformenti
Contributor II

3 weeks ago

Hi @adykes,

Are you sure the member expansion F#ParentMember.Base.Where(Text1 Contains 'Valid') wouldn't work with varying properties by Scenario and Time? I would expect the filter giving you the right results based on your Scenario and Time Data Unit POV.

 

 

 

Go to solution
adykes
New Contributor III
In response to aformenti

Tuesday

Hey! Thanks so much for your response. When you say Data Unit POV, are you referring to the Workflow POV?

0 Kudos

Go to solution
aformenti
Contributor II
In response to adykes

yesterday

Hi @adykes  - No, I am referring to the Data Unit POV of your Data Access Query : Scenario/Entity/Time of the cells you are testing through the Data Access rule. 

0 Kudos
Please sign in! adykes
Community Resources
Training and Documentation
Additional Resources