Member List Business Rule in Data Access Security

Hi All,

We are implementing some updates to the security model in our application, and we are coming across some unfamiliar territory, so we're looking for some input. We are using OneStream version 7.2.4.

We are trying to prevent the user from seeing data for certain Flow members based on information in the Text1 value of the Flow member. Because we don't want the user to be able to see the data for certain Flow members, we decided to use Data Access Security on the cube, with the idea being that if the user tried to access data they weren't supposed to see, it would return "No Access" in the cell. However, the Text1 values for the Flow members vary based on the scenario and time, so we aren't able to use a simple member expansion formula in the Data Access Member Filter, like F#ParentMember.Base.Where(Text1 Contains 'Valid'). We couldn't get XFBRs to work either, leading us to use a Member List BR. We determined that we can get the Data Access security to call the Member List BR... but only once in a set period of time. We're not sure what that set period of time is, but we've been able to run it once a day. Obviously, this is untenable for a solution since we're not able to test the Member List BR in a reasonable amount of time. Therefore, my questions are as follows:

1. Is there a way to "trigger" the Data Access security to run, or change how often it's triggered, in order to be able to test the Member List BR?

1a. When does the Data Access security run? I.e. when is it "triggered"?

1b. Why doesn't the Data Access security run every time a user attempts to access data? The obvious answer is server performance but I wasn't sure.

2. Is there another way to go about this that might be easier to develop and test? We acknowledge the possibility that in order to achieve our goal, we may need to update all cube views to include a Member List BR on the Flow dimension that will filter out the invalid Flow members, but we're trying to avoid that until we have no other options.

Thank you in advance for all responses!

Cubes

Metadata

Security

Henning
7 months ago
I ran a quick test. Using a memberlist BR works and applies when you first save it. When you then change something in the BR, this is not reflected in the security access right away when you refresh e.g. your cube view. Your observation that this only refreshes every 24 hours is in line with IIS resetting every 24 hours. I restarted IIS myself after a change in the BR and the new security access was then applied in my test cube view.

The answers to your questions are as follows:

1. Yes, when changing the memberlist BR, you need to restart IIS (please note that this might log off active users)

1a. When you press save on the cube, except when you only change something in a BR, as the 'cube save button' does not account for that. For this you need to restart IIS.

1b. Yes, you are correct, the answer is: Performance.

2. Work locally on your laptop or your private cloud and restart IIS as needed. Migrate the final solution to the customers app in the end when testing is no longer required or kept to a minimum.

To restart IIS, I use the Internet Information Services (IIS) Manager on my laptop and press restart.

SAAS customer can press this button (Recycle App Pool) to restart IIS on a given server under System >> Environment:

FredLucas
Contributor III
7 months ago
Hi adykes,

I don't think the current Data Cell Security functionality was designed to allow for a dynamic set up hence it does not accept the use of XFBR rules etc.
I believe it currently refreshes on save of the Data Cell Access Security config.

Thanks,

Fred
- adykes
  New Contributor III
  7 months ago
  Hey Fred, we actually got it working with a MemberList BR, but not an XFBR. I'm not sure why!
  - FredLucas
    Contributor III
    7 months ago
    Hi adykes, when you say that you got it working with a MemberList BR I'm assuming you got it to work for the initial set up but it does not automatically refresh if, for example, your flow members get updated right?
    
    If I remember correctly the security will only update (re-run the MemberList BR) when you reset IIS or re-save the Data Cell Access Security set up. This means that we can't set it up in a dynamic way.
    
    However, if all your set up is meant to be static and the use of the memberlist is only to ease the set up then you should be ok with that approach. In this case, bear in mind that in case of potential changes that could cause the memberlist BR to return a different list that's likely to only be taken into account the following day post the overnight IIS refresh.
aformenti
Contributor II
7 months ago
Hi adykes,

Are you sure the member expansion F#ParentMember.Base.Where(Text1 Contains 'Valid') wouldn't work with varying properties by Scenario and Time? I would expect the filter giving you the right results based on your Scenario and Time Data Unit POV.
- adykes
  New Contributor III
  7 months ago
  Hey! Thanks so much for your response. When you say Data Unit POV, are you referring to the Workflow POV?
  - aformenti
    Contributor II
    7 months ago
    Hi adykes - No, I am referring to the Data Unit POV of your Data Access Query : Scenario/Entity/Time of the cells you are testing through the Data Access rule.
Henning
Valued Contributor II
7 months ago
Hi, may I ask for a rule sample and how you execute this from Data Access Security on the cube? If I have time I could have a look at that.

Thank you for trying to use Data Access Security. Conditional Input Rules in Finance Rules should only be used if not to be avoided otherwise as those impact performance more than the solution you are working on.
- Henning
  Valued Contributor II
  7 months ago
  I ran a quick test. Using a memberlist BR works and applies when you first save it. When you then change something in the BR, this is not reflected in the security access right away when you refresh e.g. your cube view. Your observation that this only refreshes every 24 hours is in line with IIS resetting every 24 hours. I restarted IIS myself after a change in the BR and the new security access was then applied in my test cube view.
  
  The answers to your questions are as follows:
  
  1. Yes, when changing the memberlist BR, you need to restart IIS (please note that this might log off active users)
  
  1a. When you press save on the cube, except when you only change something in a BR, as the 'cube save button' does not account for that. For this you need to restart IIS.
  
  1b. Yes, you are correct, the answer is: Performance.
  
  2. Work locally on your laptop or your private cloud and restart IIS as needed. Migrate the final solution to the customers app in the end when testing is no longer required or kept to a minimum.
  
  To restart IIS, I use the Internet Information Services (IIS) Manager on my laptop and press restart.
  
  SAAS customer can press this button (Recycle App Pool) to restart IIS on a given server under System >> Environment:
  - adykes
    New Contributor III
    7 months ago
    Thank you very much! The information you provided here is in line with what we're seeing - other than the fact that we can't get the IIS reset to actually refresh the data access security. I just made another forum post with some additional information: https://community.onestreamsoftware.com/t5/Application-Build/Data-Access-Security-amp-App-Server-Issues/td-p/35931

Forum Discussion

Member List Business Rule in Data Access Security

Related Content

Security Group Update with Business Rule

Application Security Role update with Business Rules

Security

How to derive Member ID from a Member Name in a Business Rule?

Updating Scenario Security in a Business Rule