07-11-2022 01:47 PM
Description of Problem
Any individual who is placed in the native “Administrators” group will have full system access to the tables and data that will reside in People Planning. If you do not want your native OneStream Administrator or certain individuals to see salary, compensation or employee data in the People Planning Register solution there are a few options to control.
Options / Solutions / Comments
There has to be at least one overall “Administrator” who can do “everything” inside of OneStream. That is unavoidable.
One option you may have is to striate individuals into sub-admin groups other than the native “Administrators” group. In this way you could grant those individuals access to ‘everything’ except the Database page on the System tab itself. This could perhaps be achieved through exclusion groups too. However, this only eliminates access to seeing all tables from the system tab. If that same person has write access to application dashboards they can write a SQL data adaptor and query this table information. So you are right in that if a SQL can be written to that table and presented on a dashboard, there is no security around displaying those rows in a dashboard.
Another option is to not use names/titles in your PLP register. Use a unique identifier for this data so confidentiality is maintained.
If that is not an option, another options include segregating the PLP data into it’s own HR app. Only grant people access to that app that can see salary data. You will still need one overall “Administrator” but you can greatly limit those who can get in to this app. You will still need sub-admin groups other than the default native “Administrators” group and/or use exclusion groups to limit access to this secondary app.
Those are described in this One Community post here:
People planning security - OneStream Community (onestreamsoftware.com)
Possibly, there may be some potential to use an XFBR or custom cube BR that checks a users security group(s) and if not a part of specific security group(s), not present certain dashboard info. But this would need to be vetted and tested as we have not used that as an option for this specific problem. I have example XFBRs that pull a users security group and only presents certain info in parameter boxes on dashboards that may be a starting point for tackling this issue. But again, native Administrators can ‘see it all’ so this would not prevent them from getting to the data, which I think is your primary question.
Lastly, if they are an on-prem customer, there may be a way for their database admin in IT (a DBA) to restrict access to specific OneStream tables on the back-end. But this would have to be vetted with their IT and only applies to on-prem customer, not Cloud customers.
07-12-2022 05:03 AM
There is another technology option to use Dynamic Data Masking (DDM) to limit exposure of sensitive data. DDM can be implemented as a schema change on the underlying database tables and simple changes in queries to display the result sets and supported in the latest versions of SQL Server and all instances of Azure SQL Databases.
Privileged users (Admins etc) who has access to query the database tables directly can still obtain sensitive information but this could be mitigated using robust audit features to monitor the database activity.
Has OneStream already looked into this DDM features?
07-15-2022 02:25 PM
I am not aware of this solution. This sounds like this would work for customers who manage their own database environment, but I am not sure how this would work for customers hosted in the OS Cloud since it requires underlying database schema changes. I am not familiar with the underlying technology nor how that would work for Cloud customers.
07-16-2022 04:58 AM
The PLP solution is packaged and the database tables are created when installed. This is when the table schemas for DDM can be created. Customers cloud or on prem will never touch the table design. The queries to display the register data will be inside the dashboard data adapters. So DDM can be easily applied. I suggest to talk to your tech people and they would know of the possibilities.