OneStream Community

Thanks @JackLacava .  To put a little more structure around this, the requirement is to lock a scenario (using a button) for a period of time, then set it back to its original access with another button.

Use Case:
An all day meeting with the CFO commences to discuss and refine a forecast.  During this meeting the scenario needs to be locked down to prevent a potential moving target, changing values.  When the meeting is over the scenario is opened back up and FAs are given tasks to update the forecast.
The admin wants a simple set of on/off buttons to accomplish the locking/unlocking of the scenario.

Would locking/unlocking the workflow not be a valid approach for this?

I dont think so, we aren't trying to lock a scenario down. We are basically trying to change the write group on a scenario so certain users can't make any changes for a certain amount of time and then change it back after. I've tried using code to update the read and write group but id doesn't seem to update in OS, only on the backend.

Security changes will typically need a refresh of some sort - app refresh, page refresh, logout/login,  etc - before they are reflected consistently in every corner of the UI. Beyond that, it should all work; if there is some other problem with the API mentioned, maybe it should be reported to Support.

Only seems to update on backend and would need an IIS reset for it to be changed in OS which isn't ideal

I haven't done this myself, but hypothetically you could set up an exclusion group for your Scenario's Read & Write data group. Then you may be able to write an XFBR that toggles the Allow Access flag on the SecExclGroupChild database table.

Thanks @CJ  We did try several different approaches with changing things in the database. 
Here's the rub:  Those changes don't become effective until the application server on which all applications are running is restarted.  wut?

Our mystery here is locking and unlocking a scenario for a planning or strategic plan application should be a fairly ordinary task programmatically.   We're unable to find this magic. 

I'm assuming the difficulty in programmatically altering access to an application's elements via a BR is made difficult on purpose.  However, I think simply locking and unlocking a scenario should be procedural.

I get you, I was hoping because exclusion groups are on the System side and not inside the Application it wouldn't require the restart.

If your admin is comfortable/able to access security groups rather than doing it through a dashboard button, exclusion groups could be the simplest solution. I know they are underutilized in OS so I set up a sample one below. In this example your admin would be toggling the Base_User's Allow/Deny Access dropdown.

Interesting, do you know if its possible to update the deny/allow access in a BR? So instead of updating the security group on the scenario, use this exclusion group but have them both set to allow access. Then when the meeting starts, hit a button and it updates one group to deny access and then change it back after meeting is over.

That's not something I have done, but it doesn't feel too farfetched. The SecExclGroupChild database table has a flag for Allow Access. So maybe there is a way to modify that value without having to restart everything. 

I actually got something similar to work last night! This is great tho, thanks for sharing!