Application Security Role update with Business Rules

mvalerio24
New Contributor III

Is it possible to update the Application Security roles with in an extender Business rule? I want to be able to update the Modifydata role with the push of a button.

1 ACCEPTED SOLUTION

photon
New Contributor III

I've been able to update security groups without an IIS reset using a BR, here are the relevant pieces:

Dim objMember As WritableMember = BRApi.Finance.Members.ReadWritableMemberNoCache(si, DimType.Entity.Id, memberName)

objMember.ReadDataGroupUniqueID = BRApi.Security.Admin.GetGroup(si,groupName).Group.UniqueID

BRApi.Finance.MemberAdmin.SaveMemberInfo(si, True, objMember, False, properties, False , descriptions, TriStateBool.FalseValue)

 We've had this running on a nightly schedule to keep our descriptions up to date with MDM but it could be hooked to a button press just the same. I don't know how it compares to Jack's method and his certainly looks simpler but maybe it will be of some use.

View solution in original post

13 REPLIES 13

JackLacava
Community Manager
Community Manager

It's OneStream, of course it's possible 😎

Check out BRApi.Security.Admin.GetRole and .SaveRole.

Thanks @JackLacava .  To put a little more structure around this, the requirement is to lock a scenario (using a button) for a period of time, then set it back to its original access with another button.

Use Case:
An all day meeting with the CFO commences to discuss and refine a forecast.  During this meeting the scenario needs to be locked down to prevent a potential moving target, changing values.  When the meeting is over the scenario is opened back up and FAs are given tasks to update the forecast.
The admin wants a simple set of on/off buttons to accomplish the locking/unlocking of the scenario.

Software Architect
MindStream Analytics
"Difficult done right away. Impossible takes a bit longer"

Would locking/unlocking the workflow not be a valid approach for this?

mvalerio24
New Contributor III

I dont think so, we aren't trying to lock a scenario down. We are basically trying to change the write group on a scenario so certain users can't make any changes for a certain amount of time and then change it back after. I've tried using code to update the read and write group but id doesn't seem to update in OS, only on the backend.

Security changes will typically need a refresh of some sort - app refresh, page refresh, logout/login,  etc - before they are reflected consistently in every corner of the UI. Beyond that, it should all work; if there is some other problem with the API mentioned, maybe it should be reported to Support.

Only seems to update on backend and would need an IIS reset for it to be changed in OS which isn't ideal

cjohnson
New Contributor III

I haven't done this myself, but hypothetically you could set up an exclusion group for your Scenario's Read & Write data group. Then you may be able to write an XFBR that toggles the Allow Access flag on the SecExclGroupChild database table.

Thanks @CJ  We did try several different approaches with changing things in the database. 
Here's the rub:  Those changes don't become effective until the application server on which all applications are running is restarted.  wut?

Our mystery here is locking and unlocking a scenario for a planning or strategic plan application should be a fairly ordinary task programmatically.   We're unable to find this magic. 

I'm assuming the difficulty in programmatically altering access to an application's elements via a BR is made difficult on purpose.  However, I think simply locking and unlocking a scenario should be procedural.

Software Architect
MindStream Analytics
"Difficult done right away. Impossible takes a bit longer"

I get you, I was hoping because exclusion groups are on the System side and not inside the Application it wouldn't require the restart.

If your admin is comfortable/able to access security groups rather than doing it through a dashboard button, exclusion groups could be the simplest solution. I know they are underutilized in OS so I set up a sample one below. In this example your admin would be toggling the Base_User's Allow/Deny Access dropdown.

cjohnson_0-1690819613480.png

 

mvalerio24
New Contributor III

Interesting, do you know if its possible to update the deny/allow access in a BR? So instead of updating the security group on the scenario, use this exclusion group but have them both set to allow access. Then when the meeting starts, hit a button and it updates one group to deny access and then change it back after meeting is over.

cjohnson
New Contributor III

That's not something I have done, but it doesn't feel too farfetched. The SecExclGroupChild database table has a flag for Allow Access. So maybe there is a way to modify that value without having to restart everything. 

photon
New Contributor III

I've been able to update security groups without an IIS reset using a BR, here are the relevant pieces:

Dim objMember As WritableMember = BRApi.Finance.Members.ReadWritableMemberNoCache(si, DimType.Entity.Id, memberName)

objMember.ReadDataGroupUniqueID = BRApi.Security.Admin.GetGroup(si,groupName).Group.UniqueID

BRApi.Finance.MemberAdmin.SaveMemberInfo(si, True, objMember, False, properties, False , descriptions, TriStateBool.FalseValue)

 We've had this running on a nightly schedule to keep our descriptions up to date with MDM but it could be hooked to a button press just the same. I don't know how it compares to Jack's method and his certainly looks simpler but maybe it will be of some use.

mvalerio24
New Contributor III

I actually got something similar to work last night! This is great tho, thanks for sharing!