Security Models

ZachK
New Contributor II

SOURCE: ONESTREAM CHAMPIONS

Hi Everyone,

Curious to hear others’ experience in the area of Security. At BDO, we currently have:

  1. 5k users configured, of which 4.5k are enabled. 3.6k are in our “basic” level security group, which we have automation to create and assign users to this group when they meet certain criteria. We have seen in our first year live about 50% of our enabled users utilizing our Production App at some point during the year.
  2. Primarily focus on Data Level Access (Cube Slice Security) to control access, which 1 of our 3 cubes has 137 slices configured in it, which is the most granular of our 3 cubes.
  3. For groups we are currently at 312, of which 150 have users directly assigned and the others are for nesting shared access across groups.
  4. For security, we do very little control by Entity or Workflows since most access to data is controlled in Cube Slices based on our U2 (Location) and U3 (Department), and outside of our automated loads, few users load data via workflows.

Would like to hear other’s experience! How many users and groups do you have? Is your security model granular or more open and simple? Do you use any automation to manage your model? Anything unique about your model and processes for security?

Thanks,
Zach

8 REPLIES 8

kyagla
New Contributor

Hi Zach,
The security model at JELD-WEN is much different than BDO. It is driven by entity and workflow; with no cube slice security. We have a couple hundred users and 400 groups. During implementation, we chose to keep it open and simple. Nearly three years in and I am thrilled that it’s served us well. No major updates have been needed; on occasion a bit of maintenance is required for the groups. We maintain security manually. With solid naming conventions and nested groups, it’s relatively easy to add new users to the system by making them members of just a couple of groups.

Regards,
Kimberly

Hi all,
We have about 140 users and 114 groups, many of which are nested depending on the access type. We use slice security with data access groups between entity and UD2 product segment. We also defined security groups around:
-Cubes
-Dashboard groups: Acct recs, RequestIt/ACM, copy/clear dashboards, export dashboards, etc.
-Scenarios
-Various roles: Mostly based on the Security Roles page for example, data management access to the file explorer structure, manage cube views, manage fx rates, manage data management groups, task activity screen
-WF channels: Import, forms, journal entries

Hope that’s useful!
-Nicole

ZachK
New Contributor II

Hi Nicole,

That is helpful information, and has some similarities to our model.

How frequent are changes to your model for cube slices?
How would you classify the level of effort maintaining your model for changes (High, Medium, Low)?

Thanks,
Zach

Hi Zach,
Not often - I just updated the slices recently because we split out a segment from one to two so we needed a new group. That happens once every 3-5 years 

 

 


I’d classify the level of effort as low because the groups are already set up the way we need to so we’re just moving people around as roles changes or new folks are hired. I’d guess ~95% of users have clearly defined roles but we edit that ~5% of more involved users more often as we add new things into OS (ie. parcel service, specific data mgmt/dashboarding etc.). We have ~3 people very familiar with security also so that makes it easier if new things pop up, like the segment split mentioned above.

ZachK
New Contributor II

Thanks Nicole, that is helpful. Agree splitting is low effort when we need to, and that is great that you have 3 people familiar with your model.

 

ZachK
New Contributor II

Thank you Kimberly. This does sound very different from BDO, great to hear your experience that your number of groups is not driving high level of maintenance.

Zach

Sathish
New Contributor III

Hi Zach,

I am surprised to hear the model your team has chosen to implement at BDO. I am curious to know about the security setup. At Flex, our security access is a combination of WF and security group combination in addition to RCM for Account reconciliation product. This process is currently manual, we are facing lot of challenges in maintaining it.

Can you please brief about your implementation method for security model. At Flex, currently 200+ users for 80 + work profiles which will grown to 700+ users with 400+ WF entities by next year. How to automate the security model.

ZachK
New Contributor II

Hi Sathish,
We chose this model as we needed our Legal Entity in the Entity Dimension for Intercompany Eliminations, but we manage the business primarily by Location and Department, which is our U2 and U3 respectively.
Our route to getting where we are today was not straight forward. We went live last year with a very simple model, with almost no security by U2 and U3. However, management once using the system and to provide more self service to data, which includes employee comp, decided we needed more granular restrictions. This lead us to our current model over the last year.
We do little workflow security since most data is loaded by automated processes, or entered via forms.
For maintaining our growing 4.5k user base, our IT group used an API to auto create each night users meeting certain criteria and auto assign them to a specific group. Do not know specifics how they accomplished this. This has been a game changer from something that was going to be manually maintained.
Hope this helps!
Agree security has been a challenge for us too, especially with how granular we have gotten, which requires new groups and slices rather frequently with our growing business.
Does Flex have two environments? Have found that to be critical for developing a model like we have.