Security - View only user

L_OS
New Contributor II

Hi All,

Hope you are having a great time with OneStream!

I am trying to provide only View Access to some users but it looks like I can't. 

I have set for a specific user the User Type as View and assigned this user to the group "View Only". I then placed the group "View Only" to the Security Role "DimensionLibraryPage". 

The user is only able to see the DimensionLibraryPage, but he can still delete members in the dimension library.

Any idea of what I am doing wrong? Is it actually feasible to provide view access only?

Thank you very much!

1 ACCEPTED SOLUTION

TonyToniTone
Contributor II

When you say "View Only" access, that can be interpreted as View Only data or View Only metadata.  I'm assuming from the rest of your question, you are trying to give a subset of users access to see metadata Dimension members in the Dimension Library.  

1st step is to give the users in the security groups access to the DimensionLibraryPage

2nd step is to give them access to the individual Dimension objects that you want to grant access to. This security is controlled on the Dimensions themselves under Dimension Properties. There is an Access and Maintenance Group for each Dimension. So Administrators and/or Power Users should only have access to Maintenance Group. The Access Group is the security group that that subset of users should have access to.

Side note - The ManageMetadata security role gives users the access rights to access and maintain all Metadata objects.  So getting access to this group would trump any other security you would have on the Dimensions. 

Recap - Give access to DimensionLibraryPage, set security group on Access Group for each Dimension under Dimension Properties, and assign user to security group assigned to Access Group for each Dimension. Access to ManageMetadata will give users Access and Maintenance rights for all Dimensions and Dimension members.

If this doesn't work and you do not get any more responses, I recommend that you submit a ticket to OneStream support. There may be other pieces to your security model that may require more attention.
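The precedence described in this answer, written out as a small audit over a constructed security export. This is an added example, not OneStream code and not part of the original post; the user, group and dimension names are hypothetical, and nested group membership is an assumption.

```python
# Constructed sample data; only the role and property names quoted in the
# thread are real, every user, group and dimension name is hypothetical.
GROUPS = {                      # group -> direct members (users or groups)
    "View Only": {"jdoe", "mlee"},
    "Planners": {"View Only", "asmith"},   # nesting is an assumption
    "Administrators": {"admin1"},
}
USER_TYPES = {"jdoe": "View", "mlee": "View", "asmith": "Interactive",
              "admin1": "Interactive"}
ROLES = {"DimensionLibraryPage": "View Only", "ManageMetadata": "Administrators"}
DIMENSIONS = {                  # Dimension Properties per dimension
    "Entities": {"access": "View Only", "maintenance": "Administrators"},
    "Accounts": {"access": "View Only", "maintenance": "Planners"},
}

def groups_of(user):
    """Every group the user belongs to, directly or through nested groups."""
    found, frontier = set(), {user}
    while frontier:
        frontier = {g for g, members in GROUPS.items()
                    if members & frontier and g not in found}
        found |= frontier
    return found

def dimension_rights(user):
    """Map each dimension to (level, reason); User Type is never consulted."""
    mine = groups_of(user)
    rights = {}
    for dim, props in DIMENSIONS.items():
        if ROLES["ManageMetadata"] in mine:
            rights[dim] = ("maintain", "ManageMetadata role")
        elif props["maintenance"] in mine:
            rights[dim] = ("maintain", "Maintenance Group " + props["maintenance"])
        elif props["access"] in mine:
            rights[dim] = ("view", "Access Group " + props["access"])
        else:
            rights[dim] = ("none", "no group match")
    return rights

def audit_view_users():
    """List (user, dimension, reason) where a View-type user can maintain."""
    return sorted((u, d, why) for u, t in USER_TYPES.items() if t == "View"
                  for d, (lvl, why) in dimension_rights(u).items()
                  if lvl == "maintain")
```

In the sample data the "View Only" group is nested inside the group used as the Maintenance Group for one dimension, so the audit flags both View-type users for that dimension even though their Access Group assignment looks correct.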

NidhiMangtani
Contributor III

Hi,

There is another security role, "ManageMetadata"; please ensure that the user doesn't have this role, or assign only the technical team group to this role.

Hope this helps.

Thanks,
Nidhi Mangtani

L_OS
New Contributor II

Unfortunately all the other roles are set to Administrators except OpenApplication and OnePlacePane.

NolanPopow
New Contributor II

I have a similar question - I think when I upgraded to platform 7.0 from 6.4, there was a new field for users in their security profile that had a dropdown with View, Interactive, Restricted, Third Party Access. Since we already had security set up before this, I'm unsure of what changing this setting actually does for user access. It seems like it doesn't change anything. I've tried reading through the patch notes but I haven't found anything about this. If someone could explain to me what this setting actually does, that would be great!

TonyToniTone
Contributor II

Currently, this setting is primarily used to align users with the OneStream license types purchased. The intention is to report on whether the number of users by User Type matches the number of OneStream user licenses purchased. Setting the user to a specific User Type doesn't impact Security at all. This setting does not add or remove user rights given throughout the Security model.

Thanks for the info! I just looked into our licenses and we have 90 Interactive and 30 View, how can I decide at what point someone becomes Interactive rather than View? If a user has the ability to run a cubeview would that be considered interactive? 

According to the Design and Reference Guide, it states that the View User Type "Allows users to view all data, reports, and dashboards in the production environment and the derived database. The View user privileges do not permit the authorized user to load, calculate, consolidate, certify, or change data."

Will the View User Type ever be used as a true "View Only" type or is the Design and Reference Guide inaccurate?

TonyToniTone
Contributor II

A good rule of thumb: if a user requires access to a Workflow to complete any Workflow steps (submitting data and/or commentary, validating data, processing the Cube, confirming Cube data, certifying Cube data or Workflow process) or administer any part of the application or process, they would be considered Interactive. If a user uses OneStream to only render Cube Views or other reports to analyze data/commentary with no other action within OneStream, they would be considered a View user. If the user uses the Cube Views or Dashboards to then execute other objects within OneStream, then they would be considered Interactive.

TonyToniTone
Contributor II

@THENDRICK

I understand your point of view reading the snippet from the Design and Reference Guide.  IMO, I feel that it is correct but the wording certainly can be interpreted in a different way.  The language is describing the characteristics of activities that would be included in that User Type role and what's not included in that role.  This allows more clarity on the User Type roles.  I certainly can see an opportunity to reword the language in the Design and Reference Guide to avoid some ambiguity.  

To address your question "Will the View User Type ever be used as a true "View Only" type", I would suggest adding this to IdeaStream, along with improving the language in the Design and Reference Guide for User Types. The ability to use the User Type selection on a User to drive Security would be a great idea. There are a lot of moving parts to address this in the current Security model and framework.