Automated process to disable users based on Inactivity Threshold / Remaining Allowed Inactivity
We worked with OneStream to set the Inactivity Threshold to 90 days but discovered inactive users are not automatically Disabled after 90 days - only flagged as 0 days of "Remaining Allowed Inactivity". I'm assuming we could create a Business Rule or some other process that could query OneStream security data within the system to confirm users who meet the "Remaining Allowed Inactivity" = "0 Days" criteria. Manual review could work as well but not preferred. Any suggestions on how this could be automated in OneStream? Thanks in advance.
Slice Security Alternatives
Hello Experts, We have requirements on having the access enabled/disabled for system dashboards/forms channelwise (UD2 members). For this multiple slice security rules were placed on the cube which has been a tedious maintenance task and is probably adding performance impact on the dashboards. We are thinking of replacing the slice security rules via a Finance rule which will set conditional input for selected Entity, Scenario, Time, UD1, UD2 members from super user dashboard, Admin can lock/unlock these intersections via a super user dashboard on a button click. Is there a better alternative for achieving this? Any leads would be appreciated.
Environment Management
Hi All, In your OneStream implementation, how many environments do you have? Dev, UAT and Prod? Or do you also have Pre-Prod environment that is common in ERP systems? Also, in the UAT environment do you also have copy of data so that when testing happens or developers need to test the changes - there is enough sample data to test? Would you consider brininging data from Prod, randomize it and load into UAT env so that UAT env data at all intersections as Prod? Thanks!
Security Models
SOURCE: ONESTREAM CHAMPIONS Hi Everyone, Curious to hear others’ experience in the area of Security. At BDO, we currently have: 5k users configured, of which 4.5k are enabled. 3.6k are in our “basic” level security group, which we have automation to create and assign users to this group when they meet certain criteria. We have seen in our first year live about 50% of our enabled users utilizing our Production App at some point during the year. Primarily focus on Data Level Access (Cube Slice Security) to control access, which 1 of our 3 cubes has 137 slices configured in it, which is the most granular of our 3 cubes. For groups we are currently at 312, of which 150 have users directly assigned and the others are for nesting shared access across groups. For security, we do very little control by Entity or Workflows since most access to data is controlled in Cube Slices based on our U2 (Location) and U3 (Department), and outside of our automated loads, few users load data via workflows. Would like to hear other’s experience! How many users and groups do you have? Is your security model granular or more open and simple? Do you use any automation to manage your model? Anything unique about your model and processes for security? Thanks, ZachCube | Data Access | Data Cell Access Security/Slice Security by U1#Geography
Data Management Access Security Please share your expertise to set up a Cube's Data Cell Access Security / Slice Security to limit data read access as outlined below: Dimension: U1# - Geography Total_Geography = Child 1 + Child 2 = Total / Top North_America = Child 1 / NA International = Child 2 / Int'l Slice Security: Access Level - Read Data by Geography - in a CV and a QV Total_Geo_Data = Read Total data | Read NA data and Read Intl data NA_Data = Read NA data | no data access = International and Total Intl_Data = Read Int'l data | no data access = North America and Total TY for your practical advice - SMEs.Security "Reset" When Prod is Copied to Dev
Is it normal for certain security settings to be "reset" when a copy of production is made to dev? Every time we make a copy of production into the development environment certain security fields within Security Roles, Entity dimension, Scenario dimension, Workflow Profiles and Data Management Groups are set to "(Not Found)" instead of the correct security group. Is this normal? If so, what's the easiest way to update this? Thanks!
Excluding Groups from Manage System Security Roles
I thought I knew how to solve this but it is not working as expected. We are trying to prevent a Child Group of users called "App_Administrators" from changing System Security. We want them to be able to still 'view' security roles, groups, and users -- just not be able to make any changes. The Group called App_Administrators is a child group in the Administrators Group (which is needed because we want application administrators to be able to run OSD System Snapshots on demand). Since the child group is part of Administrators, we thought all we needed to do was create an Exclusion Group that effectively takes App_Administrators back out of Administrators and apply it to the ManageSystemSecurity roles (there are three of them). After creating the Exclusion Group and applying it to the following Roles ManageSystemSecurityUsers, ManageSystemSecurityGroups, ManageSystemSecurityRoles, we found that the security group App_Administrators members could still modify security (after logging out and logging back in). This seems like it should not be the case. Thoughts? Are we doing something wrong here? If you belong to the Administrators group, even through a child group, do Exclusion Groups not apply to you?
