Slice Security Alternatives
Hello Experts,

We have requirements on having the access enabled/disabled for system dashboards/forms channel-wise (UD2 members). For this, multiple slice security rules were placed on the cube, which has been a tedious maintenance task and is probably adding performance impact on the dashboards. We are thinking of replacing the slice security rules via a Finance rule which will set conditional input for selected Entity, Scenario, Time, UD1, UD2 members from a super user dashboard. Admin can lock/unlock these intersections via a super user dashboard on a button click. Is there a better alternative for achieving this? Any leads would be appreciated.

1.7K Views, 3 likes, 2 Comments

Automated process to disable users based on Inactivity Threshold / Remaining Allowed Inactivity
We worked with OneStream to set the Inactivity Threshold to 90 days but discovered inactive users are not automatically Disabled after 90 days - only flagged as 0 days of "Remaining Allowed Inactivity". I'm assuming we could create a Business Rule or some other process that could query OneStream security data within the system to confirm users who meet the "Remaining Allowed Inactivity" = "0 Days" criteria. Manual review could work as well but not preferred. Any suggestions on how this could be automated in OneStream? Thanks in advance.

2.5K Views, 3 likes, 2 Comments

Audit report/dashboard for object security
Hi all,

I'm trying to figure out if there is a dashboard, marketplace solution, or custom report where I can view security groups/users and references where they are assigned to objects. Preferably with the ability to sort.

For example:
Security Group Name: "Security Group"
Object:
Application -> Workflow -> Workflow Profiles -> "Cube" -> "WorkflowProfile" -> Profile Properties -> Security -> Access Group
Application -> Tools -> Business Rules -> Connector -> "Business Rule" -> Properties -> Security -> Maintenance Group

Thank you!

Solved. 2.4K Views, 2 likes, 2 Comments

Security Models
SOURCE: ONESTREAM CHAMPIONS

Hi Everyone,

Curious to hear others’ experience in the area of Security. At BDO, we currently have:
- 5k users configured, of which 4.5k are enabled. 3.6k are in our “basic” level security group, which we have automation to create and assign users to this group when they meet certain criteria. We have seen in our first year live about 50% of our enabled users utilizing our Production App at some point during the year.
- Primarily focus on Data Level Access (Cube Slice Security) to control access, which 1 of our 3 cubes has 137 slices configured in it, which is the most granular of our 3 cubes.
- For groups we are currently at 312, of which 150 have users directly assigned and the others are for nesting shared access across groups.
- For security, we do very little control by Entity or Workflows since most access to data is controlled in Cube Slices based on our U2 (Location) and U3 (Department), and outside of our automated loads, few users load data via workflows.

Would like to hear others’ experience!
- How many users and groups do you have?
- Is your security model granular or more open and simple?
- Do you use any automation to manage your model?
- Anything unique about your model and processes for security?

Thanks,
Zach

7K Views, 1 like, 8 Comments

Excluding Groups from Manage System Security Roles
I thought I knew how to solve this but it is not working as expected. We are trying to prevent a Child Group of users called "App_Administrators" from changing System Security. We want them to be able to still 'view' security roles, groups, and users -- just not be able to make any changes.

The Group called App_Administrators is a child group in the Administrators Group (which is needed because we want application administrators to be able to run OSD System Snapshots on demand). Since the child group is part of Administrators, we thought all we needed to do was create an Exclusion Group that effectively takes App_Administrators back out of Administrators and apply it to the ManageSystemSecurity roles (there are three of them).

After creating the Exclusion Group and applying it to the following Roles: ManageSystemSecurityUsers, ManageSystemSecurityGroups, ManageSystemSecurityRoles, we found that the security group App_Administrators members could still modify security (after logging out and logging back in). This seems like it should not be the case.

Thoughts? Are we doing something wrong here? If you belong to the Administrators group, even through a child group, do Exclusion Groups not apply to you?

Solved. 2.2K Views, 1 like, 11 Comments

Data Access Security & App Server Issues
Note: this post is a follow-up from a post I made previously: https://community.onestreamsoftware.com/t5/Application-Build/Member-List-Business-Rule-in-Data-Access-Security/m-p/34916#M3533

Hi all,

Previously, I had asked about some details surrounding the running of a MemberList BR in a Data Access security filter; specifically, when the data access security runs (answer: every 24 hours unless IIS is reset) and if there's a way to force a re-run (answer: resetting IIS).

After doing more work on this, we noticed that it looks like the data access security is applied on an app server-by-app server basis, and the app server that's used to handle the security is based on the app server that handles the user's log in. For example, if my log in action is handled by AppServer1, the data access security that's applied to my session is determined by the security that's currently applied in AppServer1. So it's therefore possible that one user, their logging-in being handled by AppServer1 (which in this example is currently up-to-date), could have a different data access security applied than another user whose login is handled by AppServer2 (which is not up-to-date) until the data access security on AppServer2 is re-run.

Additionally, we haven't been able to use an IIS reset to re-run the data access security. We've tried resetting IIS in both the main app server and the specific app server that handles the user's login to no avail. There seems to be some sort of amount of time that has to pass in order for the data access security to run again, but sometimes this isn't even kicked off by the user attempting to access data - the actual security has to be changed and then saved and then reverted to kick off the re-run.

My questions are therefore:
1. Is this observation of the data access security being tied to the app server that handles the user's login actually correct? Or am I missing something?
2. Does the "Recycle App Pool" button in the environment page equate to requesting an IIS reset in the OneStream ServiceNow catalog?

Thanks in advance!

604 Views, 1 like, 1 Comment

Named User Vs Generic
Out of curiosity, are there any folks out there that have opted to have some "Generic" users/licenses versus specific named users in their environments? A couple of places where I think a generic would be relevant is when giving auditors view only access to the application. If there is a team of 3-4 auditors who need view only, would it not make sense to just create 1 generic user? On the flip side, what are big reasons people choose to go the named user route besides the obvious ones of audit trail for data loads and form completions and workflows? Just trying to get an idea of how popular generic users truly are when I personally have only seen the named user route.

Solved. 2.4K Views, 1 like, 2 Comments

Is it possible to use 'Cell Data Access Security' to increase a user's access?
Hi,

We have a requirement where users need access to all entities in the organisation but only for a specific set of accounts. Currently we have a simple security model where users are restricted by Entity. I was hoping that I could create a Cell Data Access Security rule that will give them access to entities outside of their group for the specific set of accounts, but it feels as though the Entity access overrules the Cell Data Access Security?

To be clear I have Group A and Group B, restrictions defined below.

Group A:
- Full access to all Group A Entities
- Additional access to Group B Entities (for specific set of accounts)

Group B:
- Full access to all Group B Entities
- Additional access to Group A Entities (for specific set of accounts)

1. Is it possible to grant access as I have described and am I just doing something wrong?
2. If the approach I am taking isn't the correct one, what is the best way to implement this kind of logic?

Thanks,
Mark

Solved. 2K Views, 1 like, 3 Comments

Pseudo Admin Role
We created a customized application support security group (Pseudo Admin role) which excludes the accesses of cube view form input, JE create/post and user security provisioning. This is required by internal control as segregation of duties. We updated maintenance group setting with this Pseudo admin group in all applicable components, e.g. Workflow profiles, Transformation rule, dimensions, confirmation rules, Forms/JE template, Dashboards etc. The limitations we confront are that the following components are accessible only to the default administrators. Can we enable the discrete security settings to those components instead of default to admin only? Thanks!

System Diagnostic Dashboard CAT Extensibility business rules Database under System tab

2.4K Views, 1 like, 6 Comments