Locking (and Unlocking) OneStream Security
How often are you, as a consultant or OneStream administrator, scrambling before UAT or go-live to get all your business rules working, all your workflows setup and tying out data? And you completely forget about security (because you as an Administrator can see and do everything), until the final hour? Sound familiar? Do not let security be an afterthought to your OneStream implementation, project, or on-going maintenance. Security leaves a first impression and has a direct and tangible impact on your end users. So, getting security right from the get-go (UAT or go-live) can go a long way to user acceptance! Let’s talk about some common security strategies and things you need to consider before you get to the week prior to UAT! These things will help you think about security along the development cycle or even as you add in new elements to an already live application, so that you can layer security in as you go, avoiding that last minute scramble. User Roles During the design phase, get a list of everyone who will be end users of OneStream, whether you have 10 or 1,000+ users! Put those users into broad categories or types of roles those users will have in OS. These are some examples (Chapter 4 of the Security Essentials book 😊): VIEWERS: People who can view all data and reports with no restrictions DATA LOADERS: People who will be involved with bringing data into OS whether via Imports, Journals or Manual forms entry APPROVERS: People with oversight of a process with the ability to certify, lock or determine when the data is final FORECASTERS / PLANNERS: People who will be involved in inputting data and running calculations related to a forecast or budget process POWER USERS / LOCAL ADMINS: People who will have broader access than the average VIEWERS with the ability to perhaps modify reports, metadata, etc within OS Role Access For each role or type of user you will have, outline what each role should be allowed (or not) to do. For example: VIEWERS Ability to see all cube data meaning all entities, all scenarios, all cubes, etc Access reports for such data from: OnePlace Spreadsheet Dashboards Be allowed to view the dimension hierarchy page to understand how things roll up Be allowed to view FX rates Once you have determined a framework for what a given role or set of users is allowed to do, you are read to put the building blocks together to achieve that. Pre Security Build Before I start set up security and/or ahead of a UAT, I like to start by making all application objects (app roles & pages, cube views, metadata, dashboards, BRs, etc) set from “Everyone” to “Administrators”. Why do I do this? I like to keep things inside OneStream under lock and key and only grant access on an as-needed basis. In this way, as you start to put together your end user security groups users will only be allowed to see and do things to which you have granted them access. Not only does it help you control data access, but it also helps simplify the end user experience. You will only open up access as needed so as not to overwhelm your users. If you leave all doors and windows opened and unlocked (as with a house), well you can imagine what a security nightmare that could be! This approach works well for complex organizations or companies who have strict governance around data. If your company does not have strict security needs or your user base is small, then this approach of locking everything down to start, may not be the best approach for your security model. If you are early in build and/or because you have not done anything with security to-date, things will generally be wide open (“Everyone”). This is because as you add new elements to a OneStream application (cube views, entities, scenarios, etc) the default security group, if you do not change it, its “Everyone”. So before heading into a UAT I like to start by locking everything down (e.g. “Administrators”) and then proceed with putting groups in place to open things back up. What is the easiest and quickest way to lock everything down? I like to do a full application extract to XML. Then I methodically open each XML file: And make the following edit and replaces: CURRENT VALUE REPLACE WITH VALUE accessGroup="Everyone" accessGroup="Administrators" maintenanceGroup="Everyone" maintenanceGroup="Administrators" "WorkflowExecutionGroup" attributeValue="Everyone" "WorkflowExecutionGroup" attributeValue="Administrators" "CertificationSignOffGroup" attributeValue="Everyone" "CertificationSignOffGroup" attributeValue="Administrators" "JournalProcessGroup" attributeValue="Everyone" "JournalProcessGroup" attributeValue="Administrators" "JournalApprovalGroup" attributeValue="Everyone" "JournalApprovalGroup" attributeValue="Administrators" "JournalPostGroup" attributeValue="Everyone" "JournalPostGroup" attributeValue="Administrators" readDataGroup="Everyone" readDataGroup="Administrators" readWriteDataGroup="Everyone" readWriteDataGroup="Administrators" "CalculateFromGridsGroup" value="Everyone" "CalculateFromGridsGroup" value="Administrators" "ManageDataGroup" value="Everyone" "ManageDataGroup" value="Administrators" readDataGroup2="Everyone" readDataGroup2="Administrators" readWriteDataGroup2="Everyone" readWriteDataGroup2="Administrators" Then load each XML file back into your OneStream app. If you poke around within the application, you should generally see “Administrators” applied to everything. To test this you can set up a native user ID and log in as that user. If everything has been locked down, that user should not see any applications. Their drop down box at the log in screen will be empty. Goal achieved – every window and door in your OneStream castle is locked! Now what? Now you are ready to start putting user groups together and layering on the security that will allow your users to unlock and walk through certain doors (e.g. pages, objects or data in OneStream). Building Security Groups and Roles Create a user group 000_GRP_VIEWALL (see Chapter 3 of the Security Essentials book for security group naming conventions) Figure out the pages or application roles to which they will need access and create those groups (or decide to leave some open to “Everyone”) 3. Now that you have a user group (000_GRP_VIEWALL) and have allowed that group to get to certain pages within an application (001_APP_OPENPROD, 001_APP_VIEWALLDATA, 001_APP_DIMPAGE, 001_APP_FXPAGE, and 001_APP_SPREADSHEETPAGE), you are ready to move on to determine what, if any, other object or data security this user group needs. 4. Being that this is the View All user group and because you have granted 001_APP_VIEWALLDATA, this user group should not need any additional data access for 002 Cubes, 003 Scenarios, and 004 Entities. The View All app security role supersedes those things. However, you will likely still want to grant this view all user group access to a WF profile such as an actual WF group: 005_WF_ACTUAL. Testing The final step is to nest groups and test that user’s security role access. The easiest way to achieve this is to set up a native User ID, e.g. “Test1”, and log in as that user. For obvious reasons, you do not want to log in with your “Administrators” access because you can see and do everything. You want to mimic an end user by either logging in as a native user set up with a particular user group, or have yourself temporarily removed from “Administrators” and placed into whichever group you wish to test. Here are some basic steps to testing: Nest or combine the various 001 – 005 security groups into your 000 user group as shown below: Log in as Test1 user (or your own user ID if necessary) and test the end user security. Confirm that you can get to the screens for which this user group (000_GRP_VIEWALL) should have access as well as NOT get to pages and places for which you do not want them to. Part of your testing should be to focus on the end user experience and navigation options available to the end user. You want to confirm that the user can get to what is needed, but also not get to that which they do not need access or which could serve to confuse them. Conclusion You will want to repeat similar steps as you put together your additional user groups: 000_GRP_DATALOAD_ACTUALS 000_GRP_APPROVE_ACTUALS 000_GRP_FORECAST_WRITE 000_GRP_POWERUSER 000_GRP_LOCALADMIN_PROD The process should be to establish the user groups (000) listed above, determine what application roles (001), cubes (002), scenarios (003), entities (004), workflows (005) and other data objects to which they need access. Create these security groups and attach them to various application objects, embed them in your 000 user groups and then test. The same holds true if you have already established security and are making changes to your security model. You will want to log in as the user before you make changes, make the group changes, then log back in after and ensure you see the intended consequences of your changes. The same approach can be used whether you are establishing security for the first time, or making changes years down the road. They key with implementing or changing security is to test and retest. Only you, as the consultant or company OneStream administrator, knows to what each group should or should not have access. So who better to test than you?! Of course, your end users will ultimately test their security as a part of a UAT or parallels, but the hope is that you have worked out all, if not most, of the kinks before the end user logs in. This can go a long way to building end user confidence, acceptance, lessening frustration, and speeding adoption of OneStream. You could build the nicest house (OneStream application) on the block, but if you do not provide the right people the right keys to the front door, it will be for not! And, it will likely save you headaches in the long run. Security should not be an after thought. It should be considered as a part of the overall OneStream design, put in place during the build cycle and tested ahead of a UAT, go-live or before you turn things over to your end users. For more information on all these topics, please see the OneStream Security Essentials publication now available.
The OneStream Podcast: Author Series - OneStream Security Essentials out now!
On the new episode of The OneStream Podcast Peter Fugere is joined by Teresa Kress, author of the new OneStream Press offering, OneStream Security Essentials. The two discuss what users can find in this new mini-book, the importance of having a good plan for security during implementation and best practices for OneStream security settings.OneStream Security Essentials - Now Available
It’s here! OneStream Security Essentialsis now available. Take your security expertise to the next level with our first-ever mini book. Protecting your OneStream investment and data – while making your end-user experience optimal – is fundamental to getting the most out of OneStream. This OneStream mini-book offers practical guidance, analogies, and in-depth information to help you design, test, and maintain a robust security model. Whether your company is small, large, public, or private, this book delivers the background and tools to meet your company’s unique security and data requirements. Whether you are a consultant guiding implementations, a developer building solutions, or an administrator managing day-to-day operations, you’ll gain a deep understanding of: What’s possible with OneStream security How to define a Security Model tailored to your company’s needs Extending security with Custom Use Cases (aka Slice Security and more) Reporting off your Security Framework and Application Tables Effective Testing and Maintenance strategies for optimal results From practical advice on security group nesting and naming conventions to detailed information on database tables, API calls, and sample code, this mini-book is your one-stop shop for mastering OneStream security quickly and effectively! Order your copy todayPre-Order Today: OneStream Security Essentials
Coming October 14, OneStream Press is proud to announce the debut of our first ever mini book: OneStream Security Essentials. This OneStream mini-book offers practical guidance, analogies, and in-depth information to help you design, test, and maintain a robust security model. Whether your company is small, large, public, or private, this book delivers the background and tools to meet your company’s unique security and data requirements. Protecting your OneStream investment and data – while making your end-user experience optimal – is fundamental to getting the most out of OneStream. Pre-Order Today OneStream Security Essentials, written by Teresa Kress 📅 Launching October 14 📚 Explore our full lineup: onestreampress.comNew Press Publication Coming Soon!
OneStream Press is proud to unveil our first-ever mini book — OneStream Security Essentials. Launching October 14, this new publication is a compact yet content-rich addition to our technical lineup. A must have for Finance Professionals who crave depth without the bulk, this new release delivers expert insights in a smaller, more portable format. This marks the 8th publication in our growing catalog, continuing our goal to provide high-quality, practical and technically accurate resources. 📅 Launching October 14 📚 Explore our full lineup: onestreampress.com Stay tuned for more information, author podcasts and more!Win A Publication from OneStream Press
OneStream Press is giving away PDFs to 5 lucky winners that live in the APAC Region. Winners will be drawn at random Monday, October 6, 2025. Winners will be contacted via e-mail to select book title of choice. Entries close at 11:49 on October 5th so make sure you enter today if you're eligible. ENTER TO WIN Not located in APAC? PDFs are available for purchase 24/7 at onestreampress.com The Full Press Publication Lineup OneStream Foundation Handbook OneStream Planning: The Why, How and When OneStream Finance Rules and Calculations OneStream Financial Close Handbook OneStream Advanced Reporting and Dashboards OneStream Administrator Handbook OneStream Foundation Handbook, Second Edition PDF Book BundleLearn About the Updated OneStream Foundation Handbook on the Latest Episode of The OneStream Podcast
On this edition of the OneStream Podcast, Chul Smith joins Peter Fugere to discuss the newly released Second Edition of the OneStream Foundation Handbook. They'll discuss how this edition reflects platform updates, along with the ongoing development of the OneStream landscape. Listen now!
Tech Talks After Hours: Playing with (and by) the Rules #5 - Seeding!
Link: https://onestream.thoughtindustries.com/learn/video/tech-talks-after-hours-playing-with-and-by-the-rules-seeding Description: On this edition of Tech Talks After Hours, Jon Golembiewski and Tom Linton continue to review "StoogeCorp" rules line by line specifically looking at Chapter 8 from “OneStream Finance Rules and Calculations Handbook". Remember, you can get the StoogeCorp application FREE with your purchase of the “OneStream Finance Rules and Calculations Handbook” that Jon authored and is available at OneStreamPress.com! Remember, this video is a Passport Exclusive. Thanks!New Episode of The OneStream Podcast Available Now!
Listen to the latest episode of The OneStream podcast below! On this edition of The OneStream Podcast, Peter Fugere is joined by Jannesa Zhang, Matt Ha, and Eric Hanson to discuss their new book, OneStream Administrator Handbook. The authors discuss the inspiration for the book and how it can help OneStream administrators gain an appreciation of the OneStream application and provide the tools needed to tackle a wide variety of administrative actions that may surface.OneStream Administrator Handbook: Now Available!
The OneStream Administrator Handbook is now available! Physical and PDF copies are available and are sold separately. Order your copy today at OneStreamPress.com Administrators are integral to the day-by-day operations and overall wellbeing of a company’s financial ecosystem. Although each OneStream application is unique, the challenges that administrators face when managing the OneStream platform remain similar when it comes to processes and troubleshooting. Whether you are a novice or seasoned administrator, this book examines key concepts to help you understand and manage the financial and data processes of your OneStream application. Written for administrators, this book is filled with technical and functional contexts – whether syntax-related to business rules or general accounting concepts – and dives into practical examples and use cases that provide guidance and insights into commonly encountered themes.
