Slice Security Alternatives
Hello Experts, We have requirements on having theaccess enabled/disabled for system dashboards/forms channelwise (UD2 members). For this multiple slice security rules were placed on the cube which has been a tedious maintenance task and is probably adding performance impact on the dashboards. We are thinking of replacing the slice security rules via a Finance rule which will set conditional input for selected Entity, Scenario, Time, UD1, UD2 members from super user dashboard, Admin can lock/unlock these intersections via a super user dashboard on a button click. Is there a better alternative for achieving this? Any leads would be appreciated.1.7KViews3likes2CommentsAutomated process to disable users based on Inactivity Threshold / Remaining Allowed Inactivity
We worked with OneStream to set the Inactivity Threshold to 90 days but discovered inactive users are not automatically Disabled after 90 days - only flagged as 0 days of "Remaining Allowed Inactivity". I'm assuming we could create a Business Rule or some other process that could query OneStream security data within the system to confirm users who meet the "Remaining Allowed Inactivity" = "0 Days" criteria. Manual review could work as well but not preferred. Any suggestions on how this could be automated in OneStream? Thanks in advance.2.5KViews3likes2CommentsAudit report/dashboard for object security
Hi all, I'm trying to figure out if there is a dashboard, marketplace solution, or custom report where I can view security groups/users and references where they are assigned to objects. Preferably with the ability to sort. For example: Security Group Name: "Security Group" Object: Application -> Workflow -> Workflow Profiles -> "Cube" -> "WorkflowProfile" -> Profile Properties -> Security -> Access Group Application -> Tools -> Business Rules -> Connector -> "Business Rule" -> Properties ->Security -> Maintenance Group Thank you!Solved2.4KViews2likes2CommentsSecurity Models
SOURCE: ONESTREAM CHAMPIONS Hi Everyone, Curious to hear others’ experience in the area of Security. At BDO, we currently have: 5k users configured, of which 4.5k are enabled. 3.6k are in our “basic” level security group, which we have automation to create and assign users to this group when they meet certain criteria. We have seen in our first year live about 50% of our enabled users utilizing our Production App at some point during the year. Primarily focus on Data Level Access (Cube Slice Security) to control access, which 1 of our 3 cubes has 137 slices configured in it, which is the most granular of our 3 cubes. For groups we are currently at 312, of which 150 have users directly assigned and the others are for nesting shared access across groups. For security, we do very little control by Entity or Workflows since most access to data is controlled in Cube Slices based on our U2 (Location) and U3 (Department), and outside of our automated loads, few users load data via workflows. Would like to hear other’s experience! How many users and groups do you have? Is your security model granular or more open and simple? Do you use any automation to manage your model? Anything unique about your model and processes for security? Thanks, Zach7KViews1like8CommentsExcluding Groups from Manage System Security Roles
I thought I knew how to solve this but it is not working as expected. We are trying to prevent a Child Group of users called "App_Administrators" from changing System Security. We want them to be able to still 'view' security roles, groups, and users -- just not be able to make any changes. The Group called App_Administrators is a child group in the Administrators Group (which is needed because we want application administrators to be able to run OSD System Snapshots on demand). Since the child group is part of Administrators, we thought all we needed to do was create an Exclusion Group that effectively takes App_Administrators back out of Administrators and apply it to the ManageSystemSecurity roles (there are three of them). After creating the Exclusion Group and applying it to the following Roles ManageSystemSecurityUsers, ManageSystemSecurityGroups, ManageSystemSecurityRoles, we found that the security group App_Administrators members could still modify security (after logging out and logging back in). This seems like it should not be the case. Thoughts? Are we doing something wrong here? If you belong to the Administrators group, even through a child group, do Exclusion Groups not apply to you?Solved2.2KViews1like11CommentsData Access Security & App Server Issues
Note: this post is a follow-up from a post I made previously:https://community.onestreamsoftware.com/t5/Application-Build/Member-List-Business-Rule-in-Data-Access-Security/m-p/34916#M3533 Hi all, Previously, I had asked about some details surrounding the running of a MemberList BR in a Data Access security filter; specifically, when the data access security runs (answer: every 24 hours unless IIS is reset) and if there's a way to force a re-run (answer: resetting IIS). After doing more work on this, we noticed that it looks like the data access security is applied on an app server-by-app server basis, and the app server that's used to handle the security is based on the app server that handles the user's log in. For example, if my log in action is handled by AppServer1, the data access security that's applied to my session is determined by the security that's currently applied in AppServer1. So it's therefore possible that one user, their logging-in being handled by AppServer1 (which in this example is currently up-to-date), could have a different data access security applied than another user whose login is handled by AppServer2 (which is not up-to-date) until the data access security on AppServer2 is re-run. Additionally, we haven't been able to use an IIS reset to re-run the data access security. We've tried resetting IIS in both the main app server and the specific app server that handles the user's login to no avail. There seems to be some sort of amount of time that has to pass in order for the data access security to run again, but sometimes this isn't even kicked off by the user attempting to access data - the actual security has to be changed and then saved and then reverted to kick off the re-run. My questions are therefore: 1. Is this observation of the data access security being tied to the app server that handles the user's login actually correct? Or am I missing something? 2. Does the "Recycle App Pool" button in the environment page equate to requesting an IIS reset in the OneStream ServiceNow catalog? Thanks in advance!609Views1like1CommentNamed User Vs Generic
Out of curiosity, are there any folks out there that have opted to have some "Generic" users/licenses versus specific named users in their environments? A couple of places where I think a generic would be relevant is when giving auditors view only access to the application. If there is a team of 3-4 auditors who need view only, would it not make sense to just create 1 generic user? On the flip side, what are big reasons people choose to go the named user route besides the obvious ones of audit trail for data loads and form completions and workflows? Just trying to get an idea of how popular generic users truly are when I personally have only seen the named user route.Solved2.4KViews1like2CommentsIs it possible to use 'Cell Data Access Security' to increase a user's access?
Hi We have a requirement where users need access to all entities in the organisation but only for a specific set of accounts. Currently we have a simple security model where users are restricted by Entity. I was hoping that I could create a Cell Data Access Security rule that will give them access to entities outside of their group for the specific set of accounts, but it feels as though the Entity access overrules the Cell Data Access Security? To be clear I have Group A and Group B, restrictions defined below. Group A : - Full access to all Group A Entities - Additional access to Group B Entities (for specific set of accounts) Group B : - Full access to all Group B Entities - Additional access to Group A Entities (for specific set of accounts) 1. Is it possible to grant access as I have described and am I just doing something wrong? 2. If the approach I am taking isn't the correct one, what is the best way to implement this kind of logic? Thanks, MarkSolved2KViews1like3CommentsPseudo Admin Role
We created a customized application support security group (Pseudo Admin role) which excludes the accesses of cube view form input, JE create/post and user security provisioning. This is required by internal control as segregation of duties. We updated maintenance group setting with this Pseudo admin group in all applicable components. e.g. Workflow profiles, Transformation rule, dimensions, confirmation rules, Forms/JE template, Dashboards etc. The limitations we confront are that the following components are accessible only to the default administrators. Can we enable the discrete security settings to those components instead of default to admin only? Thanks! System Diagnostic Dashboard CAT Extensibility business rules Database under System tab2.4KViews1like6Comments