New Contributor II

Security is at the top of everyone’s minds these days. It should be - sensitive financial data is well… sensitive. But at the same time, administering security doesn’t need to be complex.

Our customers asked OneStream to allow specific users to manage security roles while blocking these same users from accessing sensitive financial applications and data.  We heard you and added new security roles with OneStream version 6.6 in 2021!

For Blog.PNG

With the addition of three new roles, you can allow specific people to be responsible for security while blocking access to financial applications and data. These three new roles are:

  • System Security Role: ManageSystemSecurityUsers
  • System Security Role: ManageSystemSecurityGroups
  • System Security Role: ManageSystemSecurityRoles

The easiest method to administer security is to add groups to roles. When using this method, you need only give access to the first two roles (Users/Groups) to grant a User the ability to add and remove users from the system.

Add the System Security Role: ManageSystemSecurityRoles if part of a User’s duties are adding and removing roles. The person performing these duties should be well versed in OneStream roles.

The key is to create new security groups in OneStream:

  • One group could be named "OS_Security." Assign the roles needed here.
  • A second group named “Everyone_Except_Security” should be created as an exclusion group. For this group, allow "Everyone" and deny "OS_Security."

By using this solution:

  • When roles such as "OpenApplication" or "OnePlacePane" –which are normally set to “Everyone” – are used, access is explicitly denied and blocks users from opening apps and getting access to data. This ensures that security is completely locked down.

  • Once a user with the “OS_Security” role logs in, they now only see the system administration application in the drop-down and can only access the manage users and groups area. This same user cannot add themselves to the "Administrator" group as this intelligence is built into the platform (a user in control of security should not have the ability to grant themselves more rights has already been assigned).

This simple, yet elegant solution allows you to set your security roles in such a way that allows non-finance security ownership while protecting unauthorized personnel from accessing financial applications and data.