Controlling the Shared Folder

In the past, it was possible to control who could access certain subfolders within the Planning Analytics shared folder and what their permissions would be. Going forward, with the implementation of Drive Explorer (in the Planning Analytics Workspace modeling workbench), subfolder control doesn’t work the same way. That is, adding folder permissions is not supported for Drive Explorer users.

If you do need to control folder permissions, one option is to set specific controls for individual user ids using an IBM Planning Analytics SFTP Fileshare (turning OFF Drive Explorer for specific users and granting them access through an SFTP id). This way, the security applied to the subfolder(s) is adhered to.

A Bit about using the SFTP Fileshare

An IBM Planning Analytics SFTP Fileshare is a secure, shared folder within the Planning Analytics system that allows users to transfer data files to and from their local computers using the Secure File Transfer Protocol (SFTP).

To set up FTPS to access an IBM Planning Analytics Cloud shared folder, you need to configure an FTP client (FileZilla is an excellent example and my favorite), then use the provided path within the shared folder to navigate and transfer files between your local machine and the IBM Planning Analytics cloud shared folder.

You’ll find the required FTP client configuration information – including the host address, username, and password for the shared folder access – within your IBM Planning Analytics Cloud Welcome Kit. Some important points to remember:

  • Make sure your FTP client is set to use passive mode (a connection method where the client initiates the connection to the server’s data port, instead of the server actively connecting to the client’s data port for the connection).
  • The default FTPS port is 21, but since your specific Planning Analytics setup may vary, you should verify that port 21 is correct.
  • Once connected, you can upload, download, and manage files within the IBM Planning Analytics shared folder.

ACL on SFTP

Access Control Lists – or ACLs – are a filesystem feature used to grant read, write, and/or execute permissions to specific user ids for specific folders. As stated, these shared folder permissions will not apply to Drive Explorer users, but you can submit a request that certain user permissions be applied to specific sub-folders in your IBM Planning Analytics shared folder for specific FTPS users.

To accomplish this, you can create a text file named shared_folder_acls.txt containing five columns separated by tabs. Each row represents a separate Access Control List (ACL). The column entries in the table represent the following properties:

  • The first column entry is the Path and uses forward slashes (/). A single forward slash (/) indicates the root of the shared folder.
  • The second column entry is the Username. It must start with “fs_”, followed by the environment name, followed by a final part that you can define. The entry is limited to 20 characters. (Tip: You should create a user with full permissions, such as “fs_rp2team4_admin” in the example).
  • The third column entry is the Permissions – r (read), w (write) and d (delete). If no permission is specified, then rwd is assumed.
  • The fourth column entry indicates whether the ACL should be Inherited (that is, child folders will inherit this ACL). The default is true. The options are “true” and “false”.
  • The fifth column entry indicates the Type of permission, “allow” or “deny”. The default is “allow”.

Note that if the shared_folder_acls.txt file contains multiple entries for a single user, the last entry for any given folder takes precedence. Also, if you want to specify varying levels of permission to multiple folders for an individual user and want to use the true Inherited property, you should specify the ACLs in order of most general Path to most specific.
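
As an added example (not from IBM or the original post), here is a small Python linter that checks a shared_folder_acls.txt against the column rules above and flags the two pitfalls in the note: repeated entries and general paths listed after specific ones. The function name lint_acls, the sample rows, and the treatment of blank or omitted cells as defaults are assumptions made here.

```python
DEFAULTS = ("rwd", "true", "allow")  # permissions, inherited, type defaults stated above

def is_parent(parent, child):
    return parent != child and (parent == "/" or child.startswith(parent + "/"))

def lint_acls(text, env):
    """Return (effective, problems); effective maps (user, path) -> (perms, inherited, type)."""
    effective, problems, paths_by_user = {}, [], {}
    prefix = f"fs_{env}"
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("\t")]
        if not 2 <= len(cols) <= 5:
            problems.append(f"line {n}: expected 5 tab-separated columns, got {len(cols)}")
            continue
        cols += [""] * (5 - len(cols))  # assumption: blank or omitted cells take the defaults
        raw, user = cols[0], cols[1]
        perms, inherited, kind = (c or d for c, d in zip(cols[2:], DEFAULTS))
        if not raw.startswith("/") or "\\" in raw:
            problems.append(f"line {n}: path must use forward slashes from the root")
        if not user.startswith(prefix) or len(user) <= len(prefix) or len(user) > 20:
            problems.append(f"line {n}: bad username {user!r}")
        if not set(perms) <= set("rwd"):
            problems.append(f"line {n}: bad permissions {perms!r}")
        if inherited not in ("true", "false") or kind not in ("allow", "deny"):
            problems.append(f"line {n}: bad inherited/type {inherited!r}/{kind!r}")
        path = raw.rstrip("/") or "/"
        if (user, path) in effective:
            problems.append(f"line {n}: replaces earlier entry for {user} on {path}")
        if inherited == "true" and any(is_parent(path, p) for p in paths_by_user.get(user, [])):
            problems.append(f"line {n}: general path {path} listed after a more specific one")
        paths_by_user.setdefault(user, []).append(path)
        effective[(user, path)] = (perms, inherited, kind)  # last entry wins
    return effective, problems

# Constructed sample; user ids follow the "fs_rp2team4_admin" pattern mentioned above.
SAMPLE = "\n".join([
    "/\tfs_rp2team4_admin\trwd\ttrue\tallow",
    "/finance/payroll\tfs_rp2team4_ana\tr\ttrue\tallow",
    "/finance\tfs_rp2team4_ana\trw\ttrue\tallow",       # wrong order: parent after child
    "/hr\tfs_rp2team4_ana\t\t\tdeny",                   # blank cells become rwd and true
    "/hr\tfs_rp2team4_ana\tr",                          # same user and folder: last entry wins
    "/hr\tfs_rp2team4_contractor01\trx\tfalse\tallow",  # id over 20 chars, unknown permission
])

if __name__ == "__main__":
    EFFECTIVE, PROBLEMS = lint_acls(SAMPLE, env="rp2team4")
    print(*PROBLEMS, sep="\n")
```

Running the linter before submitting the file catches a deny row that a later allow row silently replaces, which is the kind of mistake that is otherwise only noticed once a user has more access than intended.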

Bottom line: if you want folder permissions, then you must apply ACL via the SFTP Fileshare; basically, you must TURN OFF Drive Explorer for your users and only give them access through SFTP.

Another Option

Practically speaking, the above approach may “break down” for larger numbers of users and/or subfolders, since it’s frankly impractical to maintain a large “SFTP id to subfolder” matrix. Therefore, consider whether the “Allow file upload” Action Button property can meet your needs. This feature lets you upload a file to a Planning Analytics database and run a process to use that file – without actually having access to the Planning Analytics Cloud shared folder, eliminating the need for specific folder and subfolder access controls.

With this feature (reviewed in an earlier post), you can perform drag and drop file uploads by dragging a file from a local folder using the Planning Analytics Workspace (PAW) interface, allowing you to import data without needing any additional applications or access to any cloud storage.

If you would like more information on the above or have specific questions about the use of Drive Explorer, implementing ACL folder security or the “Allow file Upload” feature, you can always contact the QueBIT team.