Prior to the 2019.3 release, security was restricted to level access control in conjuncture with account, version, and sheet settings .  Limited no longer!  Security is more robust and now includes access rules on accounts and custom dimensions in order to limit specific intersections of data that users and groups can view or edit.  Levels, accounts, and up to three custom dimensions can be secured.

One must submit a support ticket and fill out the proper form to turn on access rules.  Once access rules are enabled in an instance, a new option titled “Access Rules” in the Users and Roles section of the Administration page will be available.

Regardless of the Owned Levels that are assigned in the “Users” section of Administration, once Access Rules are turned on, if a user is not included in the Access Rules, whether it be as an individual user or part of a group, that person will not have access to view any data.  (one-time setup when you first turn on access rules).

Creating Access Rules

The first step in applying access rules is selecting/adding the dimensions you want to secure.  This can include Levels, Accounts and custom Dimensions, with a few exceptions.

 Exceptions include:

  • There are already three secured custom dimensions
  • “Use on Level” or “Data import automatically creates dimension values” dimension settings are enabled
  • Modeled or Cube sheets that contain the dimension has the setting enabled to “Edit dimension on sheet”
  • The dimension has more than 10,000 values

The next step is to export the existing access rules or template (can be found by clicking Import), and add/update rows (access rules) as needed with the appropriate columns filled in.

Access Type – determines how data can be accessed and provides three options:  Limited View, Full View, and Edit.  Limited View prevents you from seeing supporting details such as splits, modeled sheet rows, and transactions.  Full View allows you to see all data details and Edit allows you to view all data and make changes.

Username or Group Name – will be the user ID or group name.  If multiple users have the same access, add them to a single group and write one access rule.

Level – is critical for users to access data and can include a mix of parents and children; including a parent level will assume access to all it’s descendants.  Can grant or exclude access.

Account or Custom Dimension columns – can be left blank (which assumes full access) or can grant or exclude access.

The final step is importing your access rules.  You can choose from the options:  “Update and Append” or “Replace All”.

 

Navigating the Access Rules Table

Type – refers to either User or Group and will autogenerate.  By clicking on “User” or “Group” in the Type column you can view the specific rule details.

More Options – all column headers except Level gives you additional options by hovering over them.  Type, Name, and Access provide sorting capabilities and Account and custom dimensions have a Remove option.

Search – quickly search for keywords to find specific rules

 

Rule Precedence

Many times, a user will have multiple access rules.  Be aware that access follows the most permissive rule.  For example, assume a scenario where a user is part of a group rule that has top level access and that user has an individual rule that limits access to only a couple child Levels.  That user will be able to access data at all levels because the group they are part of has top level access.

Example

In the Example above: 

  • User Test1 has Edit Access to Corporate and All Products
  • User Test2 has Edit Access to West Region, Bicycles and Skateboards
  • User Test3 has Full View Access to Southeast Region and All Products EXCEPT Snowplows
  • All users in the “Read Users” group have Limited View Access to All Levels EXCEPT Corporate and All Products