This should be controversial. A customer recently asked about Access Security and the tree reports (Measures - Rolling 5 Periods, Measures - Previous v. Current, Measures - Prior v. Current, Objectives - Previous vs. Current).
[customer] is using row-level security [e.g., access security - bjf]. They have configured the security for the different users and roles so that they can only see the data for a particular dimension.
The problem is obvious in their organization dimension. Specific users are only authorized for a certain level in the hierarchy. But these users can still see the level above their dimension that they are authorized for.
The customer's expectation was that if they restrict it to a specific level, the user won't be able to see the level above. Is there an option to achieve this?
Our response:
The problem they are having is specific to the tree report but it is not a violation of the security.
You are looking at a top-to-bottom level tree and therefore you have to be given the chain to get to the level where you have access to data. You can see the whole chain all the way down to the level where you have access, but the values displayed all along the chain are only taken from the level and value where your security starts. You cannot see peer chains or peer data until you’re at the level you have access.
So if you could see all the data and had no access limitation, you’d see:
(Country > City)
GERMANY [100.00]
    BERLIN [50.00]
    DUSSELDORF [50.00]
FRANCE [50.00]
    PARIS [25.00]
    NICE [25.00]
ITALY [20.00]
    ROME [10.00]
    FLORENCE [10.00]
If you had access limited to Berlin, you’d see:
GERMANY [50.00]
    BERLIN [50.00]
PMF has to show you Germany so it can show you Berlin. But notice that for Germany you only see aggregates taken from Berlin. You don’t see the values from Dusseldorf. And you don’t see France or Italy at all. So security is working.
Likewise, if you write an Analysis Designer report that starts at the top level, they will have to drill all the way down, but the data will only come from the level where they have access. You can design the Analysis Designer report to start at the second level, but not the tree.
Comments? How much do people want this changed and what do they want to see in the resulting change?
Bob Jude Ferrante
Director of Business and Development
WebFOCUS Performance Management
Bob_Ferrante@ibi.com
917-339-5105
I'll take any questions about PMF - business or technical - anytime!
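
The visibility rule described in the post above, sketched as an added example (not PMF code and not part of the original post). It generalizes to any depth and to grants at any level; `secured_tree`, `render` and the `ORG` data are hypothetical names and constructed sample values. The last field of each row flags whether the node is inside the user's grant or shown only as part of the chain, which is the part a reviewer would audit: the ancestor's name is disclosed, its peer values are not.

```python
# Constructed sample hierarchy using the Country > City figures from the post.
ORG = {
    "GERMANY": {"BERLIN": 50.0, "DUSSELDORF": 50.0},
    "FRANCE": {"PARIS": 25.0, "NICE": 25.0},
    "ITALY": {"ROME": 10.0, "FLORENCE": 10.0},
}


def secured_tree(node, grants, inherited=False, depth=0):
    """Return (total, rows) for what a user holding `grants` may see.

    node:   dict mapping name -> child dict or numeric leaf value
    grants: set of node names; a grant covers that node's whole subtree
    rows:   [(depth, name, value, in_grant)] in top-down display order
    """
    total, rows = 0.0, []
    for name, child in node.items():
        granted = inherited or name in grants
        if isinstance(child, dict):
            sub_total, sub_rows = secured_tree(child, grants, granted, depth + 1)
            if not granted and not sub_rows:
                continue  # no authorized descendant: peer chain stays hidden
            # An ungranted ancestor is shown, but its value is built only
            # from the authorized rows beneath it.
            rows.append((depth, name, sub_total, granted))
            rows.extend(sub_rows)
            total += sub_total
        elif granted:
            rows.append((depth, name, child, True))
            total += child
    return total, rows


def render(rows):
    """Format rows the way the post prints the tree."""
    return [f"{'    ' * d}{name} [{value:.2f}]" for d, name, value, _ in rows]


if __name__ == "__main__":
    _, rows = secured_tree(ORG, {"BERLIN"})
    print("\n".join(render(rows)))
    # Names disclosed only as part of the chain, outside the grant itself.
    print("chain-only:", [name for _, name, _, ok in rows if not ok])
```
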