on 09-09-2008 7:21 AM
As the description in the user guide, we could find that if there are 2
different Member Access Profile, the least restrictive profile between
the two, will be applied.
Here is our question:
Access Authorization Entity Account
Profile A "Read/Write" "Human Resource" "All of the accounts"
Profile B "Read/Write" "All of the entities" "1000-Salary"
We set an ahthorization with 2 different dimensions. If we assign the
both Profile A and Profile B to the user in HR department, what we
expected is he can write in all of the account in his own entity and
write in account 1000-salary for all of the entities in company, but in
fact he got the authorization to Read/Write all of account in all of
the entity.
Apparently it's not the result we expected.
Does anybody have any good idea on it?
The result of the security you provided to the User is correct. Since Profile A grants permission to ALL accounts, and Profile B Grants access to ALL Entities, the least restrictive profile by dimension wins. Which in this case is ALL for both. A possible scenario is to only use a profile to assign Entities to users (no other dimensions), and then provide an ALL profile to Accounts for those who require the access. I suggest building a MATRIX of all the required users/teams and their assignments to determine the best combinations by profiles that include 1 or both dimensions. For example, a key trick in setting Category security to minimize adminstration when you need to turn on and off access to a member of catgeory, is to build 1 or 2 profiles specifically for category that all users and teams are assigned. Then you can easily edit 1 profile to grant or restrict access.
A quick note; I past experience the settings for Entity or Account don't always need to be set to READ/WRITE access, but just check SECURED in an application. THis still provides secuity around the members, but the control of WRITING data is limited to 1 dimension, such as category. If you have more than 1 read/write dimension per application, the complexity of your security and administration efforts is compounded by each additional R/W dimension. Restricting accounts gets difficult if you expect the user to only enter a few accounts, but have access to a P&L or full report.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
Unless thing have changed, BPC security can only be applied one dimension at a time. Meaning that the Data Access security is not applied by profile, but by dimension. So if you apply two different profiles to a user, this user will have the additions per dimension of each profile.
In other words, you cannot setup "intersection security".
If you find a way to do it, let me know... I'm interested
Cheers
Arnaud
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.