The result of the security you provided to the User is correct. Since Profile A grants permission to ALL accounts, and Profile B Grants access to ALL Entities, the least restrictive profile by dimension wins. Which in this case is ALL for both. A possible scenario is to only use a profile to assign Entities to users (no other dimensions), and then provide an ALL profile to Accounts for those who require the access. I suggest building a MATRIX of all the required users/teams and their assignments to determine the best combinations by profiles that include 1 or both dimensions. For example, a key trick in setting Category security to minimize adminstration when you need to turn on and off access to a member of catgeory, is to build 1 or 2 profiles specifically for category that all users and teams are assigned. Then you can easily edit 1 profile to grant or restrict access.

A quick note; I past experience the settings for Entity or Account don't always need to be set to READ/WRITE access, but just check SECURED in an application. THis still provides secuity around the members, but the control of WRITING data is limited to 1 dimension, such as category. If you have more than 1 read/write dimension per application, the complexity of your security and administration efforts is compounded by each additional R/W dimension. Restricting accounts gets difficult if you expect the user to only enter a few accounts, but have access to a P&L or full report.

Hi,

Unless thing have changed, BPC security can only be applied one dimension at a time. Meaning that the Data Access security is not applied by profile, but by dimension. So if you apply two different profiles to a user, this user will have the additions per dimension of each profile.

In other words, you cannot setup "intersection security".

If you find a way to do it, let me know... I'm interested

Cheers

Arnaud