Metadata and Fact Data

proCube Security Manager automatically handles metadata for the functional areas and makes sure that any changes are sent to the proper database. proCube Security Manager handles the running of multiple applications and databases, and as the starting point for any modifications, proCube Security Manager reads the current security settings with the selected application database.

Fact data is handled manually on a per-rule basis from within proCube Security Manager. Fact data rules are easier to write and apply in proCube Security Manager than they are in proCube because, from a single dialog, you can click your way through your dimensions, users, groups, qualifiers, and access levels to build rules and then apply them across multiple functional areas. proCube Security Manager writes fact data security rules into the proCube database using the member alias for the selected members. If an alias does not exist, the security rule uses the member name. Each security rule within a cube is automatically given a sequential number and manually given a unique name. If the security rule changes, it will have to be updated with a new name.

Users may belong to one or more groups. If a user is a member of multiple groups and security is applied to each group, the user inherits the maximum level of security. When applying fact data security, the fewer the number of members and dimensions that are specified, the greater area the user or group will have access to. Each fact data security rule can have only one range, but each rule can have multiple users and groups assigned to it.

Security — database, cubes and dimensions

From proCube Security Manager, you can set security for your database, restrict cube access, and set security on a per-cube and a per-dimension basis.

To set database security:

  1. From the Database ribbon's Security Group, click Database Privileges to open the Database Security dialog.

DatabaseSecurityDialog.png

Figure 1.    Database Security Dialog

  1. To secure the database select Secure Database.

  2. Click OK to save changes and dismiss the dialog.

To set cube access:

  1. From the Database ribbon's Security Group, click Cube Access to open the Cube Access dialog.

CubeAccessDialog.png

Figure 2.    Cube Access Dialog

  1. Select the cubes for which accessed is restricted. The top part of this dialog lists the restrictions for access.

  2. Click OK to save changes and dismiss the dialog.

To set cube security:

  1. From the Functional Areas work space, navigate to and highlight a cube (e.g., Master Budget).

  2. From the Database ribbon's Security Group, click Metadata to open the Cube Security dialog. Here you will set security for a specific cube.

CubeSecurityDialog.png

Figure 3.    Cube Security Dialog

  1. Click Add to open the Select Users & Groups dialog.

  2. Highlight users and/or groups and click OK to dismiss that dialog and import your selections into the Cube Security dialog.

  3. [Optional] Selecting a user/group activates the Access Level: field. Here you can change the access level (e.g., from Read to Design). Available options are: None, Read, Add, and Design. You can also remove a user/group by selecting it and clicking Delete.

  4. Click OK to save your changes and dismiss the dialog.

To set or dimension security:

  1. From the Functional Areas work space, navigate to and highlight a dimension (e.g., Office).

  2. From the Database ribbon's Security Group, click Metadata to open the Dimension Security dialog. Here you will set security for a specific dimension.

DimensionSecurityDialog.png

Figure 4.    Dimension Security Dialog

  1. Click Add to open the Select Users & Groups dialog.

  2. Highlight users and/or groups and click OK to dismiss that dialog and import your selections into the Dimension Security dialog.

  3. [Optional] Selecting a user/group activates the Access Level: field. Here you can change the access level (e.g., from Read to Design). Available options are: None, Read, Add, and Design. You can also remove a user/group by selecting it and clicking Delete.

  4. Click OK to save your changes and dismiss the dialog.

Using a key alias

A key alias is a unique identifier for a dimension member name. Using a key identifier when writing security rules is beneficial because a change in the name of the dimension member referenced by the rule can't cause the rule to break. For example, an office dimension member is named '01 Los Angeles' and its key alias is '01'. The dimension member's key alias is used to write a security rule. Changing the dimension member name from '01 Los Angeles' to '01 City of Angels' will not affect the security rule because the rule was written using the key alias.

To use the key alias for a dimension member:

  1. From the Functional Area Work space, expand a functional area node to display its dimensions.

  2. Highlight a dimension, right-click, and select that dimension's key alias (e.g., Office_Alias). The key alias displays as the last item in the right-click menu.

KeyAliasRCMenu.png

Figure 5.    Key Alias Menu

  1. Write a security rule (see below) using that key alias.

Apply and use the key alias for all dimension members when writing your security rules.

Writing fact data security rules

The Build Fact Data Security dialog is used to write, edit, and reuse fact data rules. This dialog cuts down on much of the guesswork with syntax and formatting by doing that work for you. All you need to write a fact data security rule is to select the extent of the security rule and the objects it will affect.

To save any changes and write them to the proCube database, click Save.

The following figure shoes the available ribbon commands you will use to work with your security rules.

FunctionalAreaRibbonCommands.png

Figure 6.    Functional Area Ribbon Commands

To create a fact data security rule:

  1. From the Functional Area ribbon, click Build Rule to open the Build Fact Data Security dialog.

BuildFactDataSecurityDialog.png

Figure 7.    Build Fact Data Security Dialog

Here you will define:

  • Rule name: — A unique name for the security rule. If the rule is edited, a new name must be created. You can't save a rule without giving it a name.

  • Qualifier — Affects the dimension members. Choose from: All, Details, Aggregates, None.

  • Access Level — Sets the permission level. Choose from Read, Write, Reserve, Lock, Commit.

  • Functional Areas — Select a functional area where the security rule will be applied.

  • Dimensions — Select the dimensions where the security rule will be applied.

  • Users — Select the users for which the security permissions will apply.

  • Groups — Select the group for which the security permissions will apply.

As you define your rule, it gets built and appears in the lower part of the dialog.

  1. Click Validate to check the syntax.

  2. Click OK to save.

Example fact data security rule

This example shows first a security rule and then the Build Fact Data Security dialog prior to saving that security rule.

All and {'Office.02 New York'} allows {'New York'} to Read;

BuildFactDataSecurityDialogWithSecurityRule.png

Figure 8.    Sample Fact Data Security Rule

In the Dimension list (below the Functional Areas), the Office dimension is selected but not shown. The 26 New York member is selected.

More information on writing security rules is found in the proCube V8 online help.

Copying, modifying, deleting security rules

Security rules can be copied, changed, renamed, or deleted.

To copy/modify a security rule:

  1. From the Functional Area work space, navigate to a security rule and highlight it.

  2. If you want to copy a rule and change it into a new rule, click Copy Rule. If you want to modify an existing rule, click Edit Rule. The Build Fact Data Security dialog opens.

  3. Make your changes as needed. If you are copying a security, in the Rule Name field, enter a new name.

  4. Click Validate to check the syntax.

  5. Click OK to save and exit the dialog. From the Functional Area work space, navigate to your new/changed security role. This rule applies to each of the cubes within the assigned functional area.

To delete a security rule, navigate to that security rule within the Functional Area work space, highlight it, and click Delete Rule.

Synchronizing security rules

This functionality lets you take a security rule created for one cube and apply it to all other cubes within the functional area. If the rule does not exist in the cube, it will be created. If the rule exists in the cube, it will be updated in accordance with the functional area rule definition.

To synchronize security rules for a functional area:

  1. Create the security rule or modify an existing rule for a functional area. Make sure to validate the new/changed rule.

  2. Click Synchronize Rules to open the Synchronize Rules dialog.

SynchronizeRulesRevenueFA.png

Figure 9.    Synchronize Rules Dialog

  1. Select the target Functional Area and click OK to apply the new/changed rule to all cubes within the functional area.

 

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.
Powered by Zendesk