Model and Version Security
You can apply security settings to models and dimensions, and you can also apply more detailed restrictions.
Models can be shared the same way that stories and folders can be shared. In the sharing dialog, you can choose the access level for the users or teams that the model is shared with: View, Edit, Full Control, or a Custom access level. Models that aren't shared can't be viewed or modified by anyone but the model owner.
For information about sharing files, see Sharing a File or Folder.
You can also apply security settings based on user roles. In the Roles area, you can assign general permissions for all planning and analytic models, but you can't assign permissions for individual models. For information on user roles, see
Users must be assigned a role with the same overall model permission level as the model type they want to access. For example, someone assigned only Read access to Analytic Models in their role (and not also granted Update, Delete, or Maintain) will only ever be able to view data from the models they are allowed to read, even if they are additionally granted Update, Delete, or Maintain permissions on those models.
Think of it like a combination: to read a user's private planning model that has been shared with you, you'll need three things:
- Rights to read the model via the sharing rights that are set by the user when they share it.
- Read rights on the Planning Model application privilege.
- Read Rights on the Private Files application privilege.
If you don't have one of these three rights, you won't be able to read (open or use) the model.
Use data access control to restrict access to individual values in the model to specific users.
Security at the level of individual dimensions adds two extra Read and Write columns to the data table for the dimension where it has been activated. You can use these to control access (based on teams or individual user IDs) to specific cells or values. To enable dimension security, switch on Data Access Control in the Dimension Settings (see Dimension Settings).
The following example illustrates how the data permissions restrict what users can do with the model.
The model P&L Planning has the following permissions on its dimensions:
- Account: Access control enabled
- Organization: Access control enabled
- Version
- Date
Account dimension:

Member ID | Read | Write |
---|---|---|
P00001 | MARTIN_BRODY | MARTIN_BRODY |
P00002 | MATT_HOOPER | MATT_HOOPER |

Organization dimension:

Member ID | Read | Write |
---|---|---|
EMEA | MARTIN_BRODY | MARTIN_BRODY |
Germany | - | - |
France | - | - |
APJ | MATT_HOOPER | MATT_HOOPER |
US | | |
China | - | - |

Data in the public version:

Organization | Public Version: Account.P00001 | Public Version: Account.P00002 |
---|---|---|
EMEA | 300 | 400 |
Germany | 200 | 300 |
France | 100 | 100 |
APJ | 400 | 500 |
US | 200 | 300 |
China | 200 | 200 |

Subset of this data for EMEA, Germany, and France on Account.P00001:

Organization | Public Version: Account.P00001 |
---|---|
EMEA | 300 |
Germany | 200 |
France | 100 |
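
The Read evaluation behind the P&L Planning tables above, as an added Python example (not SAP code and not part of the original page). It assumes that "-" means a member inherits its parent's entry, that an empty cell grants nobody, and that Germany and France sit under EMEA and China under APJ; `PARENT`, `readers`, `can_read` and `visible_cells` are hypothetical names.

```python
# Read columns copied from the Account and Organization tables on this page.
READ = {
    "Account": {"P00001": "MARTIN_BRODY", "P00002": "MATT_HOOPER"},
    "Organization": {
        "EMEA": "MARTIN_BRODY", "Germany": "-", "France": "-",
        "APJ": "MATT_HOOPER", "US": "", "China": "-",
    },
}
# Assumed hierarchy (not stated on the page): "-" members inherit from these parents.
PARENT = {"Germany": "EMEA", "France": "EMEA", "China": "APJ"}

# Public version data copied from the page: organization -> (P00001, P00002).
ROWS = {"EMEA": (300, 400), "Germany": (200, 300), "France": (100, 100),
        "APJ": (400, 500), "US": (200, 300), "China": (200, 200)}
DATA = {(org, acc): val for org, vals in ROWS.items()
        for acc, val in zip(("P00001", "P00002"), vals)}


def readers(dimension, member):
    """Return the users granted Read on a member, resolving '-' via PARENT."""
    entry = READ[dimension].get(member, "")
    hops = 0
    while entry == "-":
        parent = PARENT.get(member)
        hops += 1
        if parent is None or hops > len(PARENT):
            return set()  # fail closed: no resolvable grant means no access
        member = parent
        entry = READ[dimension].get(member, "")
    return {u.strip() for u in entry.split(",") if u.strip()}


def can_read(user, org, account):
    """A cell is readable only if every access-controlled dimension grants Read."""
    return (user in readers("Organization", org)
            and user in readers("Account", account))


def visible_cells(user):
    """Cells of the public version that the user can read."""
    return {key: val for key, val in DATA.items() if can_read(user, *key)}


if __name__ == "__main__":
    for user in ("MARTIN_BRODY", "MATT_HOOPER"):
        print(user, visible_cells(user))
```

Under these assumptions, MARTIN_BRODY's result is the EMEA, Germany, and France rows for Account.P00001 shown in the last table, and the US row is readable by neither user because its Read cell is empty.
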
Adding version security to a model lets you restrict read, write, and delete access to public versions, to prevent other users or teams from changing them. Users who have read-only permission for public versions can still copy data to a private version that they can edit. Users who don't have write permissions can't publish into a public version. With delete permissions for a public version, a user can read, publish to, and delete a public version.
Similar to using Data Access Control (DAC) for other dimensions, you use DAC for Version dimensions to restrict access.
- Only users with the Update privilege (defined in ) can set DAC for a version dimension.
- Version security applies only to planning-enabled models.
- The default read/write/delete permission is “none”. You must explicitly enable read/write/delete access to users or teams, including yourself.
- The Version dimension was named the Category dimension in older versions of the application.
To restrict read and write access to a Version dimension:
- In the Modeler, open or create a model, and select the Version dimension.
- In the Dimension Settings panel, switch Data Access Control on, and then select OK.
  The three additional columns Read, Write, and Delete appear.
- Select a cell under Read, and then select to choose users and teams who you want to grant read access to.
- Do the same for the Write and Delete cells, to grant write and delete access.
You can see details of your choices in the Preview panel.