Setting Data Access Permissions on Dimensions
You can restrict access to data in stories by setting read and write permissions for individual members. You can activate this security feature for any dimension in the model.
Context
You can enable data access restrictions using the Data Access Control (DAC) setting. When DAC is on, two more columns (Read and Write) are added to the dimension grid so that you can apply individual settings to each row. For the Version dimension, a Delete column is added as well as Read and Write columns to control which users can delete each public version.
You can select one or more users (or simply all users) who will have access to the data.
When DAC is used with hierarchical data, you may want to switch Hide Parents on. Using this setting, you can restrict which dimension members can be seen in the Modeler or in Stories. If this option is enabled, users will see only the members that they have at least Read access to.
User Role | Expected Behavior |
---|---|
SystemOwner | Will be able to see all the members. |
Admin | Will be able to see all the members. |
BI Admin | Will be able to see all the members. |
BI Content Creator | Will be able to see all the members. |
BI Content Viewer | Will be able to see only the members that they have at least Read access to. |
Modeler | Will be able to see all the members. |
Planner Reporter | Will be able to see only the members that they have at least Read access to. |
Viewer | Will be able to see only the members that they have at least Read access to. |
Canada $110 British Columbia $50 (Read access) Vancouver $40 Kelowna $10 Alberta $60 Calgary $20 (Read access) Edmonton $10 (Read access) Lethbridge $30
DAC is used to restrict access to the members Alberta and Lethbridge.
If you switch on the Hide Parents setting, Alberta and Lethbridge are not shown, and Calgary and Edmonton are moved up to the top hierarchy level:
Canada $50 British Columbia $50 Vancouver $40 Kelowna $10 Calgary $20 Edmonton $10
If you turn off the Hide Parents setting, Calgary and Edmonton are displayed below their parent member Alberta:
Canada $80 British Columbia $50 Vancouver $40 Kelowna $10 Alberta $30 Calgary $20 Edmonton $10
Depending on which dimension members users are authorized to see, the aggregated value for Alberta can be different for different users, which could be misleading. For example, if User A has read access to Lethbridge, but User B does not, then User A would see an aggregated value of $60 for Alberta, while User B would see $30.
In the case you’ve been provided access on a node that is parent for more than one hierarchy, you won’t be able to view all members of the 2nd hierarchy: You’ll only see the members you were given access to the first hierarchy. Let’s take this example with the Parent “Locations”, which is parent of 2 hierarchies “Markets” and “Offices”:
As you can see “Global” is member of both hierarchies. If Data Access Control is ON and Hide Parent is OFF, you won’t be able to see the transactional data for member that are not child of “Global” in hierarchy “Markets”:
In the first hierarchy, the data access control cascades down: if you have access to the parent, you can see all children. But in the second hierarchy, this does not apply. Even if you have access to the parent, you will only see the children that are part of the first hierarchy and for which you have at least read authorizations.
Now if you switch the Hide Parent on ON, only the "Global" data will be shown: