Setting Data Access Permissions on Dimensions

You can restrict access to data in stories by setting read and write permissions for individual members. You can activate this security feature for any dimension in the model.

Context

You can enable data access restrictions using the Data Access Control (DAC) setting. When DAC is on, two more columns (Read and Write) are added to the dimension grid so that you can apply individual settings to each row. For the Version dimension, a Delete column is added as well as Read and Write columns to control which users can delete each public version.

You can select one or more users (or simply all users) who will have access to the data.

Note

When DAC is used with hierarchical data, you may want to switch Hide Parents on. Using this setting, you can restrict which dimension members can be seen in the Modeler or in Stories. If this option is enabled, users will see only the members that they have at least Read access to.

User Role Expected Behavior
SystemOwner Will be able to see all the members.
Admin Will be able to see all the members.
BI Admin Will be able to see all the members.
BI Content Creator Will be able to see all the members.
BI Content Viewer Will be able to see only the members that they have at least Read access to.
Modeler Will be able to see all the members.
Planner Reporter Will be able to see only the members that they have at least Read access to.
Viewer Will be able to see only the members that they have at least Read access to.
Example
Consider this example with one hierarchy:
Canada                  $110
     British Columbia   $50 (Read access)
          Vancouver     $40
          Kelowna       $10
     Alberta            $60
          Calgary       $20 (Read access)
          Edmonton      $10 (Read access)
          Lethbridge    $30

DAC is used to restrict access to the members Alberta and Lethbridge.

If you switch on the Hide Parents setting, Alberta and Lethbridge are not shown, and Calgary and Edmonton are moved up to the top hierarchy level:

Canada                  $50
     British Columbia   $50
          Vancouver     $40
          Kelowna       $10
Calgary                 $20
Edmonton                $10

If you turn off the Hide Parents setting, Calgary and Edmonton are displayed below their parent member Alberta:

Canada                  $80
     British Columbia   $50
          Vancouver     $40
          Kelowna       $10
     Alberta            $30
          Calgary       $20
          Edmonton      $10

Depending on which dimension members users are authorized to see, the aggregated value for Alberta can be different for different users, which could be misleading. For example, if User A has read access to Lethbridge, but User B does not, then User A would see an aggregated value of $60 for Alberta, while User B would see $30.

Example
Now, consider another example with 2 hierarchies:

In the case you’ve been provided access on a node that is parent for more than one hierarchy, you won’t be able to view all members of the 2nd hierarchy: You’ll only see the members you were given access to the first hierarchy. Let’s take this example with the Parent “Locations”, which is parent of 2 hierarchies “Markets” and “Offices”:

As you can see “Global” is member of both hierarchies. If Data Access Control is ON and Hide Parent is OFF, you won’t be able to see the transactional data for member that are not child of “Global” in hierarchy “Markets”:

In the first hierarchy, the data access control cascades down: if you have access to the parent, you can see all children. But in the second hierarchy, this does not apply. Even if you have access to the parent, you will only see the children that are part of the first hierarchy and for which you have at least read authorizations.

Now if you switch the Hide Parent on ON, only the "Global" data will be shown:

Procedure

  1. Open the dimension that you want to modify.
  2. In the Dimension Settings panel, switch Data Access Control on.
    The Read and Write columns are added to the dimension grid.
  3. Switch Hide Parents on if desired (see above note).
  4. You can now use the two new columns Read and Write to control access to all rows of the grid by selecting one or more users in either or both of the columns.

    Each user who is granted Write access for a member automatically receives permission to read the data as well. Likewise, a user who receives the Delete permission for a member of the Version dimension also receives Read and Write permissions for it.

    To see a summary of all data access settings for all dimensions in the model, select Start of the navigation path (Model Preferences) Next navigation step Access and PrivacyEnd of the navigation path. Note that the displayed list is read-only; the data access setting can be changed only in the Dimension Settings panel.