Setting Data Access Permissions on Dimensions

You can restrict access to data in stories by setting read and write permissions for individual members. You can activate this security feature for any dimension in the model.

Context

You can enable data access restrictions using the Data Access Control (DAC) setting. When DAC is on, two more columns (Read and Write) are added to the dimension grid so that you can apply individual settings to each row. For the Version dimension, a Delete column is added as well as Read and Write columns to control which users can delete each public version.

You can select one or more users (or simply all users) who will have access to the data.

Note

When DAC is used with hierarchical data, you may want to switch Hide Parents on. Using this setting, you can restrict which dimension members can be seen in the Modeler. If this option is enabled, users will see only the members that they have at least Read access to.

User Role Expected Behavior
SystemOwner Will be able to see all the members.
Admin Will be able to see all the members.
BI Admin Will be able to see all the members.
BI Content Creator Will be able to see all the members.
BI Content Viewer Will be able to see only the members that they have at least Read access to.
Modeler Will be able to see all the members.
Planner Reporter Will be able to see only the members that they have at least Read access to.
Viewer Will be able to see only the members that they have at least Read access to.

Consider this example hierarchy:

Canada                  $110
     British Columbia   $50 (Read access)
          Vancouver     $40
          Kelowna       $10
     Alberta            $60
          Calgary       $20 (Read access)
          Edmonton      $10 (Read access)
          Lethbridge    $30

DAC is used to restrict access to the members Alberta and Lethbridge.

If you switch on the Hide Parents setting, Alberta and Lethbridge are not shown, and Calgary and Edmonton are moved up to the top hierarchy level:

Canada                  $50
     British Columbia   $50
          Vancouver     $40
          Kelowna       $10
Calgary                 $20
Edmonton                $10

If you turn off the Hide Parents setting, Calgary and Edmonton are displayed below their parent member Alberta:

Canada                  $80
     British Columbia   $50
          Vancouver     $40
          Kelowna       $10
     Alberta            $30
          Calgary       $20
          Edmonton      $10

Depending on which dimension members users are authorized to see, the aggregated value for Alberta can be different for different users, which could be misleading. For example, if User A has read access to Lethbridge, but User B does not, then User A would see an aggregated value of $60 for Alberta, while User B would see $30.

Procedure

  1. Open the dimension that you want to modify.
  2. In the Dimension Settings panel, switch Data Access Control on.
    The Read and Write columns are added to the dimension grid.
  3. Switch Hide Parents on if desired (see above note).
  4. You can now use the two new columns Read and Write to control access to all rows of the grid by selecting one or more users in either or both of the columns.

    Each user who is granted Write access for a member automatically receives permission to read the data as well. Likewise, a user who receives the Delete permission for a member of the Version dimension also receives Read and Write permissions for it.

    To see a summary of all data access settings for all dimensions in the model, select Start of the navigation path (Model Preferences) Next navigation step Access and PrivacyEnd of the navigation path. Note that the displayed list is read-only; the data access setting can be changed only in the Dimension Settings panel.