During the implementation of a OneStream application, implementation consultants and administrators create different security groups based on the client’s security access requirements. However, as the project progresses from one phase to another, these security groups may become obsolete or redundant.
Security groups are assigned to different objects in the application to enable users to access certain sets of data or reports, or execute tasks depending on the data access required to perform their tasks.
This article aims to help you identify which security groups are assigned and in use, and which are not, within the OneStream application.
- Log in to the OneStream application as an Administrator.
- Navigate to or click on the System tab.
- Click on Security – find a group or user.
- Click on “Show All Groups in the Selected Group” – if you select a group, this shows which groups are assigned to which child/parent group.
- Or click on “Show All Parent Groups for Selected User” – this shows which child/parent groups the user is assigned to.
If a security group is not assigned to a user or a parent group, it denotes that the group is not being utilized in the application.
Security groups are usually assigned to various objects within the OneStream Application, as listed below:
- Security Roles (Application/Security Roles)
- Dimensions (Application/Dimension Page – All Dimensions – Entity, Account, Scenario, Flow and User Defined (1-8))
- Cube Properties (Application/Cube/Cube Properties)
- Cube Data Access (Application/Cube/Cube Data Access)
- Workflow Profiles (Application/Workflow Profiles)
- Confirmation Rules
- Certification Questions
- Data Sources
- Transformation Rules
- Form Templates
- Journal Templates
- Cube Views
- Dashboards
Security can be defined using several methods, such as Security Roles, Entity Security, Cube Security, and Workflow Security. However, to run a report, security group assignment must be applied to Cube View Profiles and Dashboard Profiles. Confirming security group assignment requires the Administrator to check all of the above, and it can be time-consuming to find where a security group is assigned. To simplify this search, the Administrator can use the following workaround or method:
- Log in to the application.
- Click on the Application tab.
- Click on the Tools section.
- Click on the Load/Extract option.
- Click on Extract and select an option from the drop-down list.
- Click on Dimension and select a specific dimension, e.g. Entity (or any other metadata object such as Cube, Account or UD Dimensions).
- Click on the Extract option on the header bar and save the file to your computer.
- Open the saved XML file in an editor (Notepad or Notepad++). Tip: uncheck the Wrap Text option.
- Search for the group in question.
- If you come across a group being used in the XML file as described below, it means the security group is being utilized. Verify the assignment and ensure that it is correctly assigned to users and controls data access.
  - AccessGroup="Everyone" (used in Cube View Profiles, Dashboard Profiles, Data Sources, Transformation Rule Profiles)
  - maintenanceGroup="Everyone" (used in Cube View Profiles, Dashboard Profiles, Data Sources, Transformation Rule Profiles)
  - displayMemberGroup="Everyone" (Entity, Account, Flow and UD Dimensions)
  - readDataGroup="Everyone" (used in Entity)
  - readDataGroup2="Nobody" (used in Entity)
  - readWriteDataGroup="Everyone" (used in Entity)
  - readWriteDataGroup2="Nobody" (used in Entity)
  - ManageDataGroup="Administrators" (used in Scenario)
  - "CalculateFromGridsGroup" value="Everyone" (used in Scenario)
Each Security Group assigned will appear in the above group assignments. If a group does not exist in any of the above thirteen application setups, then one can safely assume that the security group in question is redundant and not being used. Before deactivating a group, make sure the group is unassigned from users and then take proper action to deactivate.
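The manual search described above can be scripted once several objects have been extracted. The following is an added example, not OneStream code or part of the original article: it parses extract files and reports every group-valued setting, so a group can be checked against all extracts at once. The element names in the constructed sample and the case-insensitive comparison of group names are assumptions; the setting names are the ones listed above.

```python
import re
import xml.etree.ElementTree as ET

# Setting names on the page all end in "Group" or "Group2" (any letter case).
GROUP_SETTING = re.compile(r"group\d*$", re.IGNORECASE)

# Constructed sample. Element names are assumptions; the group settings are
# the ones listed above. Real extracts will be larger and nested differently.
SAMPLE_XML = """<extract>
  <dimension name="Entities" AccessGroup="Everyone" maintenanceGroup="Administrators">
    <member name="E100" displayMemberGroup="Everyone"
            readDataGroup="WFE_Europe" readDataGroup2="Nobody"
            readWriteDataGroup="WFE_Europe" readWriteDataGroup2="Nobody"/>
  </dimension>
  <dimension name="Scenarios" AccessGroup="Everyone" maintenanceGroup="Administrators">
    <member name="Actual" ManageDataGroup="Administrators">
      <property name="CalculateFromGridsGroup" value="Everyone"/>
    </member>
  </dimension>
</extract>"""

def group_assignments(xml_text):
    """Return (object, setting, group) for each group setting in one extract."""
    root = ET.fromstring(xml_text)
    parent = {child: node for node in root.iter() for child in node}
    found = []
    for elem in root.iter():
        label = elem.get("name", elem.tag)
        for attr, value in elem.attrib.items():
            if GROUP_SETTING.search(attr):            # readDataGroup="..."
                found.append((label, attr, value))
        setting = elem.get("name", "")
        if GROUP_SETTING.search(setting) and "value" in elem.attrib:
            owner = parent.get(elem)                  # "XGroup" value="..."
            owner_label = owner.get("name", owner.tag) if owner is not None else elem.tag
            found.append((owner_label, setting, elem.get("value")))
    return found

def where_used(extracts, group):
    """Every (object, setting) that references `group`, ignoring letter case."""
    return [(obj, setting) for x in extracts
            for obj, setting, g in group_assignments(x)
            if g.casefold() == group.casefold()]

def unused_groups(extracts, candidates):
    """Candidates referenced by no extract; still check user/parent-group assignment."""
    used = {g.casefold() for x in extracts for _, _, g in group_assignments(x)}
    return sorted(c for c in candidates if c.casefold() not in used)
```

A group reported by `unused_groups` is only unused in the extracts that were passed in, so every object type listed earlier has to be extracted before the result is relied on.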
Note:
Please follow these guidelines when defining security groups:
- Use a standard naming convention that includes a prefix to identify groups specific to your client needs. For example, use WFE and WFC to denote Workflow Execution profiles and Certification profiles, respectively.
- Add your client’s company name (three-digit) as a prefix to ensure that the security group name is unique.
- Exercise caution when using the Extract feature to store data on your computer.
- Do not click on the Extract and Edit Button while extracting data, as this may result in saving an XML file with incorrect changes.