Skip to main content

OneStream

OneStream Security: How to Check Security Groups Assigned/Used or Not Used

Datasecurity

During the implementation of OneStream application, Implementation Consultants and Administrators create different security groups based on the client’s security access requirements. However, as the project progresses from one phase to another, these security groups may become obsolete or redundant.

Security groups are assigned to different objects in the application to enable users to access certain sets of data or reports, or execute tasks depending on the data access required to perform their tasks.

This article aims to help you identify the security groups assigned or used or not used within the OneStream application.

    • Login To OneStream Application as Administrator
    • Navigate to or Click on System Tab
    • Click on Security – Find a Group/User
    • Click on “Show All Groups in the Selected Group” – This will show you which groups are assigned to which Child/Parent Group if you select a group.
    • or “Show All Parent Groups for Selected User” – This will show you which user is assigned to which Child/Parent group.

If a security group is not assigned to a user or a parent group, it denotes that the group is not being utilized in the application.

Security groups are usually assigned to various objects within the OneStream Application, as listed below:

    1. Security Roles (Application/Security Roles)
    2. Dimensions (Application/Dimension Page – All Dimensions – Entity, Account, Scenario, Flow and User Defined (1-8)) 
    3. Cube Properties (Application/Cube/Cube Properties)
    4. Cube Data Access (Application/Cube/Cube Data Access)
    5. Workflow Profiles (Application/Workflow Profiles)
    6. Confirmation Rules 
    7. Certification Questions
    8. Data Sources
    9. Transformation Rules
    10. Form Templates
    11. Journal Templates
    12. Cube Views
    13. Dashboards

Security can be defined using several methods, such as Security Roles, Entity Security, Cube Security, and Workflow Security. However, to run a report, security group assignment must be applied to Cube View Profiles and Dashboard Profiles. Confirming security group assignment requires the Administrator to check all of the above, and it can be time-consuming to find where a security group is assigned. To simplify this search, the Administrator can use the following workaround or method:

    1. Log into Application
    2. Click on Application Tab
    3. Click on Tools Section
    4. Click on Load/Extract option.
    5. Click on Extract / Select an option from drop down list.
    6. Click on Dimension/Select a specific Dimension/ ex: Entity. or any other metadata object like Cube, Account, UD Dimensions)
    7. Click on Extract option on the header bar and save the file to your computer.
    8. Open the saved Xml file using an editor (Notepad or Notepad++ utility). Tip: Uncheck Wrap Text option
    9. Simply Search and Find the group in question.
    10. If you come across a group being used in the XML file as described below, it means the Security Group is being utilized. Verify the assignment and ensure that it is correctly assigned to users and controls data access.
      • “AccessGroup=”Everyone” (used in Cube View Profiles, Dashboard Profiles, Data Sources, Transformation Rule Profiles)
      • “maintenanceGroup=”Everyone” (used in Cube View Profiles, Dashboard Profiles, Data Sources, Transformation Rule Profiles)
      • “displayMemberGroup=”Everyone” (Entity, Account, Flow and UD Dimensions)
      • “readDataGroup=”Everyone” (used in Entity)
      • “readDataGroup2=”Nobody” (used in Entity)
      • “readWriteDataGroup=”Everyone” (used in Entity)
      • “readWriteDataGroup2=”Nobody” (used in Entity)
      • “ManageDataGroup=”Administrators” (used in Scenario)
      • “CalculateFromGridsGroup” value=”Everyone” (used in Scenario)

Each Security Group assigned will appear in the above group assignments. If a group does not exist in any of the above thirteen application setups, then one can safely assume that the security group in question is redundant and not being used. Before deactivating a group, make sure the group is unassigned from users and then take proper action to deactivate.

Note:

Please follow these guidelines when defining security groups:

  1. Use a standard naming convention that includes a prefix to identify groups specific to your client needs. For example, use WFE and WFC to denote Workflow Execution profiles and Certification profiles, respectively.
  2. Add your client’s company name (three-digit) as a prefix to ensure that the security group name is unique.
  3. Exercise caution when using the Extract feature to store data on your computer.
  4. Do not click on the Extract and Edit Button while extracting data, as this may result in saving an XML file with incorrect changes.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Venkata Putrevu, Lead Business Consultant

Venkata Putrevu is a technology and systems enthusiast, who is passionate about Financial Systems and Integrations and wants to share knowledge in this space. He is a Lead Business Consultant working at Perficient in their CPM Team. Venkata is a qualified Cost & Management Accountant with a Master's degree in Accounting. Nearly 25 years of insightful experience in various fields such as People Management, People Development, Program and Project Management, Mergers, Acquisitions & Divestiture (MA&D) System Integrations. He has implementation and firsthand experience in OneStream and Oracle Consolidations. He has experience in OneStream, Oracle E-Business Suite Implementations & Upgrades, along with experience in SAP FICO, and BaaN Financials implementations. In his free time, he loves to read, travel, visit new places, listen to various types of music, and relax with family and friends. Venkata looks forward to writing about his experiences and sharing his knowledge.

More from this Author

Categories
Follow Us