If you are unable to create a new account, please email support@bspsoftware.com

 

News:

MetaManager - Administrative Tools for IBM Cognos
Pricing starting at $2,100
Download Now    Learn More

Main Menu

Data security issue on combination of dimensions, FWM

Started by globalbear, 10 Jun 2010 04:58:59 AM

Previous topic - Next topic

globalbear

Lets say I have to set security on two dimensions - region and store type.

I have these transactions:

Trans_id              Region                Store type
1                        North Europe        Clothing store
2                        North Europe        Shoe store
3                        South Europe       Clothing store
4                        South Europe       Shoe store
5                        North America      Clothing store
6                        North America      Shoe store


Bill is region manager for North Europe and Ann is region manager for South Europe.

I set up two groups in my namespace: NEurope and SEurope.
I put Bill in the NEurope group an Ann in the SEurope group.

I then setup data security in FWM on the region dimension that gives group NEurope access to region North Europe and group SEurope access to region South Europe.

If I publish my package to the portal Bill should be able to pull data for region North Europe and Ann for region South Europe.

Bill would be able to see transactions 1 and 2 and Ann would be able to see transactions 3 and 4. None of them would be able to see transactions 5 and 6.

Quite straight forward so far.

Now, Adam is sales manager for clothing stores (all clothing stores regardless of their location). He should be able to see all data for all clothing stores.

How do I setup data security for Adam?

Say that I setup a security group called Clothing and then setup data security in FWM on the store type dimension that gives group Clothing access to store type Clothing Store. I then put Adam in the security group Clothing.

Adam would be granted access to transaction 1,3 and 5 based on his membership of group Clothing but denied access to the same transactions because he is not a member of any region group.

Bill would be granted access to transaction 1 and 2 based on his membership of group NEurope but denied access to the same transaction because he is not a member of any store type group.

Ann would be granted access to transaction 3 and 4 based on her membership of group SEurope but denied access to the same transaction because she is not a member of any store type group.

How do I solve this multi dimensional security problem?

Is there a best practice for these kind of questions?

globalbear

I think this quote from http://download.boulder.ibm.com/ibmdl/pub/software/dw/dm/cognos/modeling/security/security_in_framework_manager.pdf
solves my problem: (page 10)

"If a user or group is not listed in the security filter then that user or group has unrestricted access to that query subject."

This would be the case in my example. Bill and Adam and would be granted unrestricted access to the store type dimension since they are not listed in the security filter for that dimension. Adam would be granted unrestricted access to the region dimension since he is not listed in the security filter for that dimension.

Am I right? I hope so...