Object Security

[RudiHendrix]

At the moment I'm experimenting with Object Security in FM.

But I'm seeing some strange behaviour.

At our project I am in the Active Directory group "Cognos_Technical_System_Maintenance". In Cognos we have created our own groups in Cognos; one of them is "Beheerders".
Further in Cognos we have set "Cognos_Technical_System_Maintenance" as member of "Beheerders".

Then I start applying object security in FM. There we have a structure like:
Sales (namespace)
  Opportunity (namespace)
     Some dimensions and measures
  Offer (namespace)
     Some dimensions and measures
  Contract (namespace)
     Some dimensions and measures
Billing (namespace)
  Some dimensions and measures

If I apply object security to the namespaces "Sales" and "Billing" and tell the system that only "Beheerders" should be able to see it and go to QS (if already open log out and log back in) and test it I see the following:
Sales (namespace)
  Opportunity (namespace)
  Offer (namespace)
  Contract (namespace)
Billing (namespace)

So, I am able to expand "Sales", but I'm not able to see anything below it. No dimensions nor measures.

If I return everything to what it was and tell the system that "Beheerders" are allowed to see only Opportunity, Offer and Billing it looks like this:
Opportunity (namespace)
Offer (namespace)
Billing (namespace)

Still nothing visible below the namespaces!

So, it does apply the security, but it seems that it is not automatically inherited.
I've also tried including all items of the presentation layer to grant the "Beheerders" explicitly access, but it doesn't work.

I'm applying this object security to the presentation layer where we have shortcuts to the items in the dimensional layer.

[MFGF]

Hi,

The issue is that you are granting access at the presentation layer, which is just namespaces and shortcuts.  The problem is you don't have access to the underlying query subjects/regular dimensions the shortcuts point to (so the shortcuts themselves are omitted).

Repeat this grant process at the dimensional layer, and you should have success.

Best regards,

MF.

[RudiHendrix]

Hmmm...

Ok, I'm going to try that. But it means that I'll have to change my complete model.

Just to be on the safe side...
In the following structure all namespaces (except for "Sales") had the "Account" dimension. Obviously I created one shortcut and copy-pasted it.
Sales (namespace)
  Opportunity (namespace)
     Some dimensions and measures
  Offer (namespace)
     Some dimensions and measures
  Contract (namespace)
     Some dimensions and measures
Billing (namespace)
  Some dimensions and measures

Now I will be recreating this structure in the dimensional layer. So I'm creating a "Sales" namespace and within it an "Opportunity", "Offer" and "Contract" namespace. And next to "Sales" I create a "Billing" namespace. Then I drag the "Account" dimension to the "Opportunity" namespace. Next I hold the  ctrl key and drag the "Account" dimension to both the "Offer" and the "Contract" namespace. And as last step I ctrl + drag the "Account" dimension to the "Billing" namespace. Will that still work?

Then I apply object security to the "Sales" namespace allowing group A access without denying group B access. And group B gets access to the "Billing" namespace without denying access for group A. Will the users from group B then still be able to see the "Account" dimension in the "Billing" namespace as they don't have access to the "Account" dimension from the "Sales" namespace?
In the end the data is coming from the same table.

I was under the impression that it would be best to create the structure with the presentation layer. Because it makes it easier to change a name of an attribute for example in one place only.

[MFGF]

Hmmm...

Ok, I'm going to try that. But it means that I'll have to change my complete model.

Just to be on the safe side...
In the following structure all namespaces (except for "Sales") had the "Account" dimension. Obviously I created one shortcut and copy-pasted it.
Sales (namespace)
  Opportunity (namespace)
     Some dimensions and measures
  Offer (namespace)
     Some dimensions and measures
  Contract (namespace)
     Some dimensions and measures
Billing (namespace)
  Some dimensions and measures

Now I will be recreating this structure in the dimensional layer. So I'm creating a "Sales" namespace and within it an "Opportunity", "Offer" and "Contract" namespace. And next to "Sales" I create a "Billing" namespace. Then I drag the "Account" dimension to the "Opportunity" namespace. Next I hold the  ctrl key and drag the "Account" dimension to both the "Offer" and the "Contract" namespace. And as last step I ctrl + drag the "Account" dimension to the "Billing" namespace. Will that still work?

Then I apply object security to the "Sales" namespace allowing group A access without denying group B access. And group B gets access to the "Billing" namespace without denying access for group A. Will the users from group B then still be able to see the "Account" dimension in the "Billing" namespace as they don't have access to the "Account" dimension from the "Sales" namespace?
In the end the data is coming from the same table.

I was under the impression that it would be best to create the structure with the presentation layer. Because it makes it easier to change a name of an attribute for example in one place only.

No - don't go down this route.  Leave your dimensional layer defined with one occurrence of each query subject/regular dimension etc or you will be introducing a huge maintenance headache later on if you create multiple copies.

Instead, define object security directly on the query subjects/regular dimensions at this level, or grant access to the entire Dimensional namespace and stick with the previously defined security in the presentation layer.

MF.

[RudiHendrix]

No - don't go down this route.  Leave your dimensional layer defined with one occurrence of each query subject/regular dimension etc or you will be introducing a huge maintenance headache later on if you create multiple copies.

True :)
Thanks for your swift response, but I have it almost finished in that way right now... I'll save it as a separate version :)

Instead, define object security directly on the query subjects/regular dimensions at this level, or grant access to the entire Dimensional namespace and stick with the previously defined security in the presentation layer.

MF.

Defining the object security directly on the regular dimension is not possible since the users should be able to look at the "Account" dimension in one namespace, but not in another namespace (since the other namespace is entirely invisible to them).
So what you're proposing is to allow both groups access to the entire dimensional layer namespace and then leave the security on the presentation layer to allow group A access to "Sales" and allow group B access to "Billing"?

That just might work! I'm going to give it a shot!

[MFGF]

So what you're proposing is to allow both groups access to the entire dimensional layer namespace and then leave the security on the presentation layer to allow group A access to "Sales" and allow group B access to "Billing"?

Yes.  Hopefully that will mean less work and maintenance later.

[RudiHendrix]

Yes, it worked!

And it definately saved me a lot of work! Thanks!

[MFGF]

Excellent!  Glad you got it sorted.