Comment: Migrated to Confluence 4.0

----
When a cube is published in *{_}O3 Server{_}*, it is necessary to assign access to it so that users can start using it.

Depending on each user's requirements it may be necessary to restrict access to some dimensions and measures. It is also possible to restrict access to specific elements of each dimension in a parametric way, facilitating the implementation of complex security requirements.

h2. *Cube Access Simple Assignment*

In its simplest form, O3 Server security lets you grant or deny access to the cubes for each of the roles defined in the server. This permission configuration is done per cube, by listing the roles that will have access to that cube. Users are given access to the cubes by being added as role players.

When a user tries to access a cube, O3 Server checks whether they play any of the roles assigned to the cube. If the server finds one of the user's roles assigned to the cube, they will have permission to access the cube in that role. If a user is associated with more than one role authorized for the cube, the user will use the first role in the list.

To assign authorized roles to a cube:
# Start the O3 Server Administrator component.
# Expand the Services \| Cubes \| Available Cubes branch in the Administration Tree.
# Select the cube you wish to assign a role to and click on the General Tab of the Properties Pane.
At the bottom of this tab you will see the list of authorized roles.
# Click on the _Add_ button. A new entry will be added to the list of authorized roles.
The _Administrators_ role is added by default.
# To select a role, double click on the Role column in the new list entry.
A list will drop down with the defined roles.
If no profile is indicated (the default value is (none)), all users in the selected role will have access to all the dimensions and measures of the cube.
# Click on the _Apply_ button in the Properties Pane.
The cube will be accessible to the users in that role.

To remove an authorized role from a cube:
# Start the O3 Server Administrator component.
# Expand the Services \| Cubes \| Available Cubes branch of the Administration Tree.
# Select the cube you wish to remove a role from and click on the _General_ tab in the Properties Pane.
At the bottom of this tab you will find the list of authorized roles. 
# Select the role to remove from the list and click on the _Remove_ button.
# Click on the _Apply_ button in the Properties Pane.
Bear in mind that a user may play more than one role. To ensure that they no longer have access to a cube, it is necessary to remove all the roles the user plays or to remove the user from the roles that no longer apply.
{quote}
(!) Note
Before making any change to a cube's properties, such as authorized roles, it is advisable to press the _Refresh_ button to make sure you have the updated list of roles.
{quote}

h2. *Cube Access Advanced Assignment: Access Profiles*

Besides basic security, which enables role authorization to the cubes, it is possible to associate an Access Profile to the roles to indicate the parts of the cube that can be accessed. 

Through access profiles, restrictions on dimensions and measures in a cube are defined.

Access Profiles are defined within each cube, as they refer to dimensions and measures that are specific to it.

A role authorized for a cube can have an associated access profile, which means that users accessing the cube through this role will have the restrictions on dimensions and measures defined by the profile. If a role has no profile, users accessing through it will not have restrictions on dimensions and measures; they will have full access to all dimensions and measures.

To define an access profile in a cube:
# Start O3 Server Administrator.
# Expand the Services \| Cubes \| Available Cubes branch in the Administration Tree.
# Select the cube for which you wish to define an access profile to restrict a dimension or measures.
# Select the Access Profiles tab in the cube Properties Pane.
If the cube is not available to users, this tab will appear as disabled. In the cube General tab the _Available_ property must be selected.
If you change this property to enable the Access Profiles tab, you must first click on the _Apply_ button for the change to take effect.
By default, when a cube is first published it is not made available to users. 
# To add a new Access Profile, click on the _Add_ button.
At the top of the tab there is a list with the already defined profiles.
When you press the _Add_ button, a new profile will be added to the list under the name Name_Profile_#.
Below this list of profiles, you will be able to change the new profile's name.
Below the new profile's name, there are two sub-tabs: Dimensions Access and Measures Access. It is there that restrictions on the profile are defined.
By default all dimensions and measures are made accessible.
# To define restrictions on dimensions in an Access Profile, select the profile from the list.
The profile name will appear in the box below the list and the Dimensions Access sub-tab will show a list of the cube's dimensions.
To define restrictions on a dimension you may: 
#* Uncheck the _Accessible_ column to restrict the entire dimension.
Dimensions checked as not accessible are not shown in the dimensions bar and users will not be able to analyze the cube through that dimension.
#* Indicate the range of levels in which users will be able to analyze the cube through that dimension.
To do so, it is necessary to indicate the range of levels in the From Level and To Level columns.
#* Define a logical expression to filter the elements of a level.
To do so, it is necessary to indicate the level to be filtered in the From Level column and enter the logical expression in the Restriction column.
# In order to define restrictions on the measures of a profile, select the profile from the list and click on the Measures Access sub-tab.
This tab contains a list of the measures defined in the cube and in the _Accessible_ column you will be able to select the measures that will be available to users through the selected profile.
# To confirm the security changes made, click on the Apply button in the Properties Pane.

!O3ServerAdministrator-Security-Profiles-Dimensions.png|align=center,vspace=10,hspace=10!\\

!O3ServerAdministrator-Security-Profiles-Measures.png|align=center,vspace=10,hspace=10!\\

To assign an access profile to an authorized role in the cube:
# Start O3 Server Administrator.
# Expand the Services \| Cubes \| Available Cubes branch in the Administration Tree.
# Select the cube in which you wish to assign an access profile to an authorized role.
# Click on the General Tab in the Properties Pane. At the bottom of this section you will see the list of authorized roles.
# Select the authorized role to which you wish to assign an access profile. If it is necessary to add a new role press the Add button to the right of the list.
# In the Profile column corresponding to the selected role, you will be able to select the defined access profiles from a drop-down list.
Apart from the defined profiles, this list contains the (none) option.
If you select this option, the role will have no associated profile and users related to it will have access to all dimensions and measures.
# To confirm the security changes made, click on the Apply button in the Properties Pane.
!O3ServerAdministrator-Security-Profiles-Assignment.png|align=center,vspace=10,hspace=10!
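
The role and profile rules above can be checked with a small model. This is an added example, not O3 Server code: the data layout, role names, profile names and user names are hypothetical, and it assumes "the first role in the list" refers to the cube's ordered list of authorized roles.

```python
# Added example: a model of the role and profile rules described on this page.
# It is not O3 Server code; the data layout and all names are hypothetical.

def effective_access(authorized_roles, user_roles):
    """Return (role, profile) for the first authorized role the user plays.

    authorized_roles: ordered list of (role, profile) as shown in the cube's
    General tab; profile None models the "(none)" entry (no restrictions).
    Returns None when the user plays no authorized role (access denied).
    """
    for role, profile in authorized_roles:
        if role in user_roles:
            return role, profile
    return None


def audit_cube(authorized_roles, users):
    """Report two conditions worth reviewing for one cube.

    unrestricted: roles listed with profile "(none)", i.e. full access.
    shadowed: users who also play a profiled role but are resolved to an
              earlier "(none)" role, so the profile never applies to them.
    """
    unrestricted = [role for role, profile in authorized_roles if profile is None]
    shadowed = []
    for user, roles in sorted(users.items()):
        hit = effective_access(authorized_roles, roles)
        if hit is None or hit[1] is not None:
            continue
        skipped = [r for r, p in authorized_roles if r in roles and p is not None]
        if skipped:
            shadowed.append((user, hit[0], skipped))
    return {"unrestricted": unrestricted, "shadowed": shadowed}


# Constructed sample data (role, profile and user names are made up).
SALES_CUBE = [
    ("Administrators", None),
    ("Analysts", None),
    ("Sales", "OwnCustomersOnly"),
]
USERS = {
    "alice": {"Administrators"},
    "bob": {"Sales"},
    "carol": {"Analysts", "Sales"},   # plays a restricted and an unrestricted role
    "dave": {"Finance"},              # plays no authorized role
}

if __name__ == "__main__":
    for user, roles in USERS.items():
        print(user, effective_access(SALES_CUBE, roles))
    print(audit_cube(SALES_CUBE, USERS))
```

In this sample, carol plays both Analysts and Sales, so the profile assigned to Sales never applies to her; reordering the list or assigning a profile to Analysts closes the gap.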

h3. Scope of restrictions on Access Profiles

Using access profiles, the administrator can specify:
* The cube measures that can be accessed.
* The cube dimensions that can be accessed.
* From which level to which level each dimension can be accessed.
The root of the dimension is represented by level 0.
* A parametric filter on the elements of a level of a dimension, defined by a logical expression.

Using logical expressions to filter the elements of a level makes it possible to implement complex security requirements.

The logical expression is evaluated for each element of the specified level, and only the elements for which the expression is true are shown.

This is used, for example, so that a salesperson can only see the sales of the customers assigned to them.

When defining logical expressions, the following identifiers can be used to refer to the elements of a level (nodes in the hierarchy of each dimension):
|| *{_}Identifier{_}* || *{_}Function{_}* ||
| NodeKey | It returns the value of the key of the element being evaluated. |
| NodeLabel | It returns the value of the label of the element being evaluated. |
| NodeLongLabel | It returns the value of the long label of the element being evaluated. |
| NodeDescription | It returns the value of the description of the element being evaluated. |
{quote}
(!) Note
These identifiers are defined in *{_}O3 Designer{_}* to build dimensions.
{quote}
It is also possible to use the following identifiers to refer to the user's identification and their role:
|| *{_}Identifier{_}* || *{_}Function{_}* ||
| userName | It returns the identifier of the user currently logged in and consulting the cube. |
| roleName | It returns the name of the role of the user who opened the cube. |
Additionally, you may define attributes for each user or role and use them in the logical expressions.

For instance, by defining a Department attribute, whose value is the name of the department the user belongs in, it is possible to restrict users so they can only see information about their department.

The attribute values are accessed from the expressions by means of the following functions.
|| *{_}Function{_}* || *{_}Description{_}* ||
| getUserValue(<attribute name>) | It returns the value assigned to the attribute for the user who accesses the cube. |
| getRoleValue(<attribute name>) | It returns the value assigned to the attribute for the role of the user who is accessing the cube. |
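
The per-element evaluation described above, with the Department example, can be modelled as follows. This is an added example, not O3 Server code: a Python predicate stands in for the Restriction column (the page does not show O3's expression syntax), and the element layout, sample data and the behaviour for undefined attributes are assumptions of the model.

```python
# Added example: a model of per-element restriction filtering, not O3 Server code.
# The Python predicate stands in for the Restriction column; O3's own
# expression syntax is not shown on this page.

def visible_elements(elements, restriction, user_name, role_name,
                     user_attrs=None, role_attrs=None):
    """Return the keys of the level's elements for which restriction is true."""
    user_attrs = user_attrs or {}
    role_attrs = role_attrs or {}
    shown = []
    for el in elements:
        ctx = {
            "NodeKey": el["key"],
            "NodeLabel": el["label"],
            "NodeLongLabel": el.get("long_label", el["label"]),
            "NodeDescription": el.get("description", ""),
            "userName": user_name,
            "roleName": role_name,
            # Model assumption: an attribute that is not defined yields None.
            "getUserValue": user_attrs.get,
            "getRoleValue": role_attrs.get,
        }
        try:
            allowed = restriction(ctx) is True
        except Exception:
            allowed = False   # a failing expression hides the element
        if allowed:
            shown.append(el["key"])
    return shown


def same_department(ctx):
    """The page's Department example: show only the user's own department."""
    return ctx["NodeLabel"] == ctx["getUserValue"]("Department")


# Constructed sample level of a hypothetical Department dimension.
DEPARTMENTS = [
    {"key": "D01", "label": "Sales"},
    {"key": "D02", "label": "Finance"},
    {"key": "D03", "label": "Human Resources"},
]

if __name__ == "__main__":
    print(visible_elements(DEPARTMENTS, same_department, "bob", "Staff",
                           user_attrs={"Department": "Finance"}))
    # A user with no Department attribute matches no element.
    print(visible_elements(DEPARTMENTS, same_department, "eve", "Staff"))
```

How O3 Server itself treats an undefined attribute or a failing expression should be verified on a test cube before relying on a restriction for confidentiality.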

----