PPS security problem

  • Question

  • Hi all,

    I have two problems/questions concerning security in PPS Planning (using SP1, 3.0.3917):

    1. There are two roles in my modelsite:
      1. Role 1 "Contributors" is the basic role with default read+write access to all dimensions,
        and on role level the account dimension has restricted write access to those elements every contributor should plan on.
         
      2. Role 2 "Central Planning" has default no read+write access.
        In this role, some users should get read+write access to centrally planned accounts (which are not included in role 1 "Contributors").

        As far as I understand it, the model should reflect the CUMULATIVE security rights out of both roles.

        => Unfortunately, this is not the case. I double-checked model assignment and it should work but it doesn't. Any hints on this? Anybody had similar problems?
         
         
    2. Is there any documentation on where security settings are stored in the application database?
      I found some "Sec_" tables which contain the MemberIDs to which a user has read+write permissions.
      => But while in PBM I can grant permissions to "AccountXY(LeafMembers)", I do not see any MemberId of the ParentMember in any table. Though when I open PBM again, I see which ParentMember(LeafMembers) a user has access to. Where is this information stored?
       

    Thanks for any hint / advice!!

    Kind regards,
    Georg

    Friday, February 6, 2009 3:31 PM

Answers

  • Hi there,

    It's really non-intuitive.  See the modeler documentation for an explanation.

    Different roles can grant different permissions for the same member set. When a user belongs to more than one role, the user inherits the permissions from all roles to which he or she belongs. However, Read and Write permissions are calculated differently from each other.

    • Read permissions. Users can read all possible combinations of members (tuples) that they have been granted Read access to.

    • Write permissions. Users can only write to the specific tuples that they have been granted Write access to in each role.

    So I believe that if a user doesn't have write permissions in one of their roles it will trump all other grants for write permission.

    Needless to say, this could blow out the # of roles req'd for the solution.

    cheers,
    Andrew


    Andrew Sears, T4G Limited, http://www.performancepointing.com
    Tuesday, February 10, 2009 2:05 PM
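
A small model of the read/write rule quoted in the answer above, added here as an example; it is not code from the thread or from PerformancePoint. It assumes one reading of that rule (read access pools members across roles before combining them, write access is evaluated inside each role separately), and the dimension and member names are constructed.

```python
from itertools import product

DIMS = ("Account", "Entity")  # constructed dimensions

# Constructed grants: role -> permission -> dimension -> members granted.
# A dimension missing from a role means "no access" in that role.
ROLES = {
    "Contributors": {
        "read":  {"Account": {"Sales", "Travel"}, "Entity": {"DE", "FR"}},
        "write": {"Account": {"Sales", "Travel"}, "Entity": {"DE", "FR"}},
    },
    "Central Planning": {
        "read":  {"Account": {"Tax"}},
        "write": {"Account": {"Tax"}},
    },
}

def tuples(grants):
    """Cross product of the members granted per dimension."""
    return set(product(*(grants.get(d, set()) for d in DIMS)))

def readable(roles, names):
    """Read: pool members per dimension across roles, then combine them."""
    pooled = {d: set().union(*(roles[n]["read"].get(d, set()) for n in names))
              for d in DIMS}
    return tuples(pooled)

def writable(roles, names):
    """Write: only tuples that one role grants as a whole."""
    return set().union(*(tuples(roles[n]["write"]) for n in names))

if __name__ == "__main__":
    user = ["Contributors", "Central Planning"]
    print("read :", sorted(readable(ROLES, user)))
    print("write:", sorted(writable(ROLES, user)))
```

In this model the "Central Planning" write grant produces no writable tuples until that role also names Entity members, while the same account is already readable in combination with the entities granted by "Contributors".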

All replies

  • Anybody any idea?

    Thanks,
    Georg
    Management Factory
    Tuesday, February 10, 2009 1:38 PM