Overview of One Model's Role Based Security

One Model’s Role Based Security consists of two different types of roles:

  • Application Access Roles. These permissions control the tools and the parts of the system that the user can access.
  • Data Access Roles. These permissions control the data elements a user can access. Permissions are controlled at both the column level (i.e. what data elements a user can see) and the row level (i.e. what records of the data element a user can access).

A user can belong to multiple Application Access and Data Access Roles.


Application Access Roles

Application Access Roles are defined in the system under Admin > Application Access Roles.

To create a new role, click Create New.

The system will prompt the user to provide a Name and Description for the role.

Clicking the Create button will create the role. Once the role is created, it will appear in the list of roles. Clicking Edit will allow Admins to later change the Name and Description for the role.

To add permissions to the role, click Permissions.

By default no permissions are assigned to the role. Permissions are either on or off. Clicking the Checkbox next to the permission will grant the permission to the role. 

Most permissions are Admin permissions. Key permissions for End Users to consume data include:

  • CanFilterDashboard
  • CanViewDashboards
  • CanDrillthroughMetric
  • CanViewDimensionDetails
  • CanViewDimensions

For Data Analysts in the organization, Admins may also grant access to these permissions:

  • CanExploreData

To add users to a role, click Users.

A list of all users in the system will show up. Clicking the Checkbox will grant the permissions for the selected Application Access Role to the selected user(s). 

To save permissions for users, click the Update Users button at the bottom of the list of users.

Note: Application permissions are cumulative. This means that if a user belongs to multiple roles and one role has a permission but another role does not, the user will have the permission.

To delete a role, click the Delete hyperlink.

Note: Roles can be deleted, even if associated with a user. 


Data Access Roles

Data Access Roles are defined in the system under Admin > Data Access Roles.

To create a new role, click Create New.

The user will be prompted to provide a Name and Description for the role. For Data Access Roles, Admins can also copy users and rules from other roles to make the creation process more efficient.

Clicking the Create button will create the role. Once the role is created, it will appear in the list of roles. Clicking Edit will allow Admins to later change the Name and Description for the role.

Access to specific metrics is controlled by the Metrics hyperlink. This is the aggregate data. Column-level access is controlled through the system configuration of drill-through columns, as well as role permissions at the Column level.

If a user should have access to all metrics on a site, the Select All button will make that selection more efficient. If the Admin needs to uncheck all selections, clicking Deselect All will accomplish this efficiently. 

Traditionally, most users will have access to a subset of metrics. Metrics will be organized by Categories. Clicking on the > next to the metric Category will expand it.

Clicking on the > next to the metric Sub-Category will expand it. Admins can check the checkbox for an entire Category of metrics, an entire Sub-Category of metrics, or an individual metric to provide access to the data.

Clicking Save will save permissions to metrics for the role. 

Note: Access to Metrics provides users access to the aggregate data elements. This access will work in conjunction with Rules permissions to provide access to specific populations in the data.

To grant access for roles to Dashboards, click the Dashboard hyperlink.

Dashboards will be organized as they are onsite. To permission Dashboards, click the > next to the category. It will show the individual dashboards. Dashboard permissions can be set to allow users to View or Edit the individual dashboards.

Note: To View or Edit a Dashboard, the user will have to have the appropriate Application Access Role permissions (CanCreateDashboard or CanViewDashboards).

Clicking Save will save permissions to dashboards for the role.

Access to specific dimensions is controlled by the Dimensions hyperlink. This is the aggregate data. Column-level access is controlled through the system configuration of drill-through columns, as well as role permissions at the Column level.

If a user should have access to all dimensions on a site, the Select All button will make that selection more efficient. If the Admin needs to uncheck all selections, clicking Deselect All will accomplish this efficiently. 

Traditionally, most users will have access to a subset of dimensions. Dimensions will be organized by categories. Clicking on the > next to the dimension Category will expand it.

Admins can check the checkbox for the entire Category or an individual Dimension to provide access to the data element.

Clicking Save will save permissions to Dimensions. 

Note: Access to Dimensions provides users access to the data elements. This access will work in conjunction with Rules permissions to provide access to specific populations in the data.

Access to specific Columns for drill through is controlled by the Columns hyperlink.

If a user should have access to all columns on a site, the Select All button will make that selection more efficient. If the Admin needs to uncheck all selections, clicking Deselect All will accomplish this efficiently. 

Traditionally, most users will have access to a subset of columns. Columns will be organized by Tables. Clicking on the > next to the column Table will expand it.

Admins can check the checkbox for the entire Table or an individual Column to provide access to the data element.

Clicking Save will save permissions to columns for the role. 

Note: Access to Columns provides users access to the data elements. This access will work in conjunction with Rules permissions to provide access to specific populations in the data.

The Rules hyperlink allows Admins to control access to specific populations. This access for the Role works in conjunction with all of the data access permissions set in Metrics, Dashboards, Dimensions and Columns.

Rules allow the Admin to select a specific dimension and set the access level the user will have. In this example, the role has access to Human Resources (in the Organisational Unit dimension), but none of the descendants. This means this role can see Human Resources in the aggregate, but if HR has child nodes (e.g. Organizational Development, Payroll and Benefits, Learning and Development, etc.), none of those will be visible in the aggregate or column-level details.

Rules allow Admins to select any dimension available in the data for the Rule to be applied. 

Admins then select whether the criteria for this dimension "is" or "is not" applicable.

All nodes associated with the selected dimension will be available when the Select Nodes box is selected.

The Admin will then need to select either "or one of their descendants" or "but not one of their descendants".

Clicking Save will save the rule. 

A new rule can be added by clicking Add Rule. This Rule will work in conjunction with all of the other rules set for the role.

Contextual Rules for individual users (associated with the Person ID in the User account) can be set using Add User Contextual Rule. This allows for an automated process of setting access across a large population, such as Managers in the organization.

Contextual Rules also allow the Admin to select any dimension. The dimension selected will associate to the Person ID. Once the dimension is selected, the Admin will have the option to select "just theirs" or "theirs or a sibling of theirs".

The Admin will then need to select either "or one of their descendants" or "but not one of their descendants".

Clicking Save will save the rule. 

To add users to a Data Access Role, click Users.

A list of all users in the system will show up. Clicking the Checkbox will grant the permissions for the Data Access Role to the selected user(s). 

To save permissions for users, click the Update Users button at the bottom of the list of users.

Note: Permissions are cumulative for Data Access Roles permissions, but exclusions for specific data elements defined in rules will take priority.
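
A minimal model of the two combination rules stated on this page (cumulative Application Access permissions, and Data Access grants that are cumulative except that rule exclusions take priority), added here as an illustration and not One Model's own code. It assumes an "is not" rule acts as the exclusion; the role names, the Finance node and the rule tuple format are constructed.

```python
# Illustrative model only, not One Model's code. Role names, the "Finance" node
# and the tuple rule format are constructed for this example.
PARENT = {  # Organisational Unit hierarchy: node -> parent
    "Human Resources": None,
    "Payroll and Benefits": "Human Resources",
    "Learning and Development": "Human Resources",
    "Finance": None,
}

def ancestors_and_self(node):
    """Yield node, then each ancestor up to the root."""
    while node is not None:
        yield node
        node = PARENT[node]

def rule_matches(rule, node):
    """rule = (operator, selected_node, include_descendants)."""
    _, selected, include_descendants = rule
    if include_descendants:          # "or one of their descendants"
        return selected in ancestors_and_self(node)
    return node == selected          # "but not one of their descendants"

def effective_app_permissions(roles):
    """Application permissions are cumulative: the union across all roles."""
    return set().union(*(r.get("permissions", set()) for r in roles))

def visible_nodes(roles):
    """Union of "is" rules across roles, minus nodes hit by any "is not" rule."""
    rules = [rule for role in roles for rule in role.get("rules", [])]
    visible = set()
    for node in PARENT:
        included = any(r[0] == "is" and rule_matches(r, node) for r in rules)
        excluded = any(r[0] == "is not" and rule_matches(r, node) for r in rules)
        if included and not excluded:  # assumption: an exclusion always wins
            visible.add(node)
    return visible

HR_SUMMARY = {"permissions": {"CanViewDashboards"},
              "rules": [("is", "Human Resources", False)]}
HR_FULL = {"permissions": {"CanViewDashboards", "CanExploreData"},
           "rules": [("is", "Human Resources", True)]}
NO_PAYROLL = {"rules": [("is not", "Payroll and Benefits", True)]}

if __name__ == "__main__":
    print(sorted(effective_app_permissions([HR_SUMMARY, NO_PAYROLL])))
    print(sorted(visible_nodes([HR_SUMMARY])))            # HR node only
    print(sorted(visible_nodes([HR_FULL, NO_PAYROLL])))   # HR minus Payroll
```

Evaluating a user's full set of roles this way shows the effective access that results from membership in several roles, which is what an access review needs to compare against the intended least-privilege scope.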

To delete a role, click the Delete hyperlink.

Note: Roles can be deleted, even if associated with a user. 
