Introduction to Role Based Security

This article provides an introduction to One Model's Role Based Security (RBS) model and granting permissions.

Overview of One Model's Role Based Security

One Model’s Role Based Security consists of two different types of roles:

  • Application Access Roles. These permissions control the tools and the parts of the system that the user can access.

  • Data Access Roles. These permissions control the data elements a user can access. Permissions are controlled at both the column level (i.e. what data elements a user can see) and the row level (i.e. what records of the data element a user can access).

A user can belong to multiple Application Access and Data Access Roles.

Application Access Roles

Application Access Roles are defined in the system under Admin > Application Access Roles.

 

Create a new role

Go to Application Access Roles under the Admin tab

Click Create New

 

The system will prompt the user to provide a Name and Description for the role.

 

Clicking the Create button will create the role. Once the role is created, it will appear in the list of roles. Clicking Edit allows Admins to change the Name and Description for the role later.

Add permissions to a role

To add permissions to the role, click Permissions.

 

By default, no permissions are assigned to the role. Permissions are either on or off. Selecting the checkbox next to a permission grants that permission to the role.

 

Most permissions are Admin permissions. Key permissions that End Users need to consume data include:

  • CanFilterDashboard

  • CanViewDashboards

  • CanDrillthroughMetric

  • CanViewDimensionDetails

  • CanViewDimensions

For Data Analysts in the organization, Admins may also grant the following permission, which enables them to create queries:

  • CanExploreData

Add users to a role

Click Users.

A list of all users in the system will show up. Clicking the Checkbox will grant the permissions for the selected Application Access Role to the selected user(s). 

 

To save permissions for users, click the Update Users button at the bottom of the list of users.

Note: Permissions are cumulative for application permissions. This means if a user has access to multiple roles and one role has access to a permission, but another role does not, the user will have access to the permission.

Delete a role

Click Delete 

 

Note: Roles can be deleted, even if associated with a user. 

Data Access Roles

Data Access Roles are defined in the system under Admin > Data Access Roles.

 

Create a new role

Click Create New

 

The user will be prompted to provide a Name and Description for the role. For Data Access Roles, Admins can also copy the setup from other roles to make the creation process more efficient.

 

Clicking the Create button will create the role. Once the role is created, it will appear in the list of roles. Clicking Edit allows Admins to change the Name and Description for the role later.

Access to specific metrics is controlled by the Metrics link. This is the aggregate data. Individual column level of access is controlled through the system configuration of drill through columns, as well as role permission at the Column level.

 

If a user should have access to all metrics on a site, the Select All button will make that selection more efficient. If the Admin needs to uncheck all selections, clicking Deselect All will accomplish this efficiently. 

 

Traditionally, most users will have access to a subset of metrics. Metrics will be organized by Category. Clicking on the > next to the metric Category will expand it.

Clicking on the > next to the metric Sub-Category will expand it. Admins can check the checkbox for an entire Category of metrics, an entire Sub-Category of metrics or an individual metric to provide access to the data.

 

Clicking Save will save permissions to metrics for the role. 

Note: Access to Metrics provides users access to the aggregate data elements. This access will work in conjunction with Rules permissions to provide access to specific populations in the data.

To grant access to Storyboards

Click the Storyboard link.

 

Storyboards will be organized as they are onsite. To permission Storyboards, click the > next to the category and it will show the individual storyboards.

Storyboard permissions can be set to allow users to View or Edit the individual storyboards.

 

Note: To View or Edit a Storyboard, the user must also have the appropriate Application Access Role permissions (CanCreateDashboard or CanViewDashboards).

Clicking Save will save permissions to storyboards for the role.

To grant access to dimensions

Access to specific dimensions is controlled by the Dimensions link. This is the aggregate data. Individual column level of access is controlled through the system configuration of drill through columns, as well as role permission at the Column level.

 

If a user should have access to all dimensions on a site, the Select All button will make that selection more efficient. If the Admin needs to uncheck all selections, clicking Deselect All will accomplish this efficiently. 

Traditionally, most users will have access to a subset of dimensions. Dimensions will be organized by categories. Clicking on the > next to the dimension Category will expand it.

 

Admins can check the checkbox for the entire Category or an individual Dimension to provide access to the data element.

Clicking Save will save permissions to Dimensions. 

Note: Access to Dimensions provides users access to the data elements. This access will work in conjunction with Rules permissions to provide access to specific populations in the data.

To grant access to columns

Access to specific Columns for drill through is controlled by the Columns link.

If a user should have access to all columns on a site, the Select All button will make that selection more efficient. If the Admin needs to uncheck all selections, clicking Deselect All will accomplish this efficiently. 

Traditionally, most users will have access to a subset of columns. Columns will be organized by Tables. Clicking on the > next to the column Table will expand it.

Admins can check the checkbox for the entire Table or an individual Column to provide access to the data element.

Clicking Save will save permissions to columns for the role. 

Note: Access to Columns provides users access to the data elements. This access will work in conjunction with Rules permissions to provide access to specific populations in the data.

About rules

The Rules hyperlink allows Admins to control access to the specific populations. This access for the Role works in conjunction with all of the data access permissions set in Metrics, Storyboards, Dimensions and Columns.

Rules allows the Admin to select a specific dimension and set the access level the user will have. In the example below, the role has access to Human Resources (in the Organisational Unit dimension), but none of the descendants. This means this role can see Human Resources in the aggregate, but if HR has children nodes (e.g. Organizational Development, Payroll and Benefits, Learning and Development, etc.), none of those will be visible in the aggregate or column level details.

Rules allow Admins to select any dimension available in the data for the Rule to be applied. 

Admins then select whether the criteria for this dimension "is" or "is not" applicable.

All nodes associated with the selected dimension will be available when the Select Nodes box is selected.

The Admin will then need to select either "or one of their descendants" or "but not one of their descendants".

Clicking Save will save the rule. 

A new rule can be added by clicking Add Rule. This Rule will work in conjunction with all of the other rules set for the role.

Contextual rules

Contextual Rules for individual users (associated with the Person ID in the User account), can be set on Add User Contextual Rule. This allows for an automated process of setting access across a large population, such as Managers in the organization.

Contextual Rules also allow the Admin to select any dimension. The dimension selected will associate to the Person ID. Once the dimension is selected, the Admin will have the option to select "just theirs" or "theirs or a sibling of theirs".

The Admin will then need to select either "or one of their descendants" or "but not one of their descendants".

Clicking Save will save the rule. 

Add users to a Data Access Role

Click Users.

A list of all users in the system will show up. Clicking the Checkbox will grant the permissions for the Data Access Role to the selected user(s). 

To save permissions for users, click the Update Users button at the bottom of the list of users.

Note: Permissions are cumulative for Data Access Roles permissions, but exclusions for specific data elements defined in rules will take priority.
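
The two cumulative-permission notes and the Rules description above can be modeled in a few lines to reason about what a user ends up with when several roles combine. The Python below is an added example, not One Model code: the role contents and hierarchy are constructed, only one dimension is modeled, and "exclusions take priority" is read as "any matching is-not rule denies access", which is an assumption.

```python
# Added illustration: a model of the evaluation rules this article describes.
# All role contents and the hierarchy are constructed sample data.

# Constructed Organisational Unit hierarchy, child -> parent.
PARENT = {
    "Human Resources": "Company",
    "Payroll and Benefits": "Human Resources",
    "Learning and Development": "Human Resources",
    "Finance": "Company",
}

def lineage(node):
    """Return the node followed by each of its ancestors up to the root."""
    chain = []
    while node is not None:
        chain.append(node)
        node = PARENT.get(node)
    return chain

def rule_covers(rule, node):
    """A rule covers its selected node, plus descendants if so configured."""
    if rule["descendants"]:
        return rule["node"] in lineage(node)
    return rule["node"] == node

def effective_app_permissions(app_roles):
    """Application permissions are cumulative: union across all roles."""
    return set().union(*app_roles)

def can_see(data_roles, node):
    """Grants accumulate across roles; any matching 'is not' rule wins."""
    rules = [rule for role in data_roles for rule in role]
    if any(not r["is"] and rule_covers(r, node) for r in rules):
        return False
    return any(r["is"] and rule_covers(r, node) for r in rules)

# Constructed roles for the sample run below.
VIEWER = {"CanViewDashboards", "CanFilterDashboard"}
ANALYST = {"CanViewDashboards", "CanExploreData"}
HR_ONLY = [{"is": True, "node": "Human Resources", "descendants": False}]
HR_TREE = [{"is": True, "node": "Human Resources", "descendants": True}]
NO_PAYROLL = [{"is": False, "node": "Payroll and Benefits", "descendants": False}]

if __name__ == "__main__":
    print(sorted(effective_app_permissions([VIEWER, ANALYST])))
    for node in PARENT:
        print(node, can_see([HR_ONLY, HR_TREE, NO_PAYROLL], node))
```

Running a model like this over an export of role assignments shows which users pick up a permission such as CanExploreData, or a wider population, through a second role that was granted for another reason.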

Publish to roles

The Publish to Roles link allows Admins to define which other Data Access Roles this user can publish storyboards to. E.g. an Admin role can publish to all other Data Access Roles (and therefore users), but an Analyst role may be limited to publishing only to Admin or their own Analyst role to allow vetting of content.

If a user should have permission to publish to all roles, the Select All button will make that selection more efficient. If the Admin needs to uncheck all selections, clicking Deselect All will accomplish this efficiently.

Clicking Save will save publishing permissions for the role.

Delete a role

Click Delete

Note: Roles can be deleted, even if associated with a user. 

 

Click here to view the complete list of roles and permissions. 
