on 07-11-2011 9:10 AM
Dear Experts,
In one of our dimension master, many members are invalid. So our management has dicided to restrict certain users not to see these invalid mambers from CV(in excel and web). When we try to deny acces for these members in different profile(member access profile) it is not working as explained in security document.
Eg:Entiry dimension hierarchy is as below
H1
WorldWide
-Sales
---Sales Asia
-
Sales Korea
-
Sales Japan
---Sales Europe
-
Sales Italy
-
Sales France
**User1 does not belong to any team.
There are two member access profiles: ProfileA and ProfileB.
**Both the profiles are assigned to the user.
The member access profiles are described in the following table:
Member access profile| Access |Dimension |Member
-----------------------------------------------------------------
ProfileA |Denied |Entity |SalesAsia
ProfileB |Read Only |Entity |Sales
In this case, the least restrictive profile between the two, ProfileB (Read Only), is applied. As a result,
ProfileA is ignored by the system, and User1 is able to retrieve data from both SalesKorea and
SalesItaly.
If we define both in same profile as follows its working fine.
Member access profile| Access |Dimension |Member
-----------------------------------------------------------------
ProfileA |Denied |Entity |SalesAsia
ProfileA |Read Only |Entity |Sales
In this case User1 is able to see Sales Italy data but not Sales Asia.
We can achieve our requirement by maintaining all existing profiles by adding invalid members as denied. But we have to change many profiles(100+) . Thats why we are trying to include all invalid members under one profile (for easy maintainance) and assign this at team level.
Is there any way to acheive this with out changing existing profiles.
Thanks in advance...
regards,
Raju
Hi Raju,
Create a profile called "Denied". Put all the users who are all don't want to see some particular reports or what ever
it may be, put them all in a separate team Ex: Team - D. Put team D into Denied Profile so that nothing can be seen to these
users. Another Profile called "RO" put all the users who are can just read only in a particular team, and assign the team to
this profile. I hope in this way you can distinguish the users.
Raghu B.S.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Raghu,
Thanks for the suggestion.
If we create a separate profile with denied for all invalid members and assign the same to users/teams. When system checks for members based on profiles attached to user/team it will pick least restricted profile. since the same members may assigned at other profile with R or R/W system still allow them to see those members even though its dinied in another profile.
thanks,
Raju
User | Count |
---|---|
12 | |
3 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 | |
1 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.