BDA Security Manager
Application Summary
The BDA Security Manager comprehensively controls virtually all security properties in a code-free environment.
Solution Overview
The BDA Import/Export Security Manager provides administrators and implementers a simple, code free avenue to extract, modify, and upload OneStream security artifacts.
BDA’s Security Manager addresses User Groups and their generational inheritance, Users themselves, Application roles, System Security roles, Exclusion Groups, Users in Exclusion Groups, Groups in Exclusion Groups, Workflow, Cubes, Entity, Scenario, all other dimensions, Data Cell “Slice” security, Display Members, Cube Views, Cube View Profiles, Transformation Rules, Transformation Rule Profiles, Dashboard Maintenance Units, Dashboard Groups, and Dashboard Profiles security.
Common use cases are administrative review, documentation, implementation, maintenance, and migration between environments.
Setup and Installation
The installation process for all BDA Solutions is the same: download the install zip file from Partner Place, import, and run the BDA_FW_Dashboard_Setup dashboard using the purchased product keys. The zip file contains all BDA Solutions; the keys unlock the purchased Solutions.
See the BDA Installation Solution Guide SV1.0.0 for more information.
Security Manager Solution
There are four general functional areas:
1) Artifact selection by type
2) Wildcard filters for users, groups, and artifacts
3) Security export
4) Security import
Security Output
The extract process dynamically creates and opens an Excel workbook by selected security area and artifact.
Each security area has corresponding tabs; one or many or all may be selected, e.g., GroupsInGroups, Users, UsersInGroups, etc.
The workbook name is programmatically generated and follows a naming convention of “SecurityExtract.HHMMSS”, e.g., SecurityExtract.022227.xlsx, where the last six digits correspond to the server’s HHMMSS time.
Export Location
The Import/Export Security Utility writes the Excel workbook to the client's local temp folder, C:\Users\WindowsUserName\AppData\Local\Temp\OneStream, where WindowsUserName is the Windows account running the OneStream client. Because the workbook holds complete user, group, and role definitions (including the OneStream-encrypted Password column of the User tab), treat it as sensitive data: do not leave copies in shared locations and delete it once it is no longer needed.
Security Import
An extracted security file can be modified and imported into OneStream.
Some considerations around import functionality:
- The data import process can add, edit, and delete artifacts (deletes require the ActionType/ActionValue properties).
- Edits of core artifact properties, e.g., user renames, require a Rename/NewUserName ActionType/ActionValue pair.
- Edits of dependent properties, e.g., User Type, require a valid value such as Interactive or View.
- Some edits are merges, e.g., changing a UsersInGroups assignment performs a merge; it does not delete existing relationships.
- Imports can be net new assignments, a mix of existing, new, and edited properties, or any combination of security definitions.
- As a matter of practice, only update the relevant sections: if modifying Dashboard access, do not export and then reimport (for instance) Cube View access. Technically this approach is valid, but functionally the opportunity for error is high unless great care is taken during the editing process.
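Because the import applies whatever the edited workbook contains, a pre-import check catches the mistakes listed above before they reach the application. The following added example is not part of the BDA Solution or of OneStream; it assumes the workbook tabs have already been read into lists of dictionaries keyed by column header (for instance with openpyxl, which is not shown) and that the Groups tab, when present, holds the full group list. It checks the ActionType/ActionValue pairs, the UserType values, that every ParentGroup referenced by UsersInGroups/GroupsInGroups will exist after import, and that ProcessingOrder values are unique across the two Exclusion Group tabs, as the Exclusion Groups section below requires.

```python
from collections import Counter

VALID_ACTION_TYPES = {"Rename", "Remove"}
VALID_USER_TYPES = {"Interactive", "View", "Restricted",
                    "Third Party Access", "Financial Close"}


def validate_workbook(tabs):
    """tabs: {tab_name: [row_dict, ...]} mirroring the export tabs.
    Returns a list of (severity, tab, message); empty means every check passed."""
    findings = []

    def err(tab, msg):
        findings.append(("ERROR", tab, msg))

    def warn(tab, msg):
        findings.append(("WARN", tab, msg))

    # User tab: UserType must be a known value and Rename/Remove rows must be
    # well formed (Rename without a new name in ActionValue is a hard error).
    for row in tabs.get("User", []):
        name = row.get("User", "")
        if row.get("UserType") not in VALID_USER_TYPES:
            err("User", f"{name}: UserType {row.get('UserType')!r} is not valid")
        action = (row.get("ActionType") or "").strip()
        value = (row.get("ActionValue") or "").strip()
        if action and action not in VALID_ACTION_TYPES:
            err("User", f"{name}: ActionType {action!r} must be Rename or Remove")
        if action == "Rename" and not value:
            err("User", f"{name}: Rename requires a new name in ActionValue")
        if not action and value:
            warn("User", f"{name}: ActionValue set without an ActionType; it will be ignored")

    # Groups tab: same ActionType rules; also compute the set of group names that
    # will exist after import (renames replace the old name, removes drop it).
    known_groups = set()
    for row in tabs.get("Groups", []):
        g = row.get("Group", "")
        action = (row.get("ActionType") or "").strip()
        if action and action not in VALID_ACTION_TYPES:
            err("Groups", f"{g}: ActionType {action!r} must be Rename or Remove")
        if action == "Remove":
            continue
        known_groups.add(row.get("ActionValue") if action == "Rename" else g)

    # Membership tabs: ParentGroup must survive the import. Only meaningful when
    # the Groups tab was exported in full, which is the assumption here.
    for tab, child_col in (("UsersInGroups", "User"), ("GroupsInGroups", "Group")):
        for row in tabs.get(tab, []):
            parent = row.get("ParentGroup", "")
            if known_groups and parent not in known_groups:
                err(tab, f"{row.get(child_col)}: ParentGroup {parent!r} not defined in Groups tab")

    # Exclusion groups: ProcessingOrder must be unique per ExGroup across both tabs.
    orders = Counter()
    for tab in ("UsersInExGroups", "GroupsInExGroups"):
        for row in tabs.get(tab, []):
            orders[(row.get("ExGroup"), int(row["ProcessingOrder"]))] += 1
    for (exg, order), n in orders.items():
        if n > 1:
            err("ExGroups", f"{exg}: ProcessingOrder {order} used {n} times across "
                            "UsersInExGroups/GroupsInExGroups")
    return findings


# Constructed sample workbook content (not a real export); it contains one
# invalid UserType, one stale ParentGroup after a rename, and a duplicate
# ProcessingOrder.
SAMPLE = {
    "User": [
        {"User": "Natalie Documentation", "UserType": "Interactive",
         "ActionType": "Rename", "ActionValue": "Natalie Doc"},
        {"User": "Jessica Documentation", "UserType": "Viewer",
         "ActionType": "", "ActionValue": ""},
    ],
    "Groups": [
        {"Group": "Documentation", "ActionType": "", "ActionValue": ""},
        {"Group": "Documentation LegalA", "ActionType": "Rename", "ActionValue": "Doc LegalA"},
        {"Group": "Documentation LegalD", "ActionType": "Remove", "ActionValue": ""},
    ],
    "GroupsInGroups": [{"Group": "Doc LegalA", "ParentGroup": "Documentation"}],
    "UsersInGroups": [{"User": "Jessica Documentation", "ParentGroup": "Documentation LegalA"}],
    "UsersInExGroups": [{"User": "Jessica Documentation", "ExGroup": "Documentation Exclusion",
                         "ProcessingOrder": "0"}],
    "GroupsInExGroups": [{"Group": "Documentation", "ExGroup": "Documentation Exclusion",
                          "ProcessingOrder": "0"}],
}

if __name__ == "__main__":
    for severity, tab, message in validate_workbook(SAMPLE):
        print(f"{severity:5} {tab:18} {message}")
```

Run the check against the edited workbook and refuse to import while any ERROR remains; the stale ParentGroup finding in the sample is exactly the kind of mistake that is easy to make when a rename and a membership edit are done in the same pass.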
Single, Multi, and Select All
Security artifact information can be exported individually, in explicit combination, or in total.
Wildcards
Wildcard member names are not supported.
Text within the filters is not case-sensitive.
Given a requirement to filter on users, the examples cover a trailing wildcard, a leading wildcard, an in-line wildcard, and multiple wildcards, each with the set of users it returns.
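The following added example is not part of the BDA documentation or product; it shows how the four filter forms select from a constructed user list when implemented as plain pattern matching. It assumes that `*` is the wildcard character and, as stated above, that matching is case-insensitive; a filter without a wildcard is treated as an exact (case-insensitive) match.

```python
import re

# Constructed sample user list (not taken from a real export).
USERS = [
    "Natalie Documentation",
    "Jessica Documentation",
    "Doc Admin",
    "documentation_svc",
    "Augusta Reviewer",
]


def wildcard_to_regex(pattern):
    """Translate a filter such as 'Doc*' or '*doc*a*' into an anchored,
    case-insensitive regex. '*' is assumed to be the wildcard character; every
    other character is escaped so punctuation in names stays literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def apply_filter(pattern, names):
    """Return the names the filter selects, preserving export order."""
    rx = wildcard_to_regex(pattern)
    return [n for n in names if rx.match(n)]


if __name__ == "__main__":
    # Trailing, leading, in-line and multiple wildcards, plus a plain filter.
    for pattern in ("Doc*", "*Documentation", "N*Documentation", "*doc*a*", "doc admin"):
        print(f"{pattern:16} -> {apply_filter(pattern, USERS)}")
```

Note that case-insensitivity widens a trailing filter more than one might expect: `Doc*` also returns the service account `documentation_svc`, so review the result list before exporting with a broad filter.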
Artifacts
There are six security areas:
1) Users, groups, and roles
2) Workflow
3) Cubes and their access (Data Cell Conditional Input)
4) Dimensions
5) User interface: Cube Views and Dashboards
6) Transformation rules
Notes
Unless otherwise specified, adding a new row to a security export will, on import, add that definition to the OneStream application.
Users, Groups, and Roles
Users
Output
Export creates a two-tab workbook: User and UsersInGroups.
Purpose
Users are OneStream users as managed in the System Security module. They can be native (typically only for testing purposes during implementations or security configuration testing) or external.
Users and Groups (next section) differ from the other security artifacts in that they can be renamed (more commonly in the case of groups) or deleted by using the ActionType and ActionValue properties.
UsersInGroups is, as the name suggests, the assignment of users to existing groups.
Users
Sample Partial Export
Properties
Property | Sample value | Possible values |
---|---|---|
User | Natalie Documentation | User name |
Description | Documentation Natalie | Description |
UserType | Interactive | Interactive, View, Restricted, Third Party Access, Financial Close |
IsEnabled | True | True, False |
ExternalAuthProviderName | OS365 | |
ExternalUserName | email address (typically) | |
Password | 9kSKQuVc3WNWr7iARAvxzw== | Encrypted by OneStream |
Email address | | |
Culture | en-US | en-US, fr-FR |
NumGridRows | 1000 | 10 to 90 in increments of 10, 100 to 1000 in increments of 100 |
Text1 | FP&A Director | Custom text |
Text2 | US | Custom text |
Text3 | | Custom text |
Text4 | | Custom text |
ActionType | Rename | Rename, Remove |
ActionValue | Natalie Doc | Rename value, Member |
UsersInGroups
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
User | Jessica Documentation | ExistingUserName |
ParentGroup | Documentation LegalA | ExistingGroup |
Groups
Output
Export creates a two-tab workbook: Groups and GroupsInGroups.
Purpose
Adding a new row to the Groups tab results in a new group. The ActionType and ActionValue properties allow Renames and Removes of Groups.
GroupsInGroups assigns groups to parent groups. Adding a new row results in a new group/group parent child relationship.
Groups
Sample Partial Output
Properties
Property | Sample Value | Possible Values |
---|---|---|
Group | Documentation AllOrgs | ExistingGroupName |
Description | All possible organizations | Text |
ActionType | Rename | Rename, Remove |
ActionValue | Doc AllOrgs | New Group, Member |
GroupsInGroups
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
Group | Documentation LegalD | ExistingGroup, or a new group (which must be defined in the Groups tab of the same workbook if it was not added manually) |
ParentGroup | Documentation | Same as Group |
Export Roles
Output
Export creates a two tab workbook: AppRoles and SystemRoles.
Purpose
All security changes should be done with care; given the wide impact of these roles, exercise a high level of caution when changing these properties en masse. As a matter of practice, it is best to treat this export as documentation only.
AppRoles
Export Roles allows editing of the GroupName only, as the Roles themselves are predefined.
Sample Partial Export
Properties
Property | Sample Value | Possible Value |
---|---|---|
AppRole | OpenApplication | AdministerApplication, AdministerDatabase, ApplicationLoadExtractPage, ApplicationPropertiesPage, ApplicationSecurityRolesPage, BookAdminPage, BusinessRulesPage, CertificationQuestionsPage, CertifyAndLockDescendants, ClientUpdaterPage, ConfirmationRulesPage, CreateAuditAttachments, CreateFootnoteAttachments, CubeAdminPage, CubeViewsPage, DashboardAdminPage, DataManagementAdminPage, DataSourcesPage, DimensionLibraryPage, EncryptBusinessRules, FormTemplatesPage, FxRatesPage, JournalTemplatesPage, LockFXRates, ManageApplicationDashboards, ManageApplicationDatabaseFiles, ManageApplicationProperties, ManageCertificationQuestions, ManageConfirmationRules, ManageCubeViews, ManageData, ManageDataSources, ManageFormTemplates, ManageFXRates, ManageJournalTemplates, ManageMetadata, ManageTaskScheduler, ManageTransformationRules, ManageWorkflowChannels, ManageWorkflowProfiles, ModifyData, OnePlacePane, OpenApplication, PreserveImportData, RestoreImportData, SpreadsheetPage, TaskScheduler, TaskSchedulerPage, TextEditor, TimeDimProfilesPage, TransformationRulesPage, UnlockAndUncertifyAncestors, UnlockFXRates, UnlockWorkflowUnit, ViewAllData, ViewSourceDataAudit, WorkflowChannelsPage, WorkflowProfilesPage |
GroupName | Documentation | ExistingGroup |
SystemRoles
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
SystemRole | ErrorLogPage | AccessFileShareContents, ApplicationAdminPage, DatabasePage, EncryptSystemBusinessRules, EnvironmentPage, ErrorLogPage, FileExplorerPage, LogonActivityPage, ManageFileShare, ManageFileShareContents, ManageSystemDashboards, ManageSystemDatabaseFiles, ManageSystemSecurityGroups, ManageSystemSecurityRoles, ManageSystemSecurityUsers, RetrieveFileShareContents, SecurityAdminPage, SystemAdministrationLogon, SystemBusinessRulesPage, SystemDashboardAdminPage, SystemLoadExtractPage, SystemPane, TaskActivityPage, TimeDimensionsPage, ViewAllErrorLog, ViewAllLogonActivity, ViewAllTaskActivity |
GroupName | Administrators | ExistingGroup |
Exclusion Groups
Output
Export creates a three tab workbook: ExGroup, UsersInExGroups, and GroupsInExGroups.
Purpose
Exclusion Groups allow groups or users to be excluded from security assignments. The ExGroup tab defines the Exclusion Group names.
UsersInExGroups assigns users to an Exclusion Group. ProcessingOrder determines the order in which the rows are evaluated, and AllowAccess (True/False) defines the level of access to the relevant OneStream artifact.
GroupsInExGroups assigns groups to an Exclusion Group, with the same ProcessingOrder and AllowAccess semantics.
Note: to exclude specific users from a group's access, the typical practice is to assign the group first in GroupsInExGroups (lower ProcessingOrder) with an AllowAccess value of True, and then assign the users with a subsequent ProcessingOrder in UsersInExGroups. Use unique ProcessingOrder values across the two tabs.
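The following added example is not part of the BDA Solution or of OneStream; it works through the pattern in the note above on constructed rows shaped like the two tabs. It assumes that rows for one Exclusion Group are evaluated in ascending ProcessingOrder across both tabs and that each matching row overwrites the current answer, so the highest-order matching row decides; group membership is supplied as an already-resolved dictionary (what UsersInGroups/GroupsInGroups would produce).

```python
# Constructed sample rows shaped like the GroupsInExGroups and UsersInExGroups
# tabs (not from a real export). The group is allowed first, then one user is
# denied with a later ProcessingOrder, as the note above describes.
GROUPS_IN_EXGROUPS = [
    {"Group": "Documentation", "ExGroup": "Documentation Exclusion",
     "ProcessingOrder": 0, "AllowAccess": True},
]
USERS_IN_EXGROUPS = [
    {"User": "Jessica Documentation", "ExGroup": "Documentation Exclusion",
     "ProcessingOrder": 3, "AllowAccess": False},
]
# Assumed resolved group membership (the result of UsersInGroups/GroupsInGroups).
GROUP_MEMBERS = {
    "Documentation": {"Natalie Documentation", "Jessica Documentation", "Doc Admin"},
}


def effective_access(user, exgroup, users_rows=USERS_IN_EXGROUPS,
                     groups_rows=GROUPS_IN_EXGROUPS, members=GROUP_MEMBERS,
                     default=False):
    """Assumed semantics: walk the exclusion group's rows in ascending
    ProcessingOrder across both tabs; every row that matches the user (directly,
    or via a group the user belongs to) overwrites the current answer, so the
    highest-order matching row decides. Returns (allowed, reason)."""
    matches = []
    for r in groups_rows:
        if r["ExGroup"] == exgroup and user in members.get(r["Group"], ()):
            matches.append((r["ProcessingOrder"], r["AllowAccess"], f"group {r['Group']}"))
    for r in users_rows:
        if r["ExGroup"] == exgroup and r["User"] == user:
            matches.append((r["ProcessingOrder"], r["AllowAccess"], f"user {r['User']}"))

    orders = [m[0] for m in matches]
    if len(orders) != len(set(orders)):
        # The page requires unique ProcessingOrder values across the two tabs;
        # with duplicates the outcome would depend on tab order, so refuse.
        raise ValueError(f"duplicate ProcessingOrder for {user} in {exgroup}: {orders}")

    allowed, reason = default, "no matching row"
    for _order, allow, why in sorted(matches, key=lambda m: m[0]):
        allowed, reason = allow, why
    return allowed, reason


if __name__ == "__main__":
    for u in ("Natalie Documentation", "Jessica Documentation", "Augusta Reviewer"):
        print(u, "->", effective_access(u, "Documentation Exclusion"))
```

The duplicate-order check is there because the two tabs are imported separately: with the same ProcessingOrder on a group row and a user row there is no defined winner, which is why the note asks for unique values across both tabs.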
ExGroup
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
ExGroup | Documentation Exclusion | ExistingGroup |
Description | Exclude specific Documentation group members. | Free form text |
UsersInExGroups
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
User | Jessica Documentation | ExistingUserName |
ExGroup | Documentation Exclusion | ExistingGroup |
ProcessingOrder | 3 | 0, 1, 2, 3, etc. |
GroupsInExGroups
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
Group | Documentation | ExistingGroup |
ExGroup | Documentation Exclusion | ExistingExclusionGroupName |
ProcessingOrder | 0 | 0, 1, 2, 3, etc. |
Workflows
Output
One tab is created on export: Workflow.
Purpose
The Workflow export supports security at all levels of the Workflow Profile hierarchy.
The Workflow group properties can be edited. Workflows themselves cannot be deleted nor added: both of those actions must be performed within the OneStream application itself.
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
Profile | Houston Expenses | Workflow Profile artifacts |
AccessGroup | Everyone | ExistingGroup |
MaintenanceGroup | Administrators | ExistingGroup |
ExecGroup_Default | Administrators | ExistingGroup |
CertifyGroup_Default | Administrators | ExistingGroup |
Cubes
Output
One tab is created on export: Cube.
Purpose
Defines the AccessGroup and MaintenanceGroup of Cubes. MaintenanceGroup is irrelevant unless the CubeAdminPage Security Role is changed to a value other than Administrators.
The Cube group properties can be edited. Cubes themselves cannot be deleted nor added: both of those actions must be performed within the OneStream application itself.
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
Cube | GolfStream | ExistingCubeName |
AccessGroup | Everyone | ExistingGroup |
MaintenanceGroup | Everyone | ExistingGroup |
Cube Data Access
Output
One tab is created on export: CubeDataCellAccess.
Purpose
Note – Data Cell Access Security is commonly called “Slice Security”.
Befitting these properties' security orientation, most properties can be added or edited; Category rows, however, cannot be added or deleted through the import.
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
Cube | GolfStream | ExistingCubeName |
Type | Data Cell Access Security | Data Cell Access Security |
ProcessingOrdering | 0 | 0, 1, 2, 3, etc. (0-based) |
Description | Selling Group | CustomText |
AccessGroup | Documentation LegalA | AnyExistingGroup |
BehaviorInGrpInFilter | Apply Access and Continue | Skip Item And Continue, Skip Item And Stop, Apply Access And Continue, Increase Access And Continue, Increase Access And Stop, Decrease Access And Continue, Decrease Access And Stop |
AccessLevelInGrpInFilter | All Access | No Access, Read Only, All Access |
BehaviorInGrpNotInFilter | Skip Item and Continue | See BehaviorInGrpInFilter |
AccessLevelInGrpNotInFilter | No Access | See AccessLevelInGrpInFilter |
BehaviorNotInGrpInFilter | Skip Item and Continue | See BehaviorInGrpInFilter |
AccessLevelNotInGrpInFilter | No Access | See AccessLevelInGrpInFilter |
EntityMemberFilter | E#Top.Base | Comma-delimited Entity dimension member filter |
ParentMemberFilter | E#Top | Comma-delimited Entity dimension member filter |
ConsMemberFilter | C#Local | Comma-delimited Cons dimension member filter |
ScenarioMemberFilter | S#Working | Comma-delimited Scenario dimension member filter |
TimeMemberFilter | T#2023.Base | Comma-delimited Time dimension member filter |
ViewMemberFilter | V#Periodic | Comma-delimited View dimension member filter |
AccountMemberFilter | A#Sales | Comma-delimited Account dimension member filter |
FlowMemberFilter | F#EndBal | Comma-delimited Flow dimension member filter |
OriginMemberFilter | O#Forms | Comma-delimited Origin dimension member filter |
ICMemberFilter | I#None | Comma-delimited IC dimension member filter |
UD1MemberFilter | U1#None | Comma-delimited UD1 dimension member filter |
UD2MemberFilter | U2#Top.DescendantsInclusive | Comma-delimited UD2 dimension member filter |
UD3MemberFilter | U3#None | Comma-delimited UD3 dimension member filter |
UD4MemberFilter | U4#None | Comma-delimited UD4 dimension member filter |
UD5MemberFilter | U5#None | Comma-delimited UD5 dimension member filter |
UD6MemberFilter | U6#None | Comma-delimited UD6 dimension member filter |
UD7MemberFilter | U7#None | Comma-delimited UD7 dimension member filter |
UD8MemberFilter | U8#None | Comma-delimited UD8 dimension member filter |
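The rows above combine in ProcessingOrdering sequence, and the column a row applies depends on two tests: is the user in AccessGroup, and is the cell inside every member filter. The following added example is not part of the BDA Solution or of OneStream; it evaluates constructed rules in that shape and is only a model of the documented column names. Assumptions: a rule with the user outside the group and the cell outside the filter is skipped (there is no column for that case); "Apply" sets the level, "Increase" raises it, "Decrease" lowers it, "Skip" leaves it, and "Stop" ends evaluation; member filters such as E#Top.Base are represented as already-expanded sets of member names, since expanding them needs the application's metadata.

```python
LEVELS = {"No Access": 0, "Read Only": 1, "All Access": 2}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}

# Constructed rules shaped like CubeDataCellAccess rows (not from a real export).
# "Filters" holds the pre-expanded member sets per dimension that in OneStream
# would come from filters like E#Top.Base or S#Working.
RULES = [
    {
        "ProcessingOrdering": 0, "Description": "Selling Group",
        "AccessGroup": "Documentation LegalA",
        "BehaviorInGrpInFilter": "Apply Access And Continue",
        "AccessLevelInGrpInFilter": "All Access",
        "BehaviorInGrpNotInFilter": "Skip Item And Continue",
        "AccessLevelInGrpNotInFilter": "No Access",
        "BehaviorNotInGrpInFilter": "Skip Item And Continue",
        "AccessLevelNotInGrpInFilter": "No Access",
        "Filters": {"E": {"Birmingham", "Augusta"}, "S": {"Working"}, "A": {"Sales"}},
    },
    {
        "ProcessingOrdering": 1, "Description": "Actual is read-only for everyone",
        "AccessGroup": "Everyone",
        "BehaviorInGrpInFilter": "Decrease Access And Stop",
        "AccessLevelInGrpInFilter": "Read Only",
        "BehaviorInGrpNotInFilter": "Skip Item And Continue",
        "AccessLevelInGrpNotInFilter": "No Access",
        "BehaviorNotInGrpInFilter": "Skip Item And Continue",
        "AccessLevelNotInGrpInFilter": "No Access",
        "Filters": {"S": {"Actual"}},
    },
]


def parse_behavior(text):
    """Split e.g. 'Increase Access And Stop' into ('increase', True)."""
    words = text.lower().split()
    return words[0], words[-1] == "stop"


def evaluate_slice(rules, user_groups, cell, start_level):
    """Walk the rules in ProcessingOrdering and return the resulting access level
    name. start_level is the access held before slice security is applied (for
    example what the Entity ReadGroup/ReadWriteGroup assignment grants); the
    behaviour semantics are the assumptions stated in the lead-in."""
    level = LEVELS[start_level]
    for rule in sorted(rules, key=lambda r: r["ProcessingOrdering"]):
        in_grp = rule["AccessGroup"] in user_groups
        in_filter = all(cell.get(dim) in members
                        for dim, members in rule["Filters"].items())
        if in_grp and in_filter:
            key = "InGrpInFilter"
        elif in_grp:
            key = "InGrpNotInFilter"
        elif in_filter:
            key = "NotInGrpInFilter"
        else:
            continue  # no column exists for NotInGrpNotInFilter: rule is skipped
        verb, stop = parse_behavior(rule["Behavior" + key])
        target = LEVELS[rule["AccessLevel" + key]]
        if verb == "apply":
            level = target
        elif verb == "increase":
            level = max(level, target)
        elif verb == "decrease":
            level = min(level, target)
        # "skip" leaves the level unchanged
        if stop:
            break
    return LEVEL_NAMES[level]


if __name__ == "__main__":
    legal = {"Documentation LegalA", "Everyone"}
    working = {"E": "Birmingham", "S": "Working", "A": "Sales"}
    actual = {"E": "Birmingham", "S": "Actual", "A": "Sales"}
    print("LegalA, Working:", evaluate_slice(RULES, legal, working, "Read Only"))
    print("LegalA, Actual: ", evaluate_slice(RULES, legal, actual, "All Access"))
    print("Everyone, Working:", evaluate_slice(RULES, {"Everyone"}, working, "Read Only"))
```

Walking a few representative user/cell pairs through the rules this way, before importing an edited CubeDataCellAccess tab, is a cheap check that a reordered or re-typed Behavior column still yields the access you intended.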
Entity
Output
One tab is created on export: Entity.
Purpose
The ReadGroup, ReadGroup2, ReadWriteGroup, and ReadWriteGroup2 properties define read-only and read-write access to the Entity.
UseCubeDataAccess enables Data Cell Access Security, aka "Slice Security", for the Entity.
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
Entity | Birmingham | ExistingEntityName |
ReadGroup | Augusta | ExistingGroup |
ReadGroup2 | Nobody | ExistingGroup |
ReadWriteGroup | Documentation LegalA | ExistingGroup |
ReadWriteGroup2 | Documentation LegalC | ExistingGroup |
UseCubeDataAccess | True | True, False |
Scenario
Output
One tab is created on export: Scenario.
Purpose
Scenario access is integral to OneStream users for Workflow, data, and all downstream functionality.
In addition to the expected read-only and read-write properties, Cube View calculations and Data Management access are also controlled by group.
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
Scenario | Budget | ExistingScenarioName |
ReadGroup | Everyone | ExistingGroup |
ReadWriteGroup | Administrators | ExistingGroup |
CalculateFromGridsGroup | Everyone | ExistingGroup |
ManageDataGroup | Nobody | ExistingGroup |
Dimensions
Output
One tab is created on export: Dimensions.
Purpose
Controls access to, and editing of, dimensions in the Dimension Library.
For this setting to take effect, the DimensionLibraryPage Security Role must be set to a group other than Administrators.
AccessGroup defines the visibility of the dimension. MaintenanceGroup enables editing of all members of the dimension.
Restricting access to an upper-level extended dimension does not restrict its child dimensions.
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
Dimension | CorpEntities | ExistingDimensionName |
AccessGroup | Everyone | ExistingGroup |
MaintenanceGroup | Everyone | ExistingGroup |
Display Members
Output
One tab is created on export: Dimensions.
Purpose
Shows or hides individual dimension members. Scenario members are not covered, nor are the non-editable Cons, IC, Parent, and Time Data Unit dimensions.
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
Dimension | E | F, U1, etc., as per dimension references in business rules |
Member | Clubs | ExistingMember |
Cube Views
Output
Export creates a two tab workbook: CubeViewGroups and CubeViewProfiles.
Purpose
Controls access to Cube View groups. Access Group will determine if child Cube Views can be accessed. Maintenance Group is meaningful only when the CubeViewsPage Security Role is set to a value other than Administrators.
CubeViewGroups
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
CVGroup | Data Entry | ExistingCubeViewGroupName |
AccessGroup | Everyone | ExistingGroup |
MaintenanceGroup | Administrators | ExistingGroup |
CubeViewProfiles
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
CVProfile | Data Entry | Valid text (no excluded characters, e.g., commas) |
UIVisibility | Always | Always, Dashboards, DashboardsOnePlace, Excel, ExcelDashboards, ExcelDashboardsOnePlace, ExcelOnePlace, Forms, FormsDashboards, FormsDashboardsOnePlace, FormsExcel, FormsExcelDashboards, FormsExcelDashboardsOnePlace, FormsExcelOnePlace, FormsOnePlace, Never, OnePlace, Workflow, WorkflowDashboards, WorkflowDashboardsOnePlace, WorkflowExcel, WorkflowExcelDashboards, WorkflowExcelDashboardsOnePlace, WorkflowExcelOnePlace, WorkflowForms, WorkflowFormsDashboards, WorkflowFormsDashboardsOnePlace, WorkflowFormsExcel, WorkflowFormsExcelDashboards, WorkflowFormsExcelOnePlace, WorkflowFormsOnePlace, WorkflowOnePlace |
AccessGroup | Everyone | ExistingGroup |
MaintenanceGroup | Administrators | ExistingGroup |
Dashboards
Output
Export creates a three tab workbook: DashboardMaintenanceUnits, DashboardGroups, and DashboardProfiles.
Purpose
Controls access to Dashboard Maintenance Units. Access Group will determine if descendant dashboard objects can be accessed. Maintenance Group is meaningful only when the DashboardAdminPage Security Role is set to a value other than Administrators.
DashboardMaintenanceUnits
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
DMMaintenanceUnit | Demo_Exec_Overview | ExistingDashboardMaintenanceUnit |
AccessGroup | Everyone | ExistingGroup |
MaintenanceGroup | Administrators | ExistingGroup |
DashboardGroups
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
DBGroup | ApplicationAnalysis | ExistingDashboardGroup |
AccessGroup | Administrators | ExistingGroup |
DashboardProfiles
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
DBProfile | FinancialReview | ExistingDashboardProfile |
UIVisibility | OnePlace | Never, Always, OnePlace, Workflow |
AccessGroup | Everyone | ExistingGroup |
MaintenanceGroup | Administrators | ExistingGroup |
Transformation Rules
Output
Export creates a two tab workbook: XformRules and XformProfiles.
Purpose
Controls access to, and maintenance of, Transformation Rule Profiles and Lookup Groups. MaintenanceGroup is meaningful only when the TransformationRulesPage Security Role is set to a group other than Administrators.
XformRules
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
XformRule | BudgetV1_CorpEntities | ExistingRuleProfile |
AccessGroup | Everyone | ExistingGroup |
MaintenanceGroup | Administrators | ExistingGroup |
XformProfiles
Sample Partial Export
Properties
Property | Sample Value | Possible Values |
---|---|---|
XformProfile | BudgetV1 | ExistingTransformationRuleProfile |
AccessGroup | Everyone | ExistingGroup |
MaintenanceGroup | Administrators | ExistingGroup |
Administration Tasks
Access to this Solution must be tightly controlled: it can read and rewrite every security artifact in the application, including System Security roles and user definitions.
Once installed, there are no settings.
Data Structures
This Solution uses three tables: BDA_FW_Solution_Keys, BDA_FW_Task_EditHistory, and BDA_FW_Task_Status.
BDA_FW_Solution_Keys
Solution key(s) for the relevant BDA Solutions.
Sample Data
Table Schema
BDA_FW_Task_EditHistory
Tasks in Task Editor with 10 generations of audit.
Sample Data
Table Schema
BDA_FW_Task_Status
Tracks completed task status when feature is in use.