Overview
In this session, we’ll look at managing various types of users and restricting access to different pieces of the application. We’ll begin by adding some sample users to our application, then we’ll look at ways we can secure access to data, and lastly, we’ll look at restrictions we can place on accessing different areas of the application.
Transcript
[transcript]
In this session, we'll look at managing various types of users and restricting access to different pieces of the application.
We'll begin by adding some sample users to the application and examining the three predefined security roles in Kepion. Then we'll look at ways we can secure access to data with model and dimension permissions. And lastly, we'll look at restrictions we can place on accessing different areas of the application.
To add new users, select user and group, and then click add user. Here, we can add an authenticated user from our environment by specifying their domain and username, or we can add a custom user that only exists locally in the application. Custom users are useful for testing our application, so let's add a couple.
In the permission section, we can configure each user's permissions individually. However, if we were managing a large corporation with hundreds of users, configuring each person individually would not be feasible. This is why Kepion allows you to configure permissions at the group level.
Let's navigate to the roles section and click add role. Kepion supports both Active Directory groups, if you're managing authenticated users, and roles, for managing a custom set of users or groups within Kepion.
Let's add a new role called US department.
In the membership section, we can configure the role and add both of our users as members.
At the top, you can see there are two default roles that users can be added to as well: application admin and application modeler.
The application admin manages user security, permissions, and workflow settings within the application, ensuring the right users can view and interact with the appropriate components. The application modeler builds and maintains the core structure of the application by creating dimensions, models, forms, dashboards, and rules.
If we return to the permissions section, we can configure the model permissions for the custom role we created. Let's give these users full read access, but only write permissions to the assumption model.
Now if we switch to John or Mary, we can see that they've automatically inherited the same read and write permissions.
Now let's test the permissions in the app. First, let's add this role as a contributor to our dashboard app and then save.
System admins have the ability to impersonate other users. Clicking on the name in the top right allows us to do so.
In the app, the deflator percent and trade spend forms are now read-only. If I right-click and examine the cell details, we can see that is writable has been set to false.
In addition to restricting access by models, we can also limit users by specific dimension members. However, dimension permissions work differently from model permissions.
By default, users in Kepion cannot read or write to any model. They need to be given explicit access. Once permission has been granted, they're allowed to access all dimensions in the model. However, if we define permissions on a particular dimension member, the user will lose their implicit access to the other members.
In Kepion, if we click on the dimension permissions, there's nothing to select. Before we can restrict by dimensions, we need to turn on dimension security.
Let's return to the modeler.
Check the security option for the entity dimension. This is disabled by default to increase performance. Now let's save and deploy.
If we return to the administrator tab, let's select dimension, and then in both the read and write tabs add the United States.
If we navigate to the app, we can no longer see the other entities. However, if we select North America, we can still see the aggregated totals from the US and Canada. We can change this behavior as well by checking the dimension security visual totals option in the all dimensions node.
The last method of applying security in Kepion is completely restricting access to different sections of the application and dashboard apps.
In the module restriction section, we can configure a user to only have access to certain areas of the modeler and administrator modules. For example, this user would only be able to work on dashboards in the application.
Within a dashboard app, we have a page restriction and write restriction tab. Page restrictions prevent specific users or groups from accessing a certain page in a dashboard.
Let's configure John Smith to be able to access every page except the deflator percent.
In write restrictions, we can constrain users to only write to a particular dimension member. The difference between this and dimension permissions is that write restrictions constrain all users to write to only the selected members within this particular app. Dimension permissions constrain a single user or group from reading or writing from a dimension member in any app.
Let's switch to scenario and then select forecast.
In the dashboard app, we can no longer access the deflator percent page.
In addition, all members other than forecast are now read-only.
In this session, we added some sample users to our application and examined the three predefined security roles in Kepion.
Then we looked at ways to secure access to data with model and dimension permissions.
And lastly, we restricted access to different areas of the application and dashboard app.
In the final video of this series, we'll design a workflow process to submit and approve user submissions.
[/transcript]