Overview
In this session, we’ll look at managing various types of users and restricting access to different pieces of the application. We’ll begin by adding some sample Users to our Application, then we’ll look at ways we can secure access to data, and lastly, we’ll look at restrictions we can place on accessing different areas of the Application.
Transcript
[transcript]
In this session, we’ll look at managing various types of users and restricting access to different pieces of the application.
We’ll begin by adding some sample Users to our Application and examining the three pre-defined security roles in Kepion, then we’ll look at ways we can secure access to data with Model and Dimension permissions, and lastly, we’ll look at restrictions we can place on accessing different areas of the Application.
To add new Users, select User & Group, and then click Add. Here we can add an authenticated user from our environment by specifying their domain and username, or we can add a Custom User that only exists locally in the Application. Custom Users are useful for testing our Application, so let’s add a couple. We can name one John Smith, and the other one Mary Smith.
In the permission section we can configure each user’s permissions individually. However, if we were managing a large corporation, with hundreds of users, configuring each person individually would not be feasible.
This is why Kepion also allows you to configure permissions at the group level. Let’s return to User & Group and click Add. Kepion supports both Active Directory groups, if you’re managing authenticated users, and Roles for managing a custom set of users or groups within Kepion.
Let’s add a new Role called US Dept. In the Membership section, we can configure the role and add both of our Users as members.
At the top, you can see there are three default roles that users can be added to as well: Administrator, Model Designer, and Advanced Contributor. The Administrator role manages both user security and workflow. This role can grant users access to models and dimension members, and manage workflow configurations such as adding Contributors, Approvers, and Reviewers.
The Model Designer role manages the core modeling aspects of an application, including the ability to create new Dimensions, Models, Forms, Dashboards, and more. Model Designers can also deploy the Application. And then the Advanced Contributor role has the privilege to use advanced features, such as transactional drill-through.
If we return to the Permission section, we can configure the Model permissions for the Custom Role we created. Let’s give these users full read access, but only write permissions to the Assumption Model. Now if we switch to John or Mary, we can see that they’ve automatically inherited the same read/write permissions.
Now let’s test their permissions in the app. First, let’s add this role as a contributor to our Dashboard App and then save. Clicking on the name in the top-right allows us to impersonate another user. In the app, the Deflator % and Trade Spend Forms are now read-only. If I right-click and examine the cell details, we can see that IsWriteable has been set to False.
In addition to restricting access by Models, we can also limit users by specific Dimension Members; however, Dimension Permissions work differently from Model permissions.
By default, users in Kepion cannot Read or Write to any Model—they need to be given Explicit Access. Once permission has been granted, they’re allowed to access all Dimensions in the Model. However, if we define permissions on a particular Dimension Member, the User will lose their implicit access to the other members.
In Kepion, if we click on the Dimension Permissions, there’s nothing to select. Before we can restrict by Dimensions, we need to turn on Dimension Security. Let’s return to the Modeler. Check the “Security” option for the Entity Dimension. This is disabled by default to increase performance.
Now let’s save and deploy. If we return to the Administrator tab, let’s select Dimension, and then switch to the Read/Write tab and add the United States.
If we navigate to the App, we can no longer see the other Entities. However, if we select North America, we can still see the Aggregated totals from the US and Canada. We can change this behavior as well by checking the Dimension Security Visual Totals option in the All Dimensions node.
The last method of applying security in Kepion is completely restricting access to different sections of the application and dashboard apps. In the Restriction section here, we can configure a user to only have access to certain areas of the Modeler and Administrator Modules. For example, this user would only be able to work on Dashboards in the Application.
Within a Dashboard App, we have a Page Restriction and Write Restriction tab. Page Restrictions prevent specific users or groups from accessing a certain page in a Dashboard. Let’s configure John Smith to be able to access every page except the Deflator %.
In Write Restrictions, we can constrain users to only write to a particular Dimension Member. The difference between this and Dimension Permissions is that Write Restrictions constrain all users to write to only the selected Members, within this particular App. Dimension Permissions constrain a single user or group from reading or writing from a Dimension Member in any App.
Let’s switch to Entity and then select United States. In the Dashboard App, we can no longer access the Deflator % page. In addition, all Members other than United States are now read-only.
In this session, we added some sample Users to our Application and examined the three pre-defined security roles in Kepion, then we looked at ways to secure access to data with Model and Dimension permissions, and lastly, we restricted access to different areas of the Application and Dashboard Apps.
In the final video of this series, we’ll design a workflow process to submit and approve user submissions.
[/transcript]