This page is in development!
Purpose
The purpose of this page is to show 2 things:
- Given a security setting what workflows does it enable
- Given a workflow what are the minimal security settings required
Documentation links
Settings to workflows
| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting | Needed for workflow |
|---|---|---|---|---|---|---|
| | | | | Analytic Model | Maintain | Analytic Model Export to File |
| | | | | Model property | Restricted Export | Analytic Model Export to File |
| | | | | Model file | Read - View | Analytic Model Export to File |
| | | | | Analytic Model | Maintain | Analytic Model Export to File |
| | | | | Dimension | Read | Analytic Model Export to File |
| | | | | Other Datasources | Execute | Analytic Model Export to File |
| | | | | Private Files | Create | Analytic Model Export to File |
| | | | | Private Files | Read | Analytic Model Export to File |
| | | | | Planning Model | Maintain | Analytic Model Export to File |
| | | | | Model property | Restricted Export | Planning Model Export to File |
| | | | | Model file | Read - View | Planning Model Export to File |
| | | | | Model file | Maintain - Edit | Planning Model Export to File |
| | | | | Analytic Model | Maintain | Planning Model Export to File |
| | | | | Dimension | Read | Planning Model Export to File |
| | | | | Other Datasources | Execute | Planning Model Export to File |
| | | | | Private Files | Create | Planning Model Export to File |
| | | | | Private Files | Read | Planning Model Export to File |
| | | | | Public Files | Read | Analytic Model Export to File |
| | | | | Public Files | Read | Planning Model Export to File |
| | | | | Connection | Maintain | Analytic Model Export to File |
| | | | | Connection | Read | Analytic Model Export to File |
| | | | | Connection | Maintain | Planning Model Export to File |
| | | | | Connection | Read | Planning Model Export to File |
| | | | | Model file | Read - View | Publish a Version to Public |
| | | | | Model file | Edit - Maintain | Publish a Version to Public |
| | | | | Dimension | Read | Publish a Version to Public |
| | | | | Planning Model | Read | Publish a Version to Public |
| | | | | Planning Model | Maintain | Publish a Version to Public |
| | | | | Public Files | Read | Publish a Version to Public |
| | | | | Model property | Restricted Export | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Model file | Read - View | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Planning Model | Create | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Analytic Model | Create | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Planning Model | Maintain | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Dimension | Read | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Read | Create | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Other Datasources | Execute | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Connection | Maintain | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Connection | Read | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Public Files | Read | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Public Files | Create | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Private Files | Read | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Private Files | Create | Create Planning Model off Data Source Export to File (Owner) |
| | | | | Model file | Read - View | View Story based on Analytical Model with Live Connection |
| | | | | Story file | Read - View | View Story based on Analytical Model with Live Connection |
| | | | | Analytic Model | Read | View Story based on Analytical Model with Live Connection |
| | | | | Public Files | Read | View Story based on Analytical Model with Live Connection |
| | | | | Model file | Read - View | Share Analytical Model with Users/Teams |
| | | | | Model file | Full Control - Share | Share Analytical Model with Users/Teams |
| | | | | Analytic Model | Read | Share Analytical Model with Users/Teams |
| | | | | Public Files | Read | Share Analytical Model with Users/Teams |
| | | | | User | Read | Share Analytical Model with Users/Teams |
| | | | | Team | Read | Share Analytical Model with Users/Teams |
| | | | | Model file | Read - View | Move an Analytic Model in the Public Folders to another folder |
| | | | | Model file | Edit - Update | Move an Analytic Model in the Public Folders to another folder |
| | | | | Analytic Model | Read | Move an Analytic Model in the Public Folders to another folder |
| | | | | Analytic Model | Update | Move an Analytic Model in the Public Folders to another folder |
| | | | | Public Files | Create | Move an Analytic Model in the Public Folders to another folder |
| | | | | Public Files | Read | Move an Analytic Model in the Public Folders to another folder |
| | | | | Model file | Read - View | View Story based on Analytical Model with Acquired data (Import Connection) |
| | | | | Story file | Read - View | View Story based on Analytical Model with Acquired data (Import Connection) |
| | | | | Analytic Model | Read | View Story based on Analytical Model with Acquired data (Import Connection) |
| | | | | Dimension | Read | View Story based on Analytical Model with Acquired data (Import Connection) |
| | | | | Public Files | Read | View Story based on Analytical Model with Acquired data (Import Connection) |
| | | | | Public Files | Manage | View Story based on Analytical Model with Acquired data (Import Connection) |
| | | | | Model file | Read - View | Open an Analytic Model with Acquired Data (import connection) |
| | | | | Story file | Read - View | Open an Analytic Model with Acquired Data (import connection) |
| | | | | Analytic Model | Read | Open an Analytic Model with Acquired Data (import connection) |
| | | | | Dimension | Read | Open an Analytic Model with Acquired Data (import connection) |
| | | | | Public Files | Read | Open an Analytic Model with Acquired Data (import connection) |
| | | | | Other Datasources | Execute | Create a new connection |
| | | | | Connection | Create | Create a new connection |
| | | | | Connection | Read | Create a new connection |
| | | | | Model file | Read - View | Publish only booked and specific Versions to Public (managed with Model Data Privacy via Roles) |
| | | | | Model file | Edit - Maintain | Publish only booked and specific Versions to Public (managed with Model Data Privacy via Roles) |
| | | | | Model file | Model Preferences - Model Data Privacy | Publish only booked and specific Versions to Public (managed with Model Data Privacy via Roles) |
| | | | | Role - Model | Limited Access - Write Access 'Version=xxx' | Publish only booked and specific Versions to Public (managed with Model Data Privacy via Roles) |
| | | | | Dimension | Read | Publish only booked and specific Versions to Public (managed with Model Data Privacy via Roles) |
| | | | | Planning Model | Read | Publish only booked and specific Versions to Public (managed with Model Data Privacy via Roles) |
| | | | | Planning Model | Maintain | Publish only booked and specific Versions to Public (managed with Model Data Privacy via Roles) |
| | | | | Public Files | Read | Publish only booked and specific Versions to Public (managed with Model Data Privacy via Roles) |
| | | | | Model file | Read - View | Publish booked Versions to Public (managed with Model Data Access Control) |
| | | | | Model file | Edit - Maintain | Publish booked Versions to Public (managed with Model Data Access Control) |
| | | | | Model file | Model Preferences - Data Access Control - Version | Publish booked Versions to Public (managed with Model Data Access Control) |
| | | | | Model file | Version Dimension - 'Write' right for a given Version | Publish booked Versions to Public (managed with Model Data Access Control) |
| | | | | Dimension | Read | Publish booked Versions to Public (managed with Model Data Access Control) |
| | | | | Planning Model | Read | Publish booked Versions to Public (managed with Model Data Access Control) |
| | | | | Planning Model | Maintain | Publish booked Versions to Public (managed with Model Data Access Control) |
| | | | | Public Files | Read | Publish booked Versions to Public (managed with Model Data Access Control) |
| | | | | Role | Read | Change System Owner |
| | | | | System Information | Read | Change System Owner |
| | | | | System Information | Update | Change System Owner |
| | | | | User | Read | Change System Owner |
| | | | | User | Update | Change System Owner |
Rights Granting other Rights
This lists the Rights that are automatically granted once another right has been granted. These rights are 'mandatory' and dependent on the other.
| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Other Rights granted automatically (which can not be de-selected) |
|---|---|---|---|---|---|
| | | | | Planning Model - Create | Analytic Model - Create |
| | | | | Connection - Maintain | Connection - Read |
| | | | | Lifecycle - Share | Lifecycle - Maintain |
Workflows to settings
This section shows the minimal rights required for a given workflow.
Missing workflows?
If you would like another workflow added please contact me and I will endeavour to incorporate your feedback as best I can. I can't always reply to all messages in a timely fashion.
Workflow: Analytic Model Export to File
- Export Analytic Model data
- to a CSV file to be created in the Private user folder
- when model is held in public folder
- The user is not the owner of the model
| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting |
|---|---|---|---|---|---|
| | | | | Model property | Restricted Export |
| | | | | Model file | Read - View |
| | | | | Analytic Model | Read |
| | | | | Analytic Model | Maintain |
| | | | | Dimension | Read |
| | | | | Other Datasources | Execute |
| | | | | Connection | Maintain |
| | | | | Connection | Read |
| | | | | Public Files | Read |
| | | | | Private Files | Create |
| | | | | Private Files | Read |
Workflow: Planning Model Export to File
- Export Planning Model data
- to a CSV file to be created in the Private user folder
- when model is held in public folder
- The user is not the owner of the model
| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting |
|---|---|---|---|---|---|
| | | | | Model property | Restricted Export |
| | | | | Model file | Read - View |
| | | | | Model file | Maintain - Edit |
| | | | | Planning Model | Read |
| | | | | Planning Model | Maintain |
| | | | | Dimension | Read |
| | | | | Other Datasources | Execute |
| | | | | Connection | Maintain |
| | | | | Connection | Read |
| | | | | Public Files | Read |
| | | | | Private Files | Create |
| | | | | Private Files | Read |
Workflow: Browse Samples Folder
- Browse the 'samples' folder and list Stories in that folder
Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting | |
---|---|---|---|---|---|---|
No rights are needed at all. The user just needs a login to SAC.
The stories are listed and they can be opened, but no data will be shown with any of the visualisations.
Templates are listed but they can not be opened.
Workflow: Publish a Version to Public
- Browse and open a story in the Public Folders
- Where the story is based off a Planning Acquired Model
- Open the story, select 'Version Management' and publish a private version to the 'Public Versions'
- The user is not the owner of the model
| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting |
|---|---|---|---|---|---|
| | | | | Model file | Read - View |
| | | | | Model file | Edit - Maintain |
| | | | | Dimension | Read |
| | | | | Planning Model | Read |
| | | | | Planning Model | Maintain |
| | | | | Public Files | Read |
This also gives the right to create a new private version
Workflow: Publish only booked and specific Versions to Public (managed with Model Data Privacy via Roles)
- Create a new story off a Planning Acquired Model
- Open the story, select 'Version Management' and publish a private version to the 'Public Versions', but only allow the user to publish a particular version
- The user is not the owner of the model
| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting |
|---|---|---|---|---|---|
| | | | | Model file | Read - View |
| | | | | Model file | Edit - Maintain |
| | | | | Model file | Model Preferences - Model Data Privacy |
| | | | | Role - Model | Limited Access - Write Access 'Version=xxx' |
| | | | | Dimension | Read |
| | | | | Planning Model | Read |
| | | | | Planning Model | Maintain |
| | | | | Public Files | Read |
This also gives the right to create a new private version
Strictly speaking, the 'Dimension' right is not needed for the workflow if no dimensions were in the story; however, in almost every case it would be needed.
Users will be able to publish other versions, but these versions will not contain any data, they will be unbooked public versions. It means the version will appear to that user as an unbooked public version which they can delete. The version will also appear in the Model-Version Dimension. It could be an 'IT admin' task to occasionally delete these unbooked versions should the user(s) not delete them by themselves. Other users will see these unbooked public versions, even if they are not granted read access to them. The read access rights are to view booked data, it doesn't stop them seeing that a version exists, albeit they can't view any booked data in it.
Can be combined with 'Model Data Access Control' by enabling Access Control on the 'Version' Dimension or any other dimension. The combination of access rights is as you would expect. If a dimension is specified in both 'Model Data Access Control' and 'Model Data Privacy' via Roles, they need both rights. If a dimension is only specified in either 'Model Data Access Control' or 'Model Data Privacy' via Roles (but not both) then just one access right is enough.
'Model Data Access Control' access control rights are assigned to user(s)/team(s), and 'Model Data Privacy' is set per Role. A Role can contain users and teams, and the same Model can have 'Model Data Privacy' set in more than one Role.
For 'Model Data Access Control' access control rights, the user(s) (or the users in the team(s)) will only be able to publish the versions for the Versions specified to have 'Write' access. 'Delete' also gives 'Write' access and 'Write' also gives 'Read' access.
It is the right that prevents the user from publishing booked versions to public, since the 'Write' right only allows them to publish specific booked versions of a given name. Or if you like, it is this right that denies their ability to publish booked data to other versions.
Image above shows a 'Model Data Privacy' set on a Role. It means users (or teams) that are members of this Role will be able to Write data into the Versions 'Actual' and 'Covid plan'!
Image above shows 'Model Data Access Control' access control rights and the user 'MATTHEW' and team 'MYTEAM' can write to 3 versions and can delete 2 versions
If BOTH 'Model Data Privacy' set on a Role (and MATTHEW (and users in the team 'MYTEAM') are in that role) AND 'Model Data Access Control' on the versions are enabled, then the user MATTHEW (and users in the team 'MYTEAM') will only be able to write to the 'Covid plan' since the 'Actual' version is not in both; it's missing from the 'Model Data Privacy'. These users will also be able to publish a version, but that version would be unbooked once published. It is not possible to prevent other users from seeing that these unbooked versions exist, albeit if they do view it, they won't see any data.
Workflow: Publish booked Versions to Public (managed with Model Data Access Control)
- Create a new story off a Planning Acquired Model
- Add a table to a new page and select the model y, select 'Version Management' and publish a private version to the 'Public Versions', but only allow the user to publish a particular version
- The user is not the owner of the model
| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting |
|---|---|---|---|---|---|
| | | | | Model file | Read - View |
| | | | | Model file | Edit - Maintain |
| | | | | Model file | Model Preferences - Data Access Control - Version |
| | | | | Model file | Version Dimension - 'Write' right for a given Version |
| | | | | Dimension | Read |
| | | | | Planning Model | Read |
| | | | | Planning Model | Maintain |
| | | | | Public Files | Read |
This also gives the right to create a new private version
Strictly speaking, the 'Dimension' right is not needed for the workflow if no dimensions were in the story; however, in almost every case it would be needed.
A 'booked' version is simply a version that contains 'fact' data, measures and values against dimensions. An 'unbooked' version is simply a version that contains no 'fact' data, although it may show dimensions, but there are no measure values to show with any dimension values.
Users will be able to publish other versions, and these versions will contain data. It means the version will appear to that user as a booked public version which they can also delete. The version will also appear in the Model-Version Dimension. Other users will see these public versions as unbooked, even if they are not granted read access to them. The read access rights are to view booked data; they don't stop users seeing that a version exists, albeit they can't view any booked data in it.
Can be combined with 'Model Data Privacy' that can be set per Role. The combination of access rights is as you would expect. If a dimension is specified in both 'Model Data Access Control' and 'Model Data Privacy' via Roles, they need both rights. If a dimension is only specified in either 'Model Data Access Control' or 'Model Data Privacy' via Roles (but not both) then just one access right is enough.
'Model Data Access Control' access control rights are assigned to user(s)/team(s) on a version by version basis:
When using only 'Model Data Access Control' access control rights (rather than in combination with 'Model Data Privacy' via Roles), the user(s) (or the users in the team(s)) will only be able to publish a new booked version and publish versions for the Versions specified with 'Write' access. 'Delete' also gives 'Write' access and 'Write' also gives 'Read' access.
It is this right that allows the user to publish booked versions to public. It grants them the right to publish any version to public and only to write/publish to specific versions as defined.
'Model Data Access Control' access control rights are more user friendly, in that the user is notified at data entry time if they have the appropriate write permissions or not, rather than being notified at publishing time when using solely 'Model Data Privacy' via Roles.
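The combination rule stated in both version-publishing workflows above (a user needs a right from every mechanism that restricts the Version dimension, and 'Delete' gives 'Write' gives 'Read') can be expressed as a small evaluator. This is an added example, not SAP code and not part of the original page; the user `ALICE`, team `FINANCE`, role `Planner` and all version names are constructed, and treating rights from several Roles as additive is an assumption.

```python
from dataclasses import dataclass, field, replace

# Per the page: 'Delete' also gives 'Write' and 'Write' also gives 'Read'.
DAC_LEVEL = {"Read": 1, "Write": 2, "Delete": 3}


@dataclass(frozen=True)
class User:
    name: str
    teams: frozenset = frozenset()
    roles: frozenset = frozenset()


@dataclass
class VersionSecurity:
    dac_enabled: bool = False                          # Model Data Access Control on 'Version'
    dac: dict = field(default_factory=dict)            # version -> {user or team: level}
    privacy_enabled: bool = False                      # Model Data Privacy via Roles
    privacy_write: dict = field(default_factory=dict)  # role -> versions with write access


def dac_allows(sec, user, version, need="Write"):
    """True if the user, directly or through a team, holds at least `need`."""
    grants = sec.dac.get(version, {})
    principals = {user.name} | set(user.teams)
    held = max((DAC_LEVEL[lvl] for who, lvl in grants.items() if who in principals),
               default=0)
    return held >= DAC_LEVEL[need]


def privacy_allows_write(sec, user, version):
    # Assumption: write access from several Roles adds up (union).
    return any(version in sec.privacy_write.get(role, set()) for role in user.roles)


def can_write_booked(sec, user, version):
    """Every enabled mechanism must allow the write; a disabled one is not consulted."""
    checks = []
    if sec.dac_enabled:
        checks.append(dac_allows(sec, user, version))
    if sec.privacy_enabled:
        checks.append(privacy_allows_write(sec, user, version))
    return all(checks)  # no mechanism enabled: no version-level restriction


def writable_versions(sec, user, versions):
    return [v for v in versions if can_write_booked(sec, user, v)]


def scenario(sec, dac_enabled, privacy_enabled):
    """Same grants, with each mechanism switched on or off."""
    return replace(sec, dac_enabled=dac_enabled, privacy_enabled=privacy_enabled)


# Constructed sample data.
VERSIONS = ["Baseline", "Budget", "Forecast", "Stretch"]
ALICE = User("ALICE", teams=frozenset({"FINANCE"}), roles=frozenset({"Planner"}))
SEC = VersionSecurity(
    dac_enabled=True,
    dac={
        "Budget": {"ALICE": "Write"},
        "Forecast": {"FINANCE": "Delete"},  # via team; Delete implies Write
        "Stretch": {"ALICE": "Read"},       # Read alone is not enough to write
    },
    privacy_enabled=True,
    privacy_write={"Planner": {"Baseline", "Budget"}},
)

if __name__ == "__main__":
    for dac_on, priv_on in [(True, True), (True, False), (False, True)]:
        s = scenario(SEC, dac_on, priv_on)
        print(f"DAC={dac_on} Privacy={priv_on}:", writable_versions(s, ALICE, VERSIONS))
```

With both mechanisms enabled only the version present in both grant sets stays writable, which is the narrowing effect the MATTHEW/MYTEAM paragraph describes.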
Workflow: Create Planning Model off Data Source Export to File (Owner)
- Create a new Planning Model off a data source (Google Drive as an example)
- Save the Planning Model in the Public Folders
- Export Planning Model data
- to a CSV file to be created in the Private user folder
- The user is the owner of the model
| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting |
|---|---|---|---|---|---|
| | | | | Model property | Restricted Export |
| | | | | Model file | Read - View |
| | | | | Planning Model | Create |
| | | | | Analytic Model | Create |
| | | | | Planning Model | Maintain |
| | | | | Dimension | Read |
| | | | | Dimension | Create |
| | | | | Other Datasources | Execute |
| | | | | Connection | Maintain |
| | | | | Connection | Read |
| | | | | Public Files | Read |
| | | | | Public Files | Create |
| | | | | Private Files | Create |
| | | | | Private Files | Read |
It is the 'Other Datasources - Execute' permission that enables the user to create a model off a data source
If the 'Other Datasources - Execute' permission is not granted the user can still create a new planning model via 'Start with a blank model' workflow.
Even though the user is the owner of the model, they still need the 'Model Property - Restricted Export' to be disabled.
Workflow: View Story based on Analytical Model with Live Connection
- Open a Story (the user does not own) that is based off a model using a live connection (for example to HANA, BW, Universe, S4)
- Where the Model and the Story are held in Public Folders

| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting |
|---|---|---|---|---|---|
| | | | | Model file | Read - View |
| | | | | Story file | Read - View |
| | | | | Analytic Model | Read |
| | | | | Public Files | Read |
Workflow: Share Analytical Model with Users/Teams
- Share an Analytic Model (the user does not own) with other users and/or teams
- Where the Model is held in Public Folders
| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting |
|---|---|---|---|---|---|
| | | | | Model file | Read - View |
| | | | | Model file | Full Control - Share |
| | | | | Analytic Model | Read |
| | | | | Public Files | Read |
| | | | | User | Read |
| | | | | Team | Read |

It is not necessary for BOTH 'User-Read' and 'Team-Read' rights to be granted. If only 'User-Read' is granted then the model can only be shared by selecting individual users. Likewise, if only 'Team-Read' is granted, then the model can only be shared by selecting individual teams. If neither 'User-Read' nor 'Team-Read' is granted, then it will not be possible to share the model.
If a user has the right 'Full Control - Share', the user can grant themselves additional rights including 'Full Control - Delete'. The 'Full Control - Delete' will not override application (or role) permissions. For example, if the user does not have the role right 'Delete' (such as 'Planning Model - Delete', 'Analytic Model - Delete') the user will not be able to delete the Model file in Public folders, even if they have 'Full Control - Delete'.
Workflow: Move an Analytic Model in the Public Folders to another folder
- Move an Analytic Model (the user does not own) that is stored in the Public Folders to another location within Public Folders
| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting |
|---|---|---|---|---|---|
| | | | | Model file | Read - View |
| | | | | Model file | Edit - Update |
| | | | | Analytic Model | Read |
| | | | | Analytic Model | Update |
| | | | | Public Files | Create |
| | | | | Public Files | Read |

The user will also need the 'Edit - Create files' right in the target folder.
Once the model has been moved it will inherit the rights of its new parent folder.
Workflow: View Story based on Analytical Model with Acquired data (Import Connection)
- Open a Story (the user does not own) that is based off a model with acquired data, i.e. using an import connection
- Where the Model and the Story are held in Public Folders

| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting |
|---|---|---|---|---|---|
| | | | | Model file | Read - View |
| | | | | Story file | Read - View |
| | | | | Analytic Model | Read |
| | | | | Dimension | Read |
| | | | | Public Files | Read |
| | | | | Public Files | Manage |

Strictly speaking, the 'Dimension' right is not needed for the workflow if no dimensions were in the story; however, in almost every case it would be needed.
Perhaps confusingly the 'Public Files' - 'Manage' right is needed for acquired (imported) data connections and not for live data connections. If you do NOT have this right the visualisations will not show acquired data, instead you'll see an error "Unable to retrieve data from the datasource. Error: You have no authorisation on the model."
Workflow: Open an Analytic Model with Acquired Data (import connection)
- Open an Analytic Model (the user does not own) that is based on acquired data, i.e. using an import connection
- View the 'Model' tab: model details, list all the dimensions and view all the dimension values. View account (measures) structure. View Dimension Settings
- View the Data Management 'tab': View Draft Source, Import Jobs, Export Jobs, View the 'Data Timeline', Change the 'Notify me of refresh failures by email' switch option
- View the 'Model Preferences'
- Where the Model is held in Public Folders
| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting |
|---|---|---|---|---|---|
| | | | | Model file | Read - View |
| | | | | Story file | Read - View |
| | | | | Analytic Model | Read |
| | | | | Dimension | Read |
| | | | | Public Files | Read |

Strictly speaking, the 'Dimension' right is not needed for the workflow if no dimensions were in the model; however, in almost every case it would be needed.
This workflow requires fewer rights than the 'View Story based on Analytical Model with Acquired data (Import Connection)' workflow. It means that if you can view a story based off acquired data, you can also view and inspect the acquired analytic model that the story uses to show the visualisation.
Workflow: Create a new connection
- View connections and add a new connection to the list of connections
| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting |
|---|---|---|---|---|---|
| | | | | Other Datasources | Execute |
| | | | | Connection | Create |
| | | | | Connection | Read |
Once the connection has been created, the user can edit and share the connection they just created, since they are the owner of that connection.
Workflow: Change System Owner
- View the list of users (Menu-Security-Users)
- Select a user
- Select the option 'Assign As System Owner'
| Analytics Hub Role | BI Role | Planning Pro Role | Planning Standard Role | Right | Setting |
|---|---|---|---|---|---|
| | | | | Role | Read |
| | | | | System Information | Read |
| | | | | System Information | Update |
| | | | | User | Read |
| | | | | User | Update |

Granting this right to an existing role (which a user could already be a member of) requires the 'Update' right on a Role. Creating a new role and granting rights to it requires additional rights on users of 'Update' and 'Manage'. So, if you want to prevent users from granting themselves the 'System Owner' right, do not grant them the right to update a Role, as this prevents existing roles or new roles being granted the 'System Information' - 'Update' right.
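The two questions this page sets out to answer, plus the Role-update caveat above, can be checked mechanically when reviewing a role. The following is an added example, not SAP code and not part of the original page: it copies three of the workflow tables and the 'Rights Granting other Rights' table into Python sets, while the role `CONNECTION_ADMIN`, the function names and the finding codes are constructed for illustration.

```python
# (right, setting) pairs copied from three workflow tables on this page. The page
# mixes role rights and file-level settings; both are treated as plain pairs here.
WORKFLOW_RIGHTS = {
    "Create a new connection": {
        ("Other Datasources", "Execute"), ("Connection", "Create"), ("Connection", "Read"),
    },
    "View Story based on Analytical Model with Live Connection": {
        ("Model file", "Read - View"), ("Story file", "Read - View"),
        ("Analytic Model", "Read"), ("Public Files", "Read"),
    },
    "Change System Owner": {
        ("Role", "Read"), ("System Information", "Read"),
        ("System Information", "Update"), ("User", "Read"), ("User", "Update"),
    },
}

# 'Rights Granting other Rights': granting the key automatically grants the values.
IMPLIED = {
    ("Planning Model", "Create"): {("Analytic Model", "Create")},
    ("Connection", "Maintain"): {("Connection", "Read")},
    ("Lifecycle", "Share"): {("Lifecycle", "Maintain")},
}


def expand(granted):
    """Add automatically granted rights until nothing new appears."""
    result = set(granted)
    pending = list(result)
    while pending:
        for extra in IMPLIED.get(pending.pop(), ()):
            if extra not in result:
                result.add(extra)
                pending.append(extra)
    return result


def enabled_workflows(granted):
    """Setting -> workflows: every workflow whose minimal rights are all held."""
    have = expand(granted)
    return sorted(w for w, need in WORKFLOW_RIGHTS.items() if need <= have)


def missing_rights(granted, workflow):
    """Workflow -> settings: what still has to be granted for this workflow."""
    return sorted(WORKFLOW_RIGHTS[workflow] - expand(granted))


def excess_rights(granted, intended):
    """Rights held that none of the intended workflows requires."""
    needed = set().union(*(WORKFLOW_RIGHTS[w] for w in intended))
    return sorted(expand(granted) - needed)


def escalation_findings(granted):
    """Flag a direct or latent path to 'Assign As System Owner'."""
    if "Change System Owner" in enabled_workflows(granted):
        return ["OWNER_NOW"]
    if ("Role", "Update") in expand(granted):
        # Per the page: updating a Role lets 'System Information - Update' be added to it.
        return ["OWNER_VIA_ROLE_UPDATE"]
    return []


# Constructed role under review.
CONNECTION_ADMIN = {
    ("Other Datasources", "Execute"), ("Connection", "Create"),
    ("Connection", "Maintain"), ("Role", "Read"), ("Role", "Update"), ("User", "Read"),
}

if __name__ == "__main__":
    print("enabled:", enabled_workflows(CONNECTION_ADMIN))
    print("excess :", excess_rights(CONNECTION_ADMIN, ["Create a new connection"]))
    print("risk   :", escalation_findings(CONNECTION_ADMIN))
```

The constructed role only needs to create connections, yet the audit reports 'Role - Update' as excess and as a latent route to System Owner, which is the case the paragraph above says to avoid.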