In EPM Planning, we can now apply cell level security (CLS). It is finally here. It is surely exciting news.
The CLS can deny access to cells that a user would normally have access to due to their regular security. It is defined as an exception to the existing member security.
Historical Situations/Challenges
Let’s start with some examples and problems that we are facing when using the traditional planning security design.
1. Cross dimension security — Revenue & Expense planning
A department manager requires write access to all accounts under his/her department, but only requires write access to a few expense accounts for other departments.
2. Cross dimension security — Workforce planning
A department manager requires write access to the salary expense account for his/her department, and requires no access to salary expense for other departments.
Current solution:
The current security setting would provide write access to all accounts for all departments. We might end up using different dimension members or multiple applications to solve this. This cross dimensional security was not available in a planning solution.
3. Cube level security — Workforce cube vs Financial cube
A department manager requires write access to salary expense accounts in workforce cube, and requires read access to salary expense accounts in Financial cube.
Current solution:
The current security setting would not allow cube level security. We might use valid intersection or different dimension members between cubes to solve this.
Cell Level Security Release
The CLS feature was released in the March 2021 patch, 21.03.
As of now, CLS is available for the following products only:
- Planning
- Planning Modules
- Tax Planning
Please note:
- CLS works for both traditional PBCS/EPBCS and enterprise planning
- For Financial Consolidation and Close, CLS will be available later in CY21. It needs to apply to Journals and Supplemental Data Manager (SDM).
- For Profitability and Cost Management, it is currently not using the Planning platform. There is a plan to move to the planning platform later in CY21. When that happens, PCM will be able to use CLS.
Cell Level Security Overview
Let’s start with the cool features.
- CLS applies security per cube
- CLS applies security to unsecured dimensions
- CLS restricts existing security. In other words, it is taking away security, not granting security.
  - Deny Read (Default)
  - Deny Write
- Users with deny write access can see the data value in a cell, but the cell is not editable; for users with deny read access, the value displayed in the cell is #noaccess.
- CLS leverages the valid intersection framework to restrict access to users viewing certain cell intersections
- CLS applies to users or user groups
- CLS doesn’t affect administrators
- CLS can be imported/exported from CLS definition UI
- CLS is available in EPM Automate and REST API
- CLS supports impersonating a user
- Use Existing Forms to See Security Impact Per User as an Administrator
We will go through some of these features in detail. CLS works like valid intersection rules: it denies read or write access to users viewing certain cell intersections, anywhere a cell is shown.
It applies to:
- Forms
- Web Ad Hoc
- Runtime prompts
- Smart View
- Reports
- Dashboards
- Infolets
It does not apply to:
- Hard-coded calcs
- Administrator security
Cell Level Security Example
To create a CLS, go to the Cell-Level Security card.
For example, create an Entity – Account CLS. Assign CLS to the user TEST.
Notice, we are able to specify a cube when creating a CLS.
If you are familiar with Valid Intersection, you will notice when creating a CLS it has the following 2 settings as well.
- Anchor dimension – Apply to Selected Members Only
- Non-anchor dimension – Required
Save and enable the new CLS.
From a user perspective, when the TEST user logs into the application, this user will see the form as follows.
User View:
Back to the admin view. The CLS “Testing” feature is cool. It supports impersonating a user. So as an admin, we can pick one of the users and see what they see. Really good for us to troubleshoot security issues.
For example, click Test, and then select the TEST user.
Now we see what security this user has.
Please note, CLS works for any unsecured dimension. In this example, we created the CLS to the unsecured dimension, Entity.
Additional takeaways
1. It is not a best practice to use only cell level security. It is taking away security. CLS is meant to be exception-based security, not the primary security design.
2. CLS vs Valid Intersection
- CLS uses the valid intersection framework, but it is not replacing valid intersection. Valid intersection has nothing to do with security; it just prevents you from entering data. CLS can take read access away and can be used as a security design.
- There are use cases for both. If Entity1, Product1 is valid for data entry, and Entity2, Product2 is valid for data entry, a valid intersection might be a better solution.
3. Security conflict. Deny read will always win. The cell will display as #noaccess.
4. Smart Push
- If a user is assigned either Deny Write or Deny Read security, this user will not be able to process a smart push to this combination.
- For example, suppose data is stored in a combination submitted by an admin but has not been pushed to the reporting cube. A smart push processed by a user for this combination will not push the data over to the reporting cube. Using the previous example, when the TEST user processes a smart push, the deny write and deny read combinations will not be pushed over to the reporting side.
The deny write and deny read combinations will not get pushed over.
5. EPM Automate
- EPM Automate will support the exportCellLevelSecurity and importCellLevelSecurity commands in the April 2021 patch.
For example,
epmautomate exportCellLevelSecurity FILE_NAME.zip [Names=SECURITY_RECORD_NAMES]
- Names = Optional Comma Separated List of CLSD
- If No Names Provided, Exports All CLSD
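The rules from the overview and takeaways above (CLS only takes access away, is defined per cube, is assigned to users or groups, does not affect administrators, and deny read wins a conflict) can be written down as a small model for reasoning about what a user will see. This is an added example, not Oracle's implementation and not code from the original post; the cube, group and member names are constructed.

```python
from dataclasses import dataclass

RANK = {"none": 0, "read": 1, "write": 2}
CAP = {"deny_read": "none", "deny_write": "read"}  # most access a matching rule leaves

@dataclass
class ClsRule:
    cube: str                        # CLS definitions are created per cube
    assigned_to: set                 # users or groups
    members: dict                    # dimension -> members covered by the rule
    restriction: str = "deny_read"   # Deny Read is the default

    def matches(self, cube, principals, cell):
        return (self.cube == cube
                and bool(self.assigned_to & principals)
                and all(cell.get(d) in m for d, m in self.members.items()))

def effective_access(base, cube, user, groups, cell, rules, is_admin=False):
    """Return 'none', 'read' or 'write' for one cell.

    base is what regular member security already grants; CLS can only lower it.
    """
    if is_admin:                     # CLS does not affect administrators
        return base
    access = base
    for rule in rules:
        if rule.matches(cube, {user} | set(groups), cell):
            cap = CAP[rule.restriction]
            if RANK[cap] < RANK[access]:
                access = cap         # deny read (cap 'none') wins any conflict
    return access

def render(value, access):
    """What the user sees: deny read shows #noaccess instead of the value."""
    return "#noaccess" if access == "none" else value

# Constructed sample: cube, group and member names are illustrative only.
RULES = [
    ClsRule("Workforce", {"TEST"}, {"Entity": {"Dept200"}, "Account": {"Salary"}}),
    ClsRule("Financial", {"Managers"}, {"Account": {"Salary"}}, "deny_write"),
    ClsRule("Financial", {"TEST"}, {"Entity": {"Dept300"}, "Account": {"Salary"}}),
]

if __name__ == "__main__":
    for cube, entity in [("Workforce", "Dept100"), ("Workforce", "Dept200"),
                         ("Financial", "Dept100"), ("Financial", "Dept300")]:
        cell = {"Entity": entity, "Account": "Salary"}
        acc = effective_access("write", cube, "TEST", ["Managers"], cell, RULES)
        print(cube, entity, acc, render(1000, acc))
```

The Financial/Dept300 cell is matched by both a deny write and a deny read rule, so it resolves to no access; the same cell for an administrator keeps its base access.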
Hope this post provides some useful information for you. Till next time.
Well explained.