EPM Lab – Conflicting Access Security Setting

April 20, 2018
Posted by Jun on

As we know, in Hyperion Planning and EPM cloud applications, such as PBCS, EPBCS, FCCS, etc., we are able to assign access to specific members. The access options are:

  • Read
  • Write
  • None

From the above screenshot, we can also see that the inherited access options are:

  • Children
  • Children (inclusive)
  • Descendants
  • Descendants (inclusive)

 

What if in certain cases, we assign a member access to a user and group with different access; or we assign a user access to a level 0 member and a parent member with different access. When conflicting access happens, the situation might become tricky. Let’s dig into all the possible conflicting situations.

 

Firstly, create sample Entities for testing purpose.

 

Create a simple webform for testing purpose. As an admin, we have the write access to all the entities.

 

We are going to use Alex Smith account to test the conflicting access. Let’s create an Access and Access2 groups. Then assign Alex to both of the groups.

 

Log in as Alex.

 

1.Individual Access vs. Inherited Group Access

Give access to a user supersedes the access inherited from the associated group. For example, assign Write access for Massachusetts to Alex. In the meantime, assign read access to the Access Group.

 

When open the webform, we see Alex has the write access.

 

Conclusion: Individual access supersedes group access.

 

2.Write Access vs. Read Access

If a user is under different groups, one group has write access and the other group has read access. For example, assign Write access to Access group and Read access to Access2 group.

 

Alex has the write access to the entity Massachusetts.

 

Conclusion: Write access supersedes read access.

 

3.None Access vs. Read Access

If a user is under different groups, one group has none access and the other group has read access. For example, assign None access to Access group and Read access to Access2 group.

 

Alex has no access to the entity Massachusetts.

 

Conclusion: None access supersedes read access.

 

4.None Access vs. Write Access

If a user is under different groups, one group has none access and the other group has write access. For example, assign None access to Access group and Write access to Access2 group.

 

Alex has no access to the entity Massachusetts.

 

Conclusion: None access supersedes write access.

 

5.Direct Member Access vs. Inherited Member Access

If a user has assigned access to a member and has assigned a different access to a parent member. For example, assign none access for descendants inclusive to Total Entity, and assign read access to Massachusetts.

 

Alex has the read access to the entity Massachusetts.

 

Similar situation, if assign read access for descendants inclusive to Total Entity, and assign write access to Massachusetts. The Alex has write access.

 

Conclusion: Direct member access supersedes inherited member access.

 

Hope this post gives you some idea of the conflicting access. Till next time.

 

Leave a Reply