NOTE: This is an Enterprise Licensed option. If you do not have an Enterprise License or just need simple data separation without the need for data row restrictions, consider using Data Teams.

  

Security Roles are used to restrict data elements and specific actions from users. This is an enterprise level setup and requires full knowledge of all other aspects of the system. You must have administrator level access to setup security roles.


When security is enabled, ONLY administrators and assigned activated member codes will have access to the system. Simply having a valid activation code does NOT grant access to a secured system. Access MUST be granted to users by an administrator.


Important Note:
    To error on the side of caution, when the security option is enabled, ALL access to data is restricted by default.

    Individual field access MUST be specifically granted to a role or access will be denied.


    If a user is a member of multiple roles, ONLY overlapping granted fields will be accessible, all others will be denied.

    Newly discovered data elements in a Data Source will be inaccessible until access is granted to the role.


Security Roles Manager can be access from the System Managers section of the main menu on the Administration tab:



Security Roles Manager

Security LOCK will be unlocked (Security OFF) as shown above, if the system is not installed in a multi-user environment on a shared folder.


You can still setup security roles but they WILL NOT have an effect unless you see the LOCKED status (Security ON) on the menu.


You can create any number of overlapping security roles, however we suggest limiting the number or users may be denied access unintentionally.


Database Security

Security roles do NOT grant any more access to a database than allowable by an organization’s database security policy. Data connections are made with standard Integrated Security (Windows Authentication) or specific Database User Authentication.


Furthermore, only READ access (other than View publishing) is required to your database so there can never be any data integrity concerns. 


The system will NEVER UPDATE, INSERT or DELETE any data in the actual physical database tables.


Member Restrictions

Only users with valid activation codes who have been granted access by an administrator can access the system.

Members with administrative permissions will always have access and cannot be denied entry.

You can have more than one user with administrative access for employee contingencies.


System Access Permissions

System Access options allow administrators to restrict specific menu options and actions from users.

Restricted options will be grayed out or removed completely from the system.



Data Permissions

DSF supports both field limitations, which restricts users from selecting specific data fields and row restrictions, which exclude data records based on filter rules (Chinese Wall).

You can create any number of Roles, however please remember that Roles have an overlapping restriction affect.

Having a Member with too many overlapping rules may inadvertently restrict data access.


 


When a user is a member of ANY role that denies data access, then access is denied regardless if any other role Allows access.


In the image above, even though Role 1 allows access, access to Field C and Field D is denied because of Role 2.


Members

When security is enabled, members must be assigned to a role. Users will have NO access to data elements unless they are a member of a role that allows access.


DSF defaults on the side of caution and therefore, restricts ALL data access unless it is explicitly allowed.


You can add a member to the role by selecting from the member list.

or you can add a new member using the Member Manager.

If the system is running on a Domain you may have access to the LDAP (Lightweight Data Access Protocol) user information. 

Selecting this button will scan your LDAP database for users so that you can easily add them as members.


Access

Roles can control both action access and data access in a single role. In a complex role setup you may prefer to create seperate access and data roles.

You can then assign a member to both roles to combine them.    



Selected entries allow access. All others are denied.


Data

Restricting data is an Enterprise level option. Business requirements for restricting data should be discussed with a Data Selections consultant before attempting setup.


Field Permissions

Access to data fields is driven by Data Category. Data Categories are the lowest level of data organization.

DSF Views are created from Entities and Entities are derived from Data Categories. 

By restricting fields in a Data Category your are restricting ANY entities fields that are derived from that Data Category and any DSF View fields generated from the entity. 



Row Restrictions

Row restrictions can be saved by name and reused on multiple roles. 



The Row Restriction applied to this Security Role will limit data rows to ONLY include rows where the City value equals NYC.



Entity Restrictions