The Database Security section

This topic describes the Database Security section of the Data model, its specific properties and the information it provides.

In this section, you can create or manage Data model security profiles and check the Security Report on the desired Data model. You will find details covering the following topics:

• About Security profiles

• Database profile options

• Create or edit a Security profile

• Security profile page options

The Board 12.6 release introduced a new Enterprise security concept, officially replacing the previous Enterprise security feature (~DBNAME & ~Security). These prebuilt Data models are no longer maintained nor supported by Board. Customers already using ~DBNAME & ~Security can continue to do so, however it is recommended to move to the more recent and embedded functionalities now offered by our latest versions.

About Security profiles

A Data model security profile is a set of permissions and authorizations that allows or denies a Board user access to:

• Data model design features. The ability to change the Data model design (i.e. add or modify Entities, Cubes, Relationships, Data readers etc.)

• Data. The ability to view or modify data in Cubes. In this case, you can restrict access to all or part of said data

To access the security profiles, access the designer space of the desired Data model and click on the Database security tile. You will be taken to the Database security page, which displays a table that contains all existing security profiles in the Data model. The table is sortable and searchable using the interactive header fields.

The Database security table contains the following information for each security profile:

• Database profile. This column displays the name of each security profile. This is the name that you will use to associate the security profile with a user Role in the Roles section, in the System Administration area of Board. Once you have associated a security profile with a Role, you can associate that Role with a Board user in the User section of the Subscription Hub: only then will the security profile be applied to that user, along with all permissions and authorizations defined in the Role associated with it

• Security filters. This column indicates the presence of security selections or a Custom selection script. A blue-filled radio button is displayed when a security profile with a security selection is in place, otherwise the radio button is empty

• Access mode. This column displays the access mode of each security profile. The following access modes can be associated with a security profile:

  • Database Administrator. Users associated with security profiles with this type of access mode can fully access and modify the Data model and the data in Cubes

  • Read and Write. Users associated with security profiles with this type of access mode can view and modify values in Cubes, apply Selections, etc., but they cannot access the Data model designer space

  • Read. Users associated with Security profiles with this type of access mode cannot modify values in Cubes (unless they have access to Procedures that update them) and cannot access the Data model designer space.

  Note that users associated with security profiles with “Database Administrator” or “Read and Write” access modes cannot view or modify values in Cubes or Entities that are restricted by specific security selections, including Cube access filters called “Cube Visibility”.

• Security system: This column displays the access level of each security profile that determines whether a Board user can access the Database security section or not. The available options are the following:

  • Builder. Users associated with security profiles with this type of Security System can access the Database security section and create or modify security profiles

  • Access denied. Users associated with security profiles with this type of Security System cannot access the Database security section of the Data model

Database profile options

Create or edit a security profile to open the Database profile options panel on the right-hand side of the Screen. The panel displays the following options:

• Data model access. Configure the Data model profile name, Access mode, and Security system settings described in the previous paragraph
   

• Security filters. Configure and apply security selections to the security profile. These are filters that allow you to restrict access to data in Cubes or Entities, both in the Capsules/Presentations environment and in the Data model designer space. You can do this by applying a selection to the Entity members associated with the desired Cube or feature: users affected by these selection will only have access to values and data within the applied selection.
  For example, if the “France” member of the “Country” Entity is selected, a user associated with the security profile with this security filter applied will only see data and values related to the “France” member.
   

Custom selection script. You can also add a Custom selection script that allows you to manually write a selection command script to automatically filter data displayed in Board Platforms based on Entity members defined in the script. An example syntax for this command is as follows:

SELECT EntityName=Member1,Member2,Member3,etc. 
Example: SELECT Country=France,Italy

To define the desired members, you must enter their member code in the script.

Typically the Custom selection script is used to dynamically filter data displayed in Board for each user by using Substitution formulas or Metadata variables. For example, you can configure a “Country” metadata variable, enter the country of each user in the Subscription Hub, and then use it in the Custom selection script so that users can access data only related to their country. This way, the user’s access to data is dynamically filtered by their country (based on their “Country” metadata value) rather than creating multiple security profiles with fixed country selections and associating those profiles with multiple user Roles.

Select Entity based on Cube. You can also add a security filter on Entities based on a specific Cube.

See the next paragraph to learn how to configure security selection and Custom selection scripts in the Database profile options. Read more about Custom selection scripts in detail in the Security filters section.
See Add and manage User metadata to use selection scripts based on custom user metadata defined in the Subscription Hub.

• Cube Visibility. Configure the access level on Cubes of the Data model for the current security profile. The table lists all Cubes of the Data model with a dropdown list under the "Access level" column where you can define the access level that will be saved in the security profile you are editing. This feature prevents users from writing into Cube cells where they shouldn't. Learn more on how to configure Cube visibility.
  Cube visibility rules can be defined from the Database security section of each Data model. When editing or creating a new security profile, a new table in the “Database profile options” sliding panel allows you to manage/review Cube visibility rules.
  The available access levels are the following:

  • OK (Read only). This level grants permission to enter data into the Cube and run update Procedures. Access to the data model design features is not affected by this configuration, as it is based on the user's license

  • Read only. This level grants read-only access to the data stored in the Cube. Users with this profile can view values in reports coming from the Cube or run update Procedures, but they cannot enter data

  • Exclude (No Access). This level completely denies any access to the Cube. Users will not be able to view values coming from it in reports or run update Procedures

To learn how to configure Cube Visibility settings, see the Cube visibility page.
To learn more about the best practices of defining security settings at the Role level and Database level, read this Community best practice post.

Creating or editing a Security profile

To create a Data model Security profile, proceed as follows:

1. Click on the orange plus icon  in the top left corner next to "Database security" to open the Database profile options sliding panel to the right

2. Enter the name of the Security profile in the “Data model profile name” field. This is the name that will be associated with a user Role in the Roles page under the System Administration area of Board

3. Choose an option from the “Access mode” dropdown list. The three options (“Read”, “Read and Write”, and “Administrator”) are described at the beginning of this page

4. Choose an option from the “Security system” dropdown list. The two options (“Builder” and “Access denied”) are described at the beginning of this page

5. (Optional) Add security selection

   Click on “ADD SECURITY SELECTION” to open the Select window and configure a security selection by choosing the desired Entity members that you want the security profile to have access to. Only data related to the selected Entity members will be visible to the user associated with this security profile, as described in the security filters section

6. (Optional) Add a Custom selection script

   Enter a Custom selection script in the “Custom selection script” field by using the following syntax: SELECT EntityName=Member1,Member2,Member3,etc. (i.e. SELECT Country=France,Italy). Read about the specific syntax for custom selection script for Entities with unbalanced hierarchies. See Add and manage User metadata to use selection scripts based on custom user metadata defined in the Subscription Hub

7. (Optional) Configure Cube access levels

   In the "Cube visibility table", change the access level from the dropdown list next to the desired Cubes in the table. You also have the following options located above the table:

   • Access levels for multiple Cubes. You can change the access level of multiple Cubes at once by selecting the checkboxes to the left of the desired Cube names and then changing the access level in bulk from the buttons above the table: READ & WRITE, READ ONLY, and NO ACCESS.

   • COPY/PASTE. Copy a  selected Cube and then paste it

   • EDIT. Configure access permissions and locking conditions on one or multiple Cubes. Select the desired Cubes and click EDIT to apply configurations on all the selected Cubes

   • IMPORT. Import Cubes using a compatible file. The compatible format is .bcv

     Import will only be available when none of the Cubes in the table are selected. This action will overwrite all matching Cube visibility rules, add new ones, and cannot be undone.

   • EXPORT. Select Cubes to Export in a .bcv format

8. Click “CREATE” in the bottom right corner of the screen to save the security profile.

The selection script is applied only at the Data model level.

If you configure security selections and selection scripts on the same security profile. In this case, Board will apply the security selections first, and then it will apply the selection based on the selection scripts, following their order from top to bottom.

To edit a security profile, select the desired security profile that you want to edit and follow the same steps described above (except step 1).

Changes made in the “Data model access” options of a security profile will have an immediate effect on the users associated with it. On the other hand, changes made to the Security filters and Cube visibility sections will be applied only after the Screen is refreshed.

Security profile page options

At the top of the page, you will see the following options:

• Add .Add a security profile

• Edit . Edit the selected Security profile or multiple profiles. If multiple profiles are selected, only the Access mode and Security system will show in the configuration panel and can be edited at the same time

• Copy . Click to copy a selected profile. To copy the configurations of a Database security profile, proceed as follows:

  1. From the Database security profile section of a Data model, select the desired profile and click on the copy icon . A popup window will appear

  2. In the popup window, enable the configurations that you want to copy to the browser clipboard. The configurations are the following:

     1. Security system and Access mode 

     2. Security filters
         

     3. Cube visibility
         

  3. Click the "COPY" button to copy the selected configurations in the browser clipboard

     You can copy the configurations of only one Database security profile at a time.

• Paste . Click to paste profiles copied to the clipboard. To paste the configurations of a Database security profile, proceed as follows:

  1. From the Database security profile section of a Data model, select one or more security profiles whose configurations you want to overwrite

  2. Click the paste icon   to overwrite the configurations of the selected Database security profiles with those in your browser clipboard 

     The paste process will overwrite only the configurations that have been enabled in the "Copy security profile" popup window. For example, when pasting configuration into a target Database security profile, its security selections will not be changed, if they have been disabled in the "Copy security profile" popup window.

  3. Click "SAVE "

• Delete . Click to delete selected profiles

• IMPORT. To import one or more Database security profiles, proceed as follows:

  1. From the Database security profile section of the desired Data model, click on "IMPORT" to open the upload popup window 

  2. Click "BROWSE FILE" or drag and drop the .bsp file that contains the desired Database security profiles, then click the "IMPORT" button.
      

     The import process will add the Database security profiles contained in the .bsp file and overwrite all existing Database security profiles that have the same name as those in the file The maximum file size limit is 1MB.

• EXPORT. To export one or more Database security profiles, proceed as follows:

  1. From the Database security profile section of a Data model, select the desired profiles

  2. Click "EXPORT" to download the security profiles and all their configurations to your local machine. The profiles are saved in a single file with the following name: DataModelName_security_profiles.bsp. 

     The .bsp file contains all the configurations of a Database security profile, including Security selections and Cube visibility configurations.

• EXTRACT TO EXCEL. This option is only available when generating a Security report as described in the next paragraph

• SECURITY REPORT. Click here to generate a table view of all users and their security filters on data. See the Security Report section below for more details.
   

Security Report

This feature generates a table view with all users and their security filters on data. This allows you to easily audit users and their security selection (filters) on the Data model. The table is sortable and searchable using the interactive header fields.

The Security Report table contains the following information:

• User. The name of each Board user in the current Platform

• Role. The User profile/Role associated with each Board user in the current Board platform

• Application profile. The application profile (made in the Features page) associated with each Board user in the current Board platform

• Folder profile. The security folder profile associated with each Board user in the current Board platform

• Data model profile.The Data model security profile associated with each Board user in the current Board platform

• Database. The Data model you are currently working on in the current Board platform

• Script. The Custom selection scripts saved in the corresponding Database profile

• Entity. The Entities on which a security selection has been configured in the corresponding Database profile

• Member code. The code of the Members in a security selection configured in the corresponding Database profile

• Member description. The description of the Members in a security selection configured  in the corresponding Database profile

In the case of a security selection, the row of the same user is repeated as many times as the number of Members selected in the security selection. The difference between the rows is the Entity name, Member code, and Member description, as shown in the image below:
 
Click on the “EXTRACT TO EXCEL” button in the upper right corner to export the report in Excel format.