Improving security management through easier maintenance of profiles

Etienne CAUSSE

Hi everyone, 

 

As I already discussed with some of our Board France friends (Andrea Masiero especially), I found that Board is missing some key features in terms of security management. Some of them have workarounds through the so-called "Tilde Database" system, but this is not usable for all customers and it was not usable for us.

 

Context

Currently for my 3 main databases I have more than 200 db profiles for each of them, that can be roughly split in 3 categories:

• Group profiles, no restriction except that some can write in the DB, some can only read.
• Business Unit profiles, restricted through a perimeter on the product axis. For these profiles I need to remove access to some cubes that do not have the product dimensions, so I need to go into every profile and specify "no access" for each cube.
• Market profiles, restricted through the organization axis. For these profiles, I also remove access to some cubes with no organization axis, and remove access to a series of "technical" cubes, the rest is read-only.

 

Issues

My issues so far are mainly linked, but not limited to the management of Database Profiles.

• When I add a new cube to the DB, I need to go into each of 200 profiles and set the cube as "no access" or "read only" depending on the case. This is obviously a security risk as it will lead to errors and overlooks.
• When I create a new profile I need to re-select all basic security restrictions
• If a DB profile is modified, there is no way to know which security profile used it, so the security profile might fail if not properly updated.
• If I need to disable a user temporarily, I cannot do it without modifying its profile (assigning a different licence to his/her profile or removing the profile itself). When the user asks for reactivation, I have no idea what the original profile was.
• If my boss asks me who can access what information, I have no way to export authorization data to answer any specific question. I can only rely on security profile names, and I cannot even export the DB profile per user.
• When I modify a DB profile, the DB is reloaded automatically. This can take more than 30 minutes with our current 50Gb database (in memory setup).

 

Improvement ideas

To solve these major security issues, here is a list of suggestions: 

1. Ability to assign access level by "group of cubes" (RW/Read Only/No Access)
2. Ability to do modifications to several security profiles at the same time, for example tick the "deny layout designer" for all profiles;
3. When assigning a DB profile in a security profile, select the profile from a list of existing instead of typing it (currently it allows to pick non existing profiles);
4. Ability to assign an end-of-validity date to a user and / or ability to disable a user account while keeping its current profile.
5. Ability to create a hierarchy of security profiles which would inherit basic settings from each other (e.g. common capsules authorizations).
6. Ability to create a hierarchy or reference database profiles with common restrictions in a basic dimension, common restrictions by group of cubes... For example I create a "Basic BU profile" including a restriction on a list of cubes, then when I create a "BU Coffee Machines" profile I just select the Basic BU profile as a father profile, then add a restriction on the "Coffee Machines" and that's it. Then if I add a new group of cubes I just have to assign its security level in the Basic BU profiles for all BU users.
7. Ability to export all authorization data either to Excel or directly in a separate Board DB. This DB could then be enriched with data from Active directory...
8. Allow the modification of DB profiles without reloading everything in memory and / or allow a "delayed" modification (i.e. I record all changes to the profile, and they are activated at midnight when the DB is reloaded/the service is restarted).

 

References

This has been reported before to the support :

Ticket	Topic	Created
24034	Improvements required on security management	20 February 2017 03:03 PM
22724	Exporting security profiles content	03 January 2017 11:55 AM
23765	Parallel modifications in the Security panel	10 February 2017 09:32 AM

 

Thanks in advance for your feedback, and thanks for all the up votes as I'm sure we are not alone with these issues

Product Management Team

Hi Etienne, thank you for sharing your idea! We appreciate the time and effort you put into crafting your suggestion, and we understand the need of this solution.

Responding in order of the issues shared above:

1. This still persists.
2. We are adding a copy and paste functionality into the security profiles so instead of starting from scratch you can have a starting point set.
3. This still persists.
4. This can be done in the sub-hub.
5. There's no one place you can export everything. In the latest release, we added a new audit log in the sub hub - so can see database profile assigned per instance per user. We are evaluating the option to export a database profile and is under analysis.
6. This has been removed in the latest releases.

Audrey Nobles

Hi, is there any ETA for the functionality in #7? This is a popular request among our clients.

Currently in v12 we have the ability to export a user list with profiles assigned. However, we need to know what authorizations those security profiles are entitled for (ex. list of capsules visible, assigned database profiles). This is needed for both cloud and on premise.

Etienne CAUSSE

Hi Audrey, the security export function (working as of 12.5 I think, I just tested it in Beta 14) seem to answer that requirement. #8 seem also to be solved with B14.