Unexpected behavior when setting up database security

Hi,

We are trying out a new database security setup at a client.

For now, we are adding security on one hierarchy, cost center lv0-3. Our security cube has the Lv0 entity, and has user.

In the custom selection script, we have Select User = @User. This ensures that the system always only looks at the security set for that one user.

We activate security with both "Select entity based on Cube" and in Cube visibility: "Grant cell access where "SECURITY CUBE" <>0". We expect the result to be no cost centers and no cells visible for those people who have access to nothing, a few visible for those who have access to a few, and all visible to those who have access to all. When users have access, they should be able to see both the entity member, and the data in the cells for that member.

Instead, we get an error message displaying "The requested database is currently being modified by another user. Please try again later." on all data views. Doesn't matter if the user has access to it or not, unless the user has admin rights, they see this error message everywhere. Furthermore, all the labels are "broken", and instead of displaying the selected cost centers, they display "@Cost center". When trying to click a selector for the cost center, we get a yellow popup notifiaction saying "The requested database is currently being modified by another user. Please try again later."

We have tried replacing the security cube with another cube, that only has User and nothing else, in case the cost center entity was messing this up. Got the same results.

The issue is with the cube visibility, because when we removed that, and only kept "select entity based on cube", it worked as expected. But as soon as we tried restricting accesses to the cells, we got these issues with selectors and unexpected error messages.

Is this expected behavior in any case?

Thanks,

Krisztina

Tagged:

Answers

  • Hi Krisztina,

    Can you try using the deny cell editing condition when the security cube=0 then deny the access?

    Also, are there any selections on the screens or the layouts or cube cell locked by condition?

    Also, If a Cube is affected by a Cube visibility rule, you cannot enable the "Cube cell locked by" option on it in the Layout editor: if you do, the Layout execution will fail.: Board Manual

    https://www.boardmanual.com/2023/summer/release-notes/board-2022-summer-release-release-notes/release-notes/main-features/cube-visibility.htm?rhsearch=cube%20visibility&rhhlterm=cube%20cubes%20visibility

    Thanks,

    Neha

  • Hi,

    Thank you for the ideas, @Neha Hasija !

    I have added our WRITE grant cube into the deny cell editing section, and our READ grant cube is still in the grant cell access section. Sadly, this didn't fix the issue.

    There are no selections in the layouts or cube cell locked by condition in the screen that I am testing this on. There are also no data pickers, reverse rules, nexel layers, pattern based allocation or RDB cubes in any of these screens that I am testing on.

    However, screen selections seem to play a part in this - but only selections on time. In screens where I have a selection on the month or the fiscal year entity, I get the error message "The requested database is currently being modified by another user. Please try again later." in the views, and a yellow popup with the same message when I try to open a selector or the selection editor. In screens where I don't have a selection on time, the dataviews tell me "Requested analysis does not contain rows or columns." (much more informative!), and the selectors open up. HOWEVER, the error message still shouldn't be displayed on the view at all, because the Test user does have access to many cost centers.

    Furthermore, the labels are still broken everywhere regardless of any selections in the screen. They are showing "@Cost center", "@Fiscal Year" etc instead of the selected cost center/fiscal year etc. Plus, when I select 1 cost center, the selector Active Counter still stays 820/820, instead of 1/820.

    The cube I use for these dynamic month/fiscal year selections is a matrix cube only containing month, nothing else.

    So, my questions: is it expected that the time entity has an effect on cube visibility, even though the time entity is not in the cubes connected to cube visibility roles? Why can't I see any data in a data view that has cost centers in it, even though I gave accesses to them to the test user? Why don't the labels work for users (but they work for admins) when database security is activated like this?

    Thank you for any insight,

    Krisztina

  • Hi @Neha Hasija ,

    Do you recommend opening a support ticket to get to the bottom of this issue?

    Thanks,

    Krisztina

  • Hi Krisztina,

    Yes, I think opening a support ticket should help, meanwhile looking for workaround.

    Regards,

    Neha

  • A small update: for all intents and purposes, this bug has disappeared with the latest patch.