As I already discussed with some of our Board France friends (Andrea Masiero especially), I found that Board is missing some key features in terms of security management. Some of them have workarounds through the so-called "Tilde Database" system, but this is not usable for all customers and it was not usable for us.
Currently, for my 3 main databases, I have more than 200 db profiles for each of them, which can be roughly split into 3 categories:
- Group profiles, no restriction except that some can write in the DB, some can only read.
- Business Unit profiles, restricted through a perimeter on the product axis. For these profiles I need to remove access to some cubes that do not have the product dimensions, so I need to go into every profile and specify "no access" for each cube.
- Market profiles, restricted through the organization axis. For these profiles, I also remove access to some cubes with no organization axis, and remove access to a series of "technical" cubes, the rest is read-only.
My issues so far are mainly linked to, but not limited to, the management of Database Profiles.
- When I add a new cube to the DB, I need to go into each of 200 profiles and set the cube as "no access" or "read only" depending on the case. This is obviously a security risk as it will lead to errors and oversights.
- When I create a new profile I need to re-select all basic security restrictions.
- If a DB profile is modified, there is no way to know which security profile used it, so the security profile might fail if not properly updated.
- If I need to disable a user temporarily, I cannot do it without modifying its profile (assigning a different licence to his/her profile or removing the profile itself). When the user asks for reactivation, I have no idea what the original profile was.
- If my boss asks me who can access what information, I have no way to export authorization data to answer any specific question. I can only rely on security profile names, and I cannot even export the DB profile per user.
- When I modify a DB profile, the DB is reloaded automatically. This can take more than 30 minutes with our current 50Gb database (in memory setup).
To solve these major security issues, here is a list of suggestions:
- Ability to assign access level by "group of cubes" (RW/Read Only/No Access)
- Ability to do modifications to several security profiles at the same time, for example tick the "deny layout designer" for all profiles;
- When assigning a DB profile in a security profile, select the profile from a list of existing profiles instead of typing it (currently it allows picking non-existing profiles);
- Ability to assign an end-of-validity date to a user and / or ability to disable a user account while keeping its current profile.
- Ability to create a hierarchy of security profiles which would inherit basic settings from each other (e.g. common capsules authorizations).
- Ability to create a hierarchy or reference database profiles with common restrictions in a basic dimension, common restrictions by group of cubes... For example I create a "Basic BU profile" including a restriction on a list of cubes, then when I create a "BU Coffee Machines" profile I just select the Basic BU profile as a father profile, then add a restriction on the "Coffee Machines" and that's it. Then if I add a new group of cubes I just have to assign its security level in the Basic BU profiles for all BU users.
- Ability to export all authorization data either to Excel or directly in a separate Board DB. This DB could then be enriched with data from Active Directory...
- Allow the modification of DB profiles without reloading everything in memory and / or allow a "delayed" modification (i.e. I record all changes to the profile, and they are activated at midnight when the DB is reloaded/the service is restarted).
This has been reported before to the support:
- Improvements required on security management (20 February 2017 03:03 PM)
- Exporting security profiles content (03 January 2017 11:55 AM)
- Parallel modifications in the Security panel (10 February 2017 09:32 AM)
Thanks in advance for your feedback, and thanks for all the up votes as I'm sure we are not alone with these issues
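
An added illustration, not part of the original post and not Board functionality: a small Python model of the requested design, where access is set per group of cubes, a child profile inherits from a father profile, and the result can be exported per user. The cube names, group names and the user are constructed, and treating an unclassified cube as "no access" is an assumption of this sketch.

```python
import csv
import io

# Constructed sample data. Group names and all cubes are hypothetical; the two
# profile names are the ones used in the post's own example.
CUBE_GROUPS = {            # cube -> group of cubes (None = not yet classified)
    "Sales": "product_cubes",
    "Margin": "product_cubes",
    "Headcount": "no_product_axis",
    "FX Rates": "technical_cubes",
    "New Cube": None,      # just added to the DB, nobody has classified it yet
}
PROFILES = {   # profile -> father profile, access per cube group, dimension selection
    "Basic BU profile": {"parent": None, "selection": {}, "groups": {
        "product_cubes": "READ", "no_product_axis": "NO_ACCESS", "technical_cubes": "NO_ACCESS"}},
    "BU Coffee Machines": {"parent": "Basic BU profile", "groups": {},
                           "selection": {"product": ["Coffee Machines"]}},
}

def resolve(name):
    """Merge a profile with its father profiles; the child's settings win."""
    chain, seen = [], set()
    while name is not None:
        if name in seen:
            raise ValueError(f"cycle in profile hierarchy at {name!r}")
        seen.add(name)
        chain.append(PROFILES[name])   # KeyError: reference to a non-existing profile
        name = PROFILES[name]["parent"]
    groups, selection = {}, {}
    for profile in reversed(chain):    # apply the root first, the leaf last
        groups.update(profile["groups"])
        selection.update(profile["selection"])
    return groups, selection

def cube_access(profile, cube):
    """Effective level for one cube; unclassified cubes fall back to NO_ACCESS (assumption)."""
    groups, _ = resolve(profile)
    return groups.get(CUBE_GROUPS.get(cube), "NO_ACCESS")

def export_matrix(users):
    """Return 'who can access what' as CSV text, one row per user and cube."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["user", "profile", "cube", "access"])
    for user, profile in sorted(users.items()):
        for cube in sorted(CUBE_GROUPS):
            writer.writerow([user, profile, cube, cube_access(profile, cube)])
    return out.getvalue()
```

In this model a new cube stays invisible to every profile until it is placed in a group, and one change to the father profile reaches all child profiles.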