Improving security management through easier maintenance of profiles

Idea created by ecausse on Jan 31, 2018
    Open for voting
    Score: 16

    Hi everyone, 

     

    As I already discussed with some of our Board France friends (Andrea Masiero especially), I found that Board is missing some key features in terms of security management. Some of them have workarounds through the so-called "Tilde Database" system, but this is not usable for all customers and it was not usable for us.

     

    Context

    Currently, for each of my 3 main databases I have more than 200 DB profiles, which can be roughly split into 3 categories:

    • Group profiles, no restriction except that some can write in the DB, some can only read.
    • Business Unit profiles, restricted through a perimeter on the product axis. For these profiles I need to remove access to some cubes that do not have the product dimensions, so I need to go into every profile and specify "no access" for each cube.
    • Market profiles, restricted through the organization axis. For these profiles, I also remove access to some cubes with no organization axis, and remove access to a series of "technical" cubes, the rest is read-only.

     

    Issues

    My issues so far are mainly linked, but not limited, to the management of Database Profiles.

    • When I add a new cube to the DB, I need to go into each of 200 profiles and set the cube as "no access" or "read only" depending on the case. This is obviously a security risk as it will lead to errors and oversights.
    • When I create a new profile I need to re-select all basic security restrictions.
    • If a DB profile is modified, there is no way to know which security profile used it, so the security profile might fail if not properly updated.
    • If I need to disable a user temporarily, I cannot do it without modifying its profile (assigning a different licence to his/her profile or removing the profile itself). When the user asks for reactivation, I have no idea what the original profile was.
    • If my boss asks me who can access what information, I have no way to export authorization data to answer any specific question. I can only rely on security profile names, and I cannot even export the DB profile per user.
    • When I modify a DB profile, the DB is reloaded automatically. This can take more than 30 minutes with our current 50Gb database (in memory setup).

     

    Improvement ideas

    To solve these major security issues, here is a list of suggestions: 

    1. Ability to assign access level by "group of cubes" (RW/Read Only/No Access)
    2. Ability to do modifications to several security profiles at the same time, for example tick the "deny layout designer" for all profiles;
    3. When assigning a DB profile in a security profile, select the profile from a list of existing ones instead of typing it (currently it allows picking non-existing profiles);
    4. Ability to assign an end-of-validity date to a user and / or ability to disable a user account while keeping its current profile.
    5. Ability to create a hierarchy of security profiles which would inherit basic settings from each other (e.g. common capsules authorizations).
    6. Ability to create a hierarchy or reference database profiles with common restrictions in a basic dimension, common restrictions by group of cubes... For example I create a "Basic BU profile" including a restriction on a list of cubes, then when I create a "BU Coffee Machines" profile I just select the Basic BU profile as a father profile, then add a restriction on the "Coffee Machines" and that's it. Then if I add a new group of cubes I just have to assign its security level in the Basic BU profiles for all BU users.
    7. Ability to export all authorization data either to Excel or directly in a separate Board DB. This DB could then be enriched with data from Active Directory...
    8. Allow the modification of DB profiles without reloading everything in memory and / or allow a "delayed" modification (i.e. I record all changes to the profile, and they are activated at midnight when the DB is reloaded/the service is restarted).

     

    References

    This has been reported to support before:

    | Ticket | Topic                                         | Created                   |
    |--------|-----------------------------------------------|---------------------------|
    | 24034  | Improvements required on security management  | 20 February 2017 03:03 PM |
    | 22724  | Exporting security profiles content           | 03 January 2017 11:55 AM  |
    | 23765  | Parallel modifications in the Security panel  | 10 February 2017 09:32 AM |

    Thanks in advance for your feedback, and thanks for all the up votes, as I'm sure we are not alone with these issues.
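
An added illustration, not part of the original post and not Board's API or data model: a small Python model of suggestions 1, 6 and 7, where profiles inherit access levels per cube group from a parent profile, a cube with no assigned group or level falls back to no access, and effective rights are exported as flat rows. All class, profile, group and cube names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Profile:
    name: str
    parent: Optional["Profile"] = None
    group_access: dict = field(default_factory=dict)  # cube group -> level
    restrictions: dict = field(default_factory=dict)  # dimension -> allowed members

    def chain(self):
        """Yield this profile, then its ancestors; reject inheritance cycles."""
        seen, node = set(), self
        while node is not None:
            if id(node) in seen:
                raise ValueError(f"inheritance cycle at {node.name}")
            seen.add(id(node))
            yield node
            node = node.parent

    def level_for_group(self, group):
        """The nearest profile in the chain that sets the group wins; default deny."""
        for p in self.chain():
            if group in p.group_access:
                return p.group_access[group]
        return "NO_ACCESS"

    def effective_restrictions(self):
        """Merge dimension restrictions root-first; a child replaces a parent's entry."""
        merged = {}
        for p in reversed(list(self.chain())):
            merged.update(p.restrictions)
        return merged

def export_rights(profiles, cube_groups):
    """Flat (profile, cube, level) rows for audit, as suggestion 7 asks for."""
    return [(p.name, cube, p.level_for_group(cube_groups[cube]))
            for p in profiles for cube in sorted(cube_groups)]

# Constructed sample data (hypothetical cubes and groups).
CUBE_GROUPS = {"Sales": "business", "Margin": "business", "FX Rates": "technical",
               "New Cube": None}  # newly added cube, not yet assigned to a group
basic_bu = Profile("Basic BU",
                   group_access={"business": "READ_ONLY", "technical": "NO_ACCESS"})
coffee = Profile("BU Coffee Machines", parent=basic_bu,
                 restrictions={"Product": ["Coffee Machines"]})

if __name__ == "__main__":
    for row in export_rights([basic_bu, coffee], CUBE_GROUPS):
        print(row)
```

In this model, assigning a level to a new cube group once on "Basic BU" changes the effective rights of every child profile, and a cube nobody has classified yet stays inaccessible instead of silently inheriting access.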