The Database Security section

This topic describes the Database Security section of the Data model, its specific properties and the information it provides.

In this section, you can create or manage Data model security profiles and check the Security Report on the desired Data model. You will find details covering the following topics:

 

Board 2023 Summer release introduces a new Enterprise security concept, officially replacing the previous Enterprise security feature (~DBNAME & ~Security). These prebuilt Data models are no longer maintained nor supported by Board. Customers already using ~DBNAME & ~Security can continue to do so, however it is recommended to move to the more recent and embedded functionalities now offered by our latest versions.

 

About Security profiles

A Data model security profile is a set of permissions and authorizations that allows or denies a Board user access to:

  • Data model design features. The ability to change the Data model design (i.e. add or modify Entities, Cubes, Relationships, Data readers etc.)
  • Data. The ability to view or modify data in Cubes. In this case, you can restrict access to all or part of said data

To access the security profiles, access the designer space of the desired Data model and click on the Database security tile. You will be taken to the Database security page, which displays a table that contains all existing security profiles in the Data model. The table is sortable and searchable using the interactive header fields.

 

The table contains the following information for each security profile:

  • Database profile. This column displays the name of each security profile. This is the name that you will use to associate the security profile with a user Role in the Roles section, in the System Administration area of Board. Once you have associated a security profile with a Role, you can associate that Role with a Board user in the User section of the Subscription Hub: only then will the security profile be applied to that user, along with all permissions and authorizations defined in the Role associated with it
  • Select. This column indicates the presence of security selections or a Custom selection script. A check mark is displayed in the case of a security profile with a security selection in place, otherwise nothing is displayed
  • Access Mode. This column displays the access mode of each security profile. The following access modes can be associated with a security profile:
    • Database Administrator. Users associated with security profiles with this type of access mode can fully access and modify the Data model and the data in Cubes
    • Read and Write. Users associated with security profiles with this type of access mode can view and modify values in Cubes, apply Selections, etc., but they cannot access the Data model designer space
    • Read. Users associated with Security profiles with this type of access mode cannot modify values in Cubes (unless they have access to Procedures that update them) and cannot access the Data model designer space.

Note that users associated with security profiles with “Database Administrator” or “Read and Write” access modes cannot view or modify values in Cubes or Entities that are restricted by specific security selections or Cube access filters.

  • Security system: This column displays the access level of each security profile that determines whether a Board user can access the Database security section or not. The available options are the following:
    • Builder. Users associated with security profiles with this type of Security System can access the Database security section and create or modify security profiles
    • Access denied. Users associated with security profiles with this type of Security System cannot access the Database security section of the Data model

 

Database profile options

Create or edit a security profile to bring up the Database profile options panel on the right-hand side of the screen. The panel displays the following options:

  • DATA MODEL. Here you must configure the Db profile name, Security system and Access Mode settings described in the previous paragraph
  • SECURITY FILTERS. Here you can configure and apply security selections to the security profile. These are filters that allow you to restrict access to data in Cubes or Entities, both in the Capsules/Presentations environment and in the Data model designer space. You can do this by applying a selection to the Entity members associated with the desired Cube or feature: users affected by these selection will only have access to values and data within the applied selection.
    For example, if the “France” member of the “Country” Entity is selected, a user associated with the security profile with this security filter applied will only see data and values related to the “France” member.

Here you can also add a Custom selection script that allows you to manually write a selection command script to automatically filter data displayed in Board Platforms based on Entity members defined in the script. An example syntax for this command is as follows:

SELECT EntityName=Member1,Member2,Member3,etc. 
Example: SELECT Country=France,Italy

To define the desired members, you must enter their member code in the script.

Typically the Custom selection script is used to dynamically filter data displayed in Board for each user by using Substitution formulas or Metadata variables. For example, you can configure a “Country” Metadata variable, enter the country of each user in the Subscription Hub, and then use it in the Custom selection script so that users can access data only related to their country. This way, the user’s access to data is dynamically filtered by their country - based on their “Country” Metadata value -, rather than creating multiple security profiles with fixed country selections and associating those profiles with multiple user Roles.

See the next paragraph to learn how to configure security selection and Custom selection scripts in the Database profile options. Read more about Custom selection scripts in detail in the Security filters section.
See Add and manage User metadata to use selection scripts based on custom user metadata defined in the Subscription Hub.

  • CUBE VISIBILITY. Here you can configure the access level on the Cubes of the Data model for the current security profile. This menu lists all Cubes of the Data model, with a drop-down list next to each Cube name where you can define the access level that will be saved in the security profile you are editing. This feature prevents users from writing into Cube cells where they shouldn't. Learn more on how to configure Cube visibility.
    Cube visibility rules can be defined from the Database security section of each Data model. When editing or creating a new security profile, a new table in the “Database profile options” sliding panel allows you to manage/review Cube visibility rules.
    The available access levels are the following:
    • Read/Write. This level grants permission to enter data into the Cube and run update Procedures. Access to the data model design features is not affected by this configuration, as it is based on the user's license
    • Read only. This level grants read-only access to the data stored in the Cube. Users with this profile can view values in reports coming from the Cube or run update Procedures, but they cannot enter data
    • No access. This level completely denies any access to the Cube. Users will not be able to view values coming from it in reports or run update Procedures

To learn how to configure Cube Visibility settings, see the Cube visibility page.
To learn more about the best practices of defining security settings at the Role level and Database level, read this Community best practice post

 

Creating or editing a Security profile

To create a Data model Security profile, proceed as follows:

  1. Click on “+SECURITY PROFILE” in the upper left corner to bring up the Database profile options panel on the right-hand side of the screen
  2. Enter the name of the Security profile in the “Db profile name” field, under the “DATA MODEL” menu. This is the name that will be associated with a user Role in the Roles page under the System Administration area of Board
  3. Choose an option from the “Security System” drop-down list. The two options (“Builder” and “Access denied”) are described at the beginning of this page
  4. Choose an option from the “Access Mode” drop-down list. The three options (“Read”, “Read and Write”, and “Administrator”) are described at the beginning of this page
  5. (Optional) Add security selection. Open the “DATA SELECTION ” menu and click on “ADD SECURITY SELECTION” to open the Select window and configure a security selection by choosing the desired Entity members that you want the security profile to have access to. Only data related to the selected Entity members will be visible to the user associated with this security profile, as described in the security filters section.
  6. (Optional) Add a Custom selection script. Open the “DATA SELECTION ” menu and enter a Custom selection script in the “Custom selection script” field by using the following syntax: SELECT EntityName=Member1,Member2,Member3,etc. (i.e. SELECT Country=France,Italy). Read about the specific syntax for custom selection script for Entities with unbalanced hierarchies. See Add and manage User metadata to use selection scripts based on custom user metadata defined in the Subscription Hub.
  7. (Optional) Configure Cube access levels. Open the “CUBE VISIBILITY” menu and change the access level from the drop-down list next to the name of the desired Cubes. You can change the access level of multiple Cubes at once by selecting the checkboxes to the left of the desired Cube names and then changing the access level in bulk from the “Change selected” drop-down list in the upper right corner of the page
  8. Click “SAVE CHANGES” in the bottom right corner of the screen to save the security profile.

The selection script is applied only at the Data model level.

If you configure security selections and selection scripts on the same security profile. In this case, Board will apply the security selections first, and then it will apply the selection based on the selection scripts, following their order from top to bottom.

 

To edit a security profile, select the desired security profile that you want to edit and follow the same steps described above (except step 1).

Changes made in the “DATA MODEL” options of a security profile will have an immediate effect on the users associated with it. On the other hand, changes made to the security selection and Cube access levels will be applied only after the Screen is refreshed.

 

Security profile page options

At the top of the page, you will see the following options:

  • +SECURITY PROFILE. Here you can add a security profile
  • DELETE. Click to delete selected profiles.
  • COPY. Click to copy selected profiles. To copy the configurations of a Database security profile, proceed as follows:
    1. From the Database security profile section of a Data model, select the desired profile and click on "COPY". A pop-up window will appear
    2.  In the pop-up window, enable the configurations that you want to copy to the browser clipboard. The configurations are the following:
      1. Security system and Access mode
      2. Security filters
      3. Cube visibility
    3.  Click the "COPY" button to copy the selected configurations in the browser clipboard

      You can copy the configurations of only one Database security profile at a time

  • PASTE. Click to paste profiles copied to the clipboard. To paste the configurations of a Database security profile, proceed as follows:
    1. From the Database security profile section of a Data model, select one or more security profiles whose configurations you want to overwrite
    2. Click "PASTE" to overwrite the configurations of the selected Database security profiles with those in your browser clipboard

      The paste process will overwrite only the configurations that have been enabled in the "Copy security profile" pop-up window. For example, when pasting configuration into a target Database security profile, its security selections will not be changed, if they have been disabled in the "Copy security profile" pop-up window.

    3. Click "SAVE CHANGES".
  • IMPORT. To import one or more Database security profiles, proceed as follows:
    1. From the Database security profile section of the desired Data model, click on "IMPORT" to open the upload pop-up window
    2. Click "UPLOAD" or drag and drop the .bsp file that contains the desired Database security profiles, then click the "IMPORT" button.

      The import process will add the Database security profiles contained in the .bsp file and overwrite all existing Database security profiles that have the same name as those in the file
      The maximum file size limit is 1MB.

  • EXPORT. To export one or more Database security profiles, proceed as follows:
    1. From the Database security profile section of a Data model, select the desired profiles
    2. Click "EXPORT" to download the security profiles and all their configurations to your local machine. The profiles are saved in a single file with the following name: DataModelName_security_profiles.bsp.

      The .bsp file contains all the configurations of a Database security profile, including Security selections and Cube visibility configurations.

  • SECURITY REPORT. Click here to generate a table-view of all users and their security filters on data. See the Security Report section below for more details.

Security Report

This feature generates a table-view with all users and their security filters on data. This allows you to easily audit users and their security selection (filters) on the Data model. The table is sortable and searchable using the interactive header fields.

The Security Report table contains the following information:

  • User. The name of each Board user in the current Platform
  • User profile/Role. The User profile/Role associated with each Board user in the current Board platform
  • Database profile. The Data model security profile associated with each Board user in the current Board platform
  • Database. The Data model you are currently working on in the current Board platform
  • Security script. The Custom selection scripts saved in the corresponding Database profile
  • Entity. The Entities on which a security selection has been configured  in the corresponding Database profile
  • Member code. The code of the Members in a security selection configured  in the corresponding Database profile
  • Member description. The description of the Members in a security selection configured  in the corresponding Database profile

 

In the case of a security selection, the row of the same user is repeated as many times as the number of Members selected in the security selection. The difference between the rows is the Entity name, Member code and Member description, as shown in the image below:

Click on the “EXTRACT TO EXCEL” button in the upper left corner to export the report in Excel format.