flex.bi version 4.1.0
Data access roles are available from flex.bi version 4.1.0.
Data access roles can be used to limit access in a flex.bi account:
- which report folders are visible on the Analyze tab;
- which dashboards are visible in the Dashboards tab;
- which data cubes are visible;
- which members are accessible in some dimensions (requires advanced configuration).
The user who creates a flex.bi account is the Owner of the account. The Owner has all rights for this account and can also add additional users to the account. For private accounts, only the specified account users have access to account data.
When you add a new account user, this user must first register for flex.bi with his or her email, and then you need to specify this user’s email in the Add account user input box. If you are both users in some other account, flex.bi will suggest other known users by either their name or email.
When you add new users to the account, you need to specify their role:
- User admin can manage users, import source data, define calculated members and create and update reports.
- Data admin can import source data, define calculated members and create and update any reports.
- Reports admin can define calculated members and create and update any reports.
- User can create and update their own reports and view any reports and dashboard pages.
- Viewer can make new reports but cannot save a report for repeated use. Viewer can view existing reports and dashboard pages.
- Dashboards viewer can only view dashboard pages.
Create a data access role
Open the Account users page and go to the Data access roles tab, where you can manage data access roles. You need the User admin or Owner account user role to manage data access roles.
You can use data access roles to:
- limit access to report folders and dashboards,
- and/or limit access to cubes and cube dimensions (requires advanced configuration).
If you would like to use a data access role only to limit access to report folders and dashboards, specify only the Role name (and leave restricted cubes empty). You will then use this data access role when editing a report folder or a dashboard.
If you would like to use a data access role to restrict access to selected cubes (and optionally also cube dimensions), select one or several cubes from the list. If a user has a data access role with cube restrictions, then only these cubes will be visible to that user.
Please see Define dimension restrictions below for the advanced configuration that restricts access to dimension members.
Assign data access roles to users
If data access roles are defined then you can assign them to account users in the Account users tab.
Admin users with the Owner, User admin, Data admin or Reports admin role will have unrestricted access to all account data and you cannot assign data access roles to them. You can assign data access roles to users with a User, Viewer or Dashboards viewer role.
If several data access roles are assigned to a user, the user can access report folders, dashboards, cubes and dimensions if any of the assigned data access roles (at least one) allows the access.
Define dimension restrictions
This requires advanced configuration. Please contact flex.bi support if you have questions or need help with this.
If you restrict access to selected cubes then you can further restrict access to some dimensions:
- Restrict access only to selected members and their children in a selected hierarchy. Measures will aggregate data only using visible dimension members.
- Remove access to a dimension. A user will not see this cube dimension at all. Measures will aggregate data at the all member level for this dimension. Please note that this will cause errors when a user tries to open a report which uses this dimension.
- Limit the bottom level of a dimension hierarchy to which a user can drill into. A user will only see all upper levels including the selected level.
You can add several dimension restrictions for one data access role. If a dimension restriction is added for the default hierarchy of the dimension then by default additional hierarchies (if defined) of the same dimension will not be visible.
If you assign several data access roles with dimension restrictions to a user, then dimension members will be visible if any data access role allows it. For example:
- If one data access role restricts access to a dimension D1 and a member M1 and second data access role restricts access to the same dimension D1 and a member M2, then a user with these two roles will see both members M1 and M2 in the dimension D1.
- If one data access role restricts access to a dimension D1 and a second data access role restricts access to a different dimension D2, then a user with these two roles will have no restrictions to dimensions D1 and D2 (because D2 is not restricted in the first data access role, and D1 is not restricted in the second).
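The combination rule above, as an added example (not flex.bi code): a short Python model that computes what a user holding several data access roles can see in a dimension, and lists the restrictions that another assigned role widens. The role dictionaries, the cube name and the role names are constructed for illustration; a role that does not list a cube is assumed to contribute nothing for that cube.

```python
# Added example: models the combination rules described on this page.
# The role layout (plain dicts) and all names are constructed, not flex.bi's format.

UNRESTRICTED = "unrestricted"


def visible_members(roles, cube, dimension):
    """Effective visibility of `dimension` in `cube` for a user holding `roles`.

    Returns None if no assigned role allows the cube, UNRESTRICTED if any role
    that allows the cube leaves the dimension unrestricted, otherwise the union
    of the members allowed by each role.
    """
    # Assumption: only roles that list the cube take part in the decision.
    granting = [r for r in roles if cube in r["cubes"]]
    if not granting:
        return None
    members = set()
    for role in granting:
        restriction = role["cubes"][cube].get(dimension)
        if restriction is None:      # this role does not restrict the dimension
            return UNRESTRICTED      # "visible if any data access role allows it"
        members |= set(restriction)
    return members


def widened_restrictions(roles):
    """List (role, cube, dimension, effective) for every dimension restriction
    that no longer limits the user as written once all roles are combined."""
    findings = []
    for role in roles:
        for cube, dims in role["cubes"].items():
            for dim, allowed in dims.items():
                effective = visible_members(roles, cube, dim)
                if effective != set(allowed):
                    findings.append((role["name"], cube, dim, effective))
    return findings


# Constructed roles mirroring the D1/D2 and M1/M2 examples above.
ROLE_A = {"name": "Region A", "cubes": {"Sales": {"D1": {"M1"}}}}
ROLE_B = {"name": "Region B", "cubes": {"Sales": {"D1": {"M2"}}}}
ROLE_C = {"name": "Product line", "cubes": {"Sales": {"D2": {"P1"}}}}

if __name__ == "__main__":
    print(visible_members([ROLE_A, ROLE_B], "Sales", "D1"))
    print(visible_members([ROLE_A, ROLE_C], "Sales", "D1"))
    for finding in widened_restrictions([ROLE_A, ROLE_C]):
        print(finding)
```

Running a check like this over the planned role assignments before applying them shows which users would end up with a dimension fully visible because two roles restrict different dimensions.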
Limit access to report folders and dashboards
In the Analyze tab, select the Edit folder action and select one or several data access roles. Only users who have at least one of these data access roles will be able to access this report folder.
The lock icon in the list of folders identifies which folders have restricted access.
In the Dashboards tab, click on the lock icon in the toolbar and set data access roles for dashboards. In the same way as for report folders, only users who have at least one of these data access roles will be able to access the corresponding dashboards.