When working in Scenarios in Pigment, data security can be enhanced by restricting access rights on Scenarios to specific Members based on their Roles within the Application. Scenarios data is restricted and the names are only displayed in the Page Selectors on Views and Boards for certain Members with assigned access rights. This allows you to keep the data on specific Scenarios private, and also makes it easier to find and select relevant Scenarios for those Members on a View or Board.
You need to have a Workspace Security Admin account type in order to define access rights on all Scenarios. You also need the Display Application permission on the specific Application in order to manage the access to shared Scenarios on those Applications.
Before you begin
Prerequisite reading
We recommend that you read and understand the following topics - they cover the essential basics for understanding Scenarios before you start adjusting Access Rights:
- Get started with Scenarios in Pigment
- Creating and editing Scenarios in Pigment
- Editing formulas within Scenarios
If you need a refresher on access rights, here are some quick links for you:
- Pigment Access Basics
- About Roles, Permissions, and Access Rights
- Introduction to Access Rights
- About Access Rights Metrics and Rules
Permissions and Access for Working with Scenarios
Before working with Scenarios, it’s important to understand the roles and permissions required for specific tasks and how data access is managed.
- Create Scenarios.
  To activate Scenarios in an Application, a Member with a Workspace Admin account type (or higher) and the Create Scenarios Application permission must create the first Scenario. This is typically done by a Workspace Admin with the Admin Role.
- Interact with Scenarios.
  Now that the initial Scenario is activated, the following Members can interact with Scenarios on the Application:
  - all Members can see Scenarios, and access them on the Settings page
  - all Members in the Application with the Create Scenarios Application permission can create and manage local Scenarios
  - all Members with the Create Shared Scenarios account type permission (Workspace Admin and higher) can create and manage shared Scenarios
- Define access rights for new Scenarios.
  Members need to have both the Security Admin account type (or higher) and the Display Application Role permission for the relevant Application.
  Defining access rights for a Scenario determines the following for Members:
  - Read/write access for Metric data associated with the Scenario.
  - Visibility of the Scenario name in Page Selectors on Boards and Views.
For all Members that have Builder or Standard Member account types, any new Scenarios they interact with will inherit access rights from the source Scenario.
Example of restricted Scenarios
So how would you use restricted Scenarios? Let’s say you want to develop a Scenario for Workforce and Opex planning Applications where the potential to-be-hired is increased by 20%. You want to develop this Scenario independently before sharing it with non-modeling Members, however you still want to share it with other admins. To do this, you’d create a shared Scenario and set access permissions to None for all Roles except for admins across both Applications. By doing this, your Workforce and Opex planning is open to some collaboration, but still remains exclusive until it’s ready to disclose to your entire team!
Considerations for Scenario access rights
Access rights in Scenarios interact with different areas of Pigment, for example importing and entering data. Here are some aspects to consider before you start:
Working with Default Scenarios
Default Scenarios are straightforward: regular access rights will apply to a Default Scenario. You cannot apply Scenario-specific access rights by Role onto a default Scenario.
When you create any new non-Default Scenario, the access rights do not automatically update. The initial access rights for the new Scenario will default to those of the source Scenario, but can be adjusted during creation.
For example:
- If Scenario A has Role B set to "Access = None," duplicating Role B or creating Scenario B from Scenario A will also default to "Access = None" for Role B.
- To grant access to the new Scenario, manual changes are required.
This prevents unintended data access when creating new Scenarios based on a source Scenario.
Activating Scenarios in your Application
When you activate Scenarios for the first time in your Application, all shared Scenarios are visible in the Workspace. However, access rights to pre-existing shared Scenarios will default to None, and you need to update these manually.
For more information, see Creating and editing Scenarios in Pigment.
Inputting data
If you toggle on the Inputs and imports populate data across all Scenarios setting, any restricted access rights on a Scenario for entering data will not apply. This setting will only take the regular access rights applied on the Default Scenario into consideration.
For more information, see Data Input Options for Metrics.
Importing data
If a Member's Role has the No Write access right for a specific Scenario, they cannot import data into that Scenario in the Application. However, if you toggle on the Inputs and imports populate data across all Scenarios setting for a Metric, the access rights for that Block’s Default Scenario will apply.
If the access right on a Scenario is No Write for an admin, the admin will be unable to import data into that Scenario, even if the Apply Access Rights to Admins Importing data setting is toggled on. As a result, the assigned Scenario Access Right will apply.
For more information, see Apply Access Rights to Admins Importing Data.
Handling privacy for Scenario names
First of all, it’s generally a good practice to remove any sensitive information from a Scenario name to ensure data privacy and security.
Scenario names are displayed to Members based on their permissions, not their access rights. While they may be hidden in Page Selectors on Boards and Views for convenience, Scenario names can still be visible on the following screens, even if access is set to None:
| Pigment location where Scenario name is visible | Permission |
|---|---|
| Formula bar and formula groups; Block settings; Errors | Configure Blocks |
| Scenario Management Page in Application Settings | Create Scenarios |
| Application History and Block History | View History |
| Snapshot creation | Builder Account Type |
| Access Rights in Block Settings: View Detailed Access by Member | Can Define Security |
| Block Explorer Dependency Diagram | Open Block Explorer |
| Import configuration | Import data |
| Application Variables | Configure Application |
| Pigment Connector for Excel and Pigment Connector for GSheets | - |
If a Member's Role in the Application is assigned access of None, they cannot view Metric data for the associated Scenario. In Page Selectors on Boards and Views within a Block, Scenarios with None access for a Role are hidden from Members with restricted access.
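The table above can be used as a review check. The following is an added example, not Pigment code or a Pigment API: it takes a constructed export of Role permissions and Scenario access (the data shapes and sample names are assumptions) and lists every Role that has None access on a Scenario but holds a permission that still shows the Scenario name.

```python
# Permission -> screens where a Scenario name stays visible (from the table above).
# Not modelled: snapshot creation (tied to an account type, not a Role permission)
# and the Excel/GSheets connectors (the table lists no permission for them).
NAME_EXPOSING = {
    "Configure Blocks": "Formula bar and formula groups, Block settings, Errors",
    "Create Scenarios": "Scenario Management Page in Application Settings",
    "View History": "Application History and Block History",
    "Can Define Security": "Access Rights in Block Settings",
    "Open Block Explorer": "Block Explorer Dependency Diagram",
    "Import data": "Import configuration",
    "Configure Application": "Application Variables",
}

# Constructed sample data; the shape of this export is an assumption.
ROLE_PERMISSIONS = {
    "Admin": {"Configure Blocks", "Create Scenarios", "View History"},
    "Contributor": {"View History", "Import data"},
    "Viewer": set(),
}
SCENARIO_ACCESS = {
    "Hiring +20%": {"Admin": "Read/Write", "Contributor": "None", "Viewer": "None"},
}


def name_exposures(role_permissions, scenario_access):
    """Return (scenario, role, permission, screens) tuples for every Role whose
    access is None but whose permissions still reveal the Scenario name."""
    findings = []
    for scenario, by_role in sorted(scenario_access.items()):
        for role, access in sorted(by_role.items()):
            if access != "None":
                continue  # Roles with data access see the name anyway
            held = role_permissions.get(role, set())
            for perm in sorted(NAME_EXPOSING.keys() & held):
                findings.append((scenario, role, perm, NAME_EXPOSING[perm]))
    return findings


if __name__ == "__main__":
    for scenario, role, perm, screens in name_exposures(ROLE_PERMISSIONS, SCENARIO_ACCESS):
        print(f"{scenario!r}: Role {role} has access None, "
              f"but {perm} shows the name in: {screens}")
```

A Role that appears in the output either needs the listed permission removed or the Scenario renamed so that the name carries nothing sensitive.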
Read-only Scenarios
You can prevent data input and imports into a Scenario in two ways: by configuring the Scenario as read-only using the Scenario selector, or by assigning read-only (Read/No Write) access rights to the Scenario.
But here’s where these two choices differ:
- When you make a Scenario read-only through the Scenario selector, this applies across all Roles and Metrics in the Application.
- When you apply access rights in a Scenario, this is applied to Application Roles within the Application. For shared Scenarios, access must be defined when the Scenario is created for each Application where it will be used.
- In an Application where you have restrictions through the Scenario selector and through access rights, the strictest restrictions are implemented.
For example, if the access rights in a Scenario are set to None, this is applied at Role level. This means that Members that have no access can’t see the Scenario, and therefore can’t change the Scenario to read-only using the Scenario selector.
If the Scenario is set to read-only through the Scenario selector, but the access rights are Read and Write, the Scenario is still read-only within that Application and in any other Applications where it’s shared.
Scenario access rights and regular access rights
Scenario access rights function similarly to regular access rights in that they control what data you can view (Read) and input (Write) in the Metric's Scenario. However, updates to formulas can still affect the data in the Block. This is controlled by the Configure Blocks permission, not by data access rights.
When you create or update access rights for a Scenario, these access rights will take precedence over regular access rights. Unlike regular access rights, you can’t create additional rules in Scenarios that work in combination; Scenario access is only defined for the Application Member’s Role. Scenario access rights are applied at Scenario level for all Metrics using that Scenario. Regular access rights are only used for the Default Scenario.
Imagine you are using Scenarios in your Application with the following access rights setup:
- Default Scenario. The access rights are set to Read/Write.
- Scenario A. The Scenario access rights are set to Read-only for the Role “Contributor”.
You also have regular access rights for the following:
- Metric1. Access rights are set to NoRead/NoWrite
- Metric2. Access rights are set to Read/Write.
When Scenario A is used in Metric1 and Metric2, the specified access rights in Scenario A override the regular access rights for the Contributor Role:
- Metric1. Access rights are updated to NoRead/NoWrite.
- Metric2. Access rights are updated to Read/NoWrite.
If you choose not to use Scenario A in Metric1 and Metric2, the regular access rights will apply for data on those Blocks:
- Metric1. NoRead/NoWrite
- Metric2. Read/Write
For more information on creating new access rights for your Scenarios, see Set Up Access Rights on Scenarios.