Setting up access rights and rules in Pigment is essential for data security and efficient workflow management. It requires you to determine which Member can read and write data within your model, while protecting sensitive information and allowing Members to perform their day-to-day tasks. Here we give you a step-by-step guide in setting up access rights and rules.
Before You Begin
Here are some required tasks you need to perform before you start setting up access rights Metrics in Pigment.
Where do I Start?
Before setting up access rights in Pigment, it's essential to define your data security needs. Create a plan that determines which data should be hidden, readable, or writable, and that identifies the users to whom these access rights apply. A well-defined plan significantly simplifies your security and access rights set-up. Security requirements are complex. If you require a security plan as part of your Pigment implementation, coordinate as appropriate with the following people to develop and implement your security functionality:
- your internal Security Administrators on Pigment
- your Professional Services Resources. If you don’t have any Professional Services Resources reach out to your Pigment CSM for further guidance.
Which System am I Working in?
Within Pigment there are different, updated, versions of the access rights feature, so you need to determine which access rights system you’re working in. There are two indicators if you’re working in the Legacy system.
In Pigment go to the Roles, permissions & access section, and check the following:
- Legacy is named as your version type. If you need more information on the Legacy system, see Difference Between Legacy and Current Access Rights.
Unspecifiedis an option available in Read or Write permissions within a Role.
What Permissions do I Need?
You must have the Define Application security Permission. This Permission is specific to each Application.
If you’re using the default Roles set up in Pigment, Admins have this permission applied to them.
In your Application, if you see a Security folder in the Sidebar, or if you’re able to see the Roles, permissions & access tab in your Application Settings, then you have the correct permissions.
What Other Information do I Need to Know?
Ensure that you’ve read and understood the concepts discussed in the introductory topic: Introduction to Access Rights
Create an Access Rights Metric and Rules
There are two methods for creating an access rights Metric:
- Create an Access Rights Metric in Block Explorer
- Create an Access Rights Metric in the Access Rights Configuration Wizard
To complete your access rights Metric set-up, you also need to create access rights rules. These rules define the areas within your model where data access should be applied or ignored.
Create an Access Rights Metric in Block Explorer
For this method, you create a Metric in Block Explorer like any other Metric in Pigment. However, an access rights Metric has specific requirements, as described below.
Need a refresher on creating a Metric? Take a look at Measure What You Need with Metrics.
-
In Block Explorer create your Metric with the following criteria:
- Data type. Access rights
- Dimension.
- Select the User Dimension. This must be present so you have different security settings for different users.
- You also need to select the Dimension to which you’re applying your security. For example, a Dimension called Department, Country, and so on.
When your new access rights Metric opens, all values are displayed as
No Read/ No Write. These are in fact blank values. Even though you see text in these cells, these can be hidden if you select the Hide empty rows and columns option in the Filter panel.
Next, you need to create access rights rules, specifying where in your model data access should be applied or ignored. When you create a Metric in Block Explorer, you need to locate your access rights Metric in your Application Settings.
- In your Application, go to Roles, permissions and access, and open the Data access rights tab.
- Find and hover over your new access rights Metric, and click Apply configuration. The Apply… pane opens. It displays the new access rights Metric, and its prepopulated values
No Read/No Write. - Select the required data access rights for each Member.
- When you’re finished assigning the Member access rights, click + Add a rule to apply the configuration.
- Create rules for your access rights Metric. This is described below in Create Access Rights Rules.
Create an Access Rights Metric in the Access Rights Configuration Wizard
You can also create an access rights Metric using the access rights configuration wizard. It also enables you to create Access Rights rules, specifying where in your model data access should be applied or ignored.
- In your Application, go to Roles, permissions and access.
- Open the Data access rights tab and click + Add access rights.
- Click + Create a new configuration.
Access Rights Configuration Wizard - Select the Dimensions to which you want to assign access rights.
The User roles Dimension is already selected for you. - Click Configure Access. The Step 1/2: Assign access rights pane opens. It displays the new access rights Metric, and its prepopulated values:
No Read/No Write - Select the required data access rights for each Member.
- When you’re finished configuring the Member access rights, click Continue to Step 2.
-
The Step 2/2: Apply this configuration to your model pane opens. This is where you create a rule (or rules) to apply your data access right configuration to specific areas of your model.
- Create rules for your access rights Metric. This is described below in Create Access Rights Rules.
Create Access Rights Rules
After you create access rights Metric from Block Explorer or from the access rights configuration wizard, you need to create a rule (or rules) to apply your data access configuration to specific areas of your model.
- Select
ApplyorIgnore.
This determines if the access rights rule is used to apply the Metrics configuration to data, or if it’s used to remove your access rights configuration from data.
For example, if you select onlyReadaccess for a rule type, theWritevalue is ignored in your Metric, regardless of how the Metric is configured.
-
Select
Read accesses,Write accesses, orRead & Write accesses. -
Define to which Blocks in your Application the rule applies or does not apply:
-
Specific Metrics. Select one or more Metrics that contain the Dimensions used in your access rights Metric.
If you created an access rights Metric that used the User list and the Country list, you could select Specific Metric(s) that contained the Country list.
-
Specific List Properties. Define on which Lists and on which Properties of this List these access rights should apply.
For example, you can specify access rights for the Annual Salary property belonging to the Employee List. - All Metrics using specific Dimension(s). Assign this rule to all present and future Metrics that contain Dimensions used in your access rights Metric.
For example, if your access rights Metric contained a Dimension called Department, then this rules is applied to all Metrics containing the Department Dimension.
- List Items values. This rule filters out values in the List according to the access rights Metric. It allows you to protect data in List based on its Properties.
For example, you can setReadaccess on an Annual Salary property based on a Dimension formatted Country Property. This allows certain Members to view some Salaries depending on the Country Property.
-
-
Enter a name for your new rule.
We recommend that you give your rule a name that describes its purpose. For example: Restrict employee access to salary data.
Applying Rules to Access Rights -
(Optional) Click + Add another access right rule to add more access rights rules.
-
Click Save configuration when you’re finished.