Security Reports don't accurately reflect Team and Member Access Profiles

We're converting to v7.0. After setting up security and running the reports we seem to get conflicting information. Since there are a few ways to establish security to accomplish the same objectives, is there a bug in the reports or is it the way I'm setting up the security?
"User Report" seems to be the one with the most issues. Thanks

Shawn,
Can you share detailed information on what the conflict is?
I want to know the issue in detail.
Thank you
James Lim

Similar Messages

  • Poor performance on admin console after adding 1k+ teams and member profile

    We run v7sp3p2 (MS) now but even back on v5.1 see degraded performance in form of response times over 60 seconds when browsing security hierarchy in admin console after adding over 1000 teams and member access profiles.  We need the granularity in access for our many users.  Does anyone know any tricks to prevent the glacial and disappointing response times while maintaining the necessary security?  This behavior reflects poorly on the product's scalability.
    Thanks,
    Erik

    Sorin, I want to make sure I understand your recommendation.
    First, we do have more than 1000 users.  Each location has a unique team to which their users belong, and each of these teams has a member access profile with corresponding read/write access to the dimension member representing their location.  The users at each location only view data for their own location.
    Is your recommendation to use another interface besides the admin console for accomplishing security updates?
    We have a custom package that uses an API to upload data files with mass updates to security assignments and definitions, but hesitate to use this method for mundane changes for add/remove/change just a few users as this method bypasses the domain validation we get on the front end wherein we can only add users to the domain they correctly belong to.
    To dodge the risk of a bad user/domain matchup we'd like to use front end but it appears to not support our scale well.
    Thoughts on a setting or configuration we could manipulate to resolve the poor performance would be great - what levers can we pull?  If this is all the tool can support we just live with it and pay the cost in wasted man hours over the life of the product...

  • Data access in reports after changing Member Access profile

    Hi All
    I made changes in the member access profile of a user (while current system was available for User Planning).
    After making and applying these changes in Access profile, the Current view in the report accessible to user got updated.
    But the problem was in reporting, where the updates did not happen.
    Please suggest the necessary steps so that the user gets an updated report as per the change in the Member access profile.
    Thanks in advance.
    Regards
    Abhishek

    Hi Lokesh
    Thanks for the reply.
    1. Report is based on CV
    2. With another ID assigned to same member access profile, the report is showing complete data.
    I mean with X user id 100 data sets are showing while with Y user id only 95 data sets. Where both X and Y are having same Member Access Profiles.
    Regards
    Abhishek

  • Member Access Profile Setup to Secure multiple Dimensions

    Hey Experts!
    We're running BPC 5.1.502 on Microsoft SQL 2005. 
    Until yesterday, we were only using a single dimension (CATEGORY) to restrict our users' ability to push data into BPC.  We have 4 Categories (ACTUALS, QUOTA, FORECAST, and ACCRUALS).  ACTUALS were completely locked down (Read-Only) and the other three Categories were Read-Write. 
    I was asked if we could change this so that our users could still have full Write Access to the three non-Actuals Categories; but also have the ability to write to a specific ACCOUNT under the ACTUALS Category. 
    Initially, this seemed doable.  I set up the Member Access Profile as follows:
    READ & WRITE  -  CATEGORY  - [ALL]
    READ ONLY      -  CATEGORY  - ACTUALS
    READ ONLY      -  ACCOUNT     - [ALL]
    READ & WRITE  -  ACCOUNT     - BASE_Quota_Monthly
    This setup is not working because now our users can only write to the "Base_Quota_Monthly" account regardless of what Category they're working with.  Now I know I can set up Read&Write access for every single one of our Accounts, but we have hundreds of Accounts and it will be an administrative nightmare.  Is it possible to just limit a Single Account within a single Category, but not within All Categories?
    Any help would be greatly appreciated.
    Thanks!
    Sean

    Hi Sean,
    Combination of dimensions will not help. When you specify READ & WRITE - ACCOUNT - BASE_Quota_Monthly and READ ONLY - ACCOUNT - ALL, the user will have write access to only BASE_Quota_Monthly and not others, irrespective of the categories. So, when we are defining the profile, the dimensions are completely independent of each other.
    If you want the write access to one account for only one user, that can be provided by creating a member profile and assigning it to only that particular user. However, the independence between the dimensions will still exist.
    Hope this helps.

  • Secured dimensions - member access profile

    Hi,
    I have the following question concerning secured dimensions.
    As you all know, you can secure dimensions using "modify applications".
    There you have the options for "secure" or "R/W".
    If you choose to secure a dimension, you have the options read only and deny in the member access profile.
    If you choose to R/W a dimension, you can also give access to write.
    Well if you have for example
    Entity is secured
    Category is R/W
    And you have the following in the member access profile (example for finance application):
    Read only entity [ALL]
    Write only category ACTUAL
    Read only category [ALL]
    --> Now you can write for all entities on actual, and read for all entities for the other categories
    > SO WHAT IS THE USE OF "SECURE"?? AS IN COMBINATION WITH R/W IT DOES NOT HAVE A FUNCTION AT ALL??

    Hi,
    There is some ambiguity on this aspect of BPC; probably that is why they have removed it in the NW version of BPC.
    In the below case R/W access on category enables you to either provide read or write access by the category dimension members. For example you may want your OCT09_Forecast to be blocked for editing by now.
    On the other hand entity dimension is used to determine READ access. This means the members of the entity dimension can be used to determine if the user can view the data for a particular entity member or not.
    In the below case, if you choose the entity "SalesUS" (while defining the member access) then the user will have access to this member "SalesUS" only. And based on R/W access on the category the user will either be able to write to a category or not for "SalesUS".
    In other words the "Entity" dimension is not used to determine if the user can write to a member or not.
    Hope this helps.
    Regards,
    Badrish

  • Grantable to team members in Access Profile

    OD Help just mentions that "Profile can be assigned to team members" (pg.782).
    Pls... where is that I can assign that profile to team members ? When looking into Account > Team Members I know I can assign access like View, Read/Only etc... I cannot see where would I assign a profile to a team member.
    Txs. for any help.
    Antonio

    Txs. Mani.
    I've checked again... and I can add a User to an Account Team... and at that point define its role on the team, the account, contact and opp. access and as you've pointed out... The options are: Edit, Full, Readonly.
    Now, my question is referring to associating an Access Profile as defined in User Management > Access Profiles. This association is what I am not able to see when adding a member to a team. So I still cannot see the use or consequence of the Grantable to team members option when defining the Access Profile.
    Txs. again for any help.

  • Cisco ACS 4.2.1.15 for Windows and Network Access Profiles

    We are attempting to configure ACS 4.2.1.15 on Windows Server 2008 Member Server. Initially I only have the need to authenticate Network Admins for device administration and authenticate Windows AD groups using PEAP authentication. The general problem that I am having is that if I configure a Cisco 1200 Access Point for PEAP and also set up the Access Point for Radius authentication pointed to the ACS server, it always maps to the first Network Access Profile and, rather than trying the second, it will error saying some condition is not met depending on what changes I make. Can someone tell me what criteria are used to determine what NAP is used? According to the manual if all 4 criteria are not met then the Profile will not apply.
    I am using one ACS group that is mapped to an AD group for Wireless Access and a second ACS group mapped to an AD group that includes the Net Admins. This group mapping appears to be working as the user group name seems to be mapped correctly in the logs.  In short I have tried only configuring the Wireless NAP to only Allow EAP authentication using PEAP EAP-MSCHAPv2 and the Netadmins profile to include all protocols. Basically what happens is if I have the Wireless NAP first it works fine for PEAP authentication on Wireless but if I try to administer the access point and provide credentials I get a message in the failed log that the authentication profile is not allowed in this Network Access Profile. Why does this not just go on to the next Network Access Profile?
    I am familiar with version 3.2 but it does not seem to work the same.
    Any help would be appreciated on what I am missing.
    Thanks

    Hi Surenda,
    Thanks for your reply. Nope, there is no WLC yet, but the WLC will be installed shortly.
    Thanks,
    Jean Paul

  • Reports don't print under Win2K and Matrixprinters

    Hi List,
    (sorry for crossposting in Forums-list too!)
    we are running a program designed with Oracle-Dev.
    Now some of our clients change from Win98 to Win2K.
    Now it's no more possible to printout on Matrix(needle-)printers (Epson LQ580, LQ980).
    They are connected through a printserver on the DomainController and printing from e.g. MSWord works without problems.
    The Reportserver comes up with: 'REP-1848 error while start printing'(German translation).
    Printout on Laserprinters work like before. Only Matrixprinters don't work!
    Has anybody had this problem before and know of a solution?
    Thank you very much in advance for every hint,
    Peter

    Hi Puvanenthiran,
    thanks for your answer.
    I run Version 1.6.1 and installed the latest patch today
    (#2322352 1.6.1:Patch Set 15 for Developer 1.6.1 and Developer Server for Windows 95/NT )
    but this doesn't change anything.
    What do you mean by patch 13 as the latest patch?
    Please help!
    Regards,
    Peter

  • TS1368 My iTunes account was hacked and charges were made from some other computer. Now my computer isn't being recognized and I need to enter security answers I never provided answers for and cannot access my account to make a purchase. I need help!

    My iTunes account was hacked and fraudulent charges were made. Now when I try to go into my account from my personal computer, it states that "this is the first time using this computer, please enter answers for security questions". I never answered any security questions and cannot change or edit that because it tells me I'm entering the wrong info. How do I get a live person to help me through this so I can return to making purchases on my own account?

    Does anyone have any suggestions?

  • NIC teaming and direct access in windows 2012 server core

    Hello All,
    I have installed Windows 2012 R2 Server Core and I want to implement DirectAccess with NIC teaming enabled.
    Has anyone tried this kind of setup? Were they successful in it? Moreover, can we configure DirectAccess when we have NIC teaming configured?
    -Ashish

    Hi There - NIC teaming in both core and gui is a standard feature and there is no reason (and I have used it successfully) why you cannot do so. As always make sure you look at TCP Offload as per UAG / TMG Days to ensure best performance and also Network Card Binding Order.
    The link for details is here -
    http://technet.microsoft.com/en-us/library/hh831648.aspx
    Kr
    John Davies

  • How to add "Team leader" field in standard BPC security report

    BPC Expert,
    We are using BPC MS 5.0 version.
    There is a checkbox in the security setup to make someone a "Team Leader" when you add him/her to a team and this checkbox determines who can post data and who cannot.  When we run the user report we see which team the user is in but we do not have visibility to whether or not they are a "Team Leader" which is what business owner needs to see to approve user access.
    I figured out "dbo.userteamassign" is the table which holds the team leader value. Can anyone please tell me all the steps of adding the team leader field in the standard BPC 5.0 security report.
    Thanks,
    Ketan

    Roberto,
    Thanks for the response. I know associated steps to declare business user as a team leader but my original question is "how to add a column in standard BPC security report that says who is team leader or who is not".
    Do you know the Dtx package that is responsible to supply the data to Standard BPC security report? We can enhance standard data package to pull/display extra "Team leader" column in standard security report.
    Appreciate your inputs.
    Thanks,
    Ketan

  • Security report SEC_LIST_MBR is not displaying users list

    Hi,
    When we run security report SEC_LIST_MBR, it is not displaying the list of users; instead it is just displaying the user id who ran the report, and all other columns (Full Name, Teams, Task Profile and Member access) are blank.
    Please suggest what is causing it not to display the list of users.
    In the database we loaded the following page http://ReportServer/reports and ran report SEC_LIST_MBR. It also gave the same result - one row with user id data only.
    Regards,
    Rajesh

    We found the root cause: it was because table "task" does not have records in the APPSERVER Database.
    Once we updated the task table, security report SEC_LIST_MBR is displaying results correctly.
    Regards,
    Rajesh

  • Security - How to use Denied member access

    I am trying to understand how the "denied" setting works in member access profiles.
    I have an entity hierarchy with a parent (TotalCompany) and several children (CompanyA, CompanyB, CompanyC, etc.).  I want my user to be able to access all entities except CompanyA.
    I set up two member access profiles:  Entity_Totals  has read access to the parent entity (TotalCompany) at the top of my entity hierarchy.
    Entity_X_CompanyA  has denied access to CompanyA, a child of TotalCompany.
    I assigned both to my user.  But he can still read data for CompanyA as well as all other entities in the hierarchy.
    Am I setting this up wrong or do I just not understand how "denied" works?
    I am on version 5.1, SP 8.

    Hi,
    The problem is when you have a conflict between profiles. The rule is: the less restrictive profile wins.
    For example:
    Profile A    R&W (Read & Write)    Sales World
    Profile B    Read only             Sales Europe
    Profile A wins, B is ignored.
    So the user can R&W Sales World and all underlying nodes like Sales Europe.
    Another example:
    Profile A    Access Denied         Sales Europe
    Profile B    Read only             Sales World
    Profile B wins (less restrictive), profile A is ignored.
    The user can only read data for node Sales World and all underlying subnodes like Europe and their leaves.
    Another one:
    Profile A    Read only             Sales World
    Profile B    R&W                   Sales Europe
    Profile B wins, Profile A is ignored.
    That means the user can only R&W node Sales Europe and its underlying nodes and leaves.
    So you have to analyze the conflicts between your profiles.
    Remember the rule is: the less restrictive profile wins.
    Hope it helps.
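
The conflict rule from the reply above ("less restrictive profile wins, the other is ignored"), modeled in Python as an added example that is not part of the original posts and is not SAP BPC code. It implements the rule exactly as the reply states it; the hierarchy, the `(profile, access, node)` tuple layout and all function names are assumptions made for illustration. `ignored_denies` lists Denied entries that the rule leaves without effect, which is the situation the question describes.

```python
# Added illustration of the rule as stated in the reply; not product code.
LEVEL = {"DENIED": 0, "READ": 1, "WRITE": 2}

# child -> parent, constructed from the member names used in the thread
PARENT = {
    "TotalCompany": None, "CompanyA": "TotalCompany", "CompanyB": "TotalCompany",
    "SalesWorld": None, "SalesEurope": "SalesWorld", "SalesUS": "SalesWorld",
}

def lineage(member):
    """Return the member followed by all of its ancestors."""
    chain = []
    while member is not None:
        chain.append(member)
        member = PARENT[member]
    return chain

def related(a, b):
    """True when one node is the other, or lies above or below it."""
    return a in lineage(b) or b in lineage(a)

def surviving(grants):
    """Drop each grant that overlaps a less restrictive grant of another profile."""
    return [g for g in grants
            if not any(o[0] != g[0] and related(g[2], o[2])
                       and LEVEL[o[1]] > LEVEL[g[1]] for o in grants)]

def effective(grants, member):
    """Access the user ends up with on `member`, or "NONE" if nothing covers it."""
    levels = [LEVEL[acc] for _, acc, node in surviving(grants)
              if node in lineage(member)]
    if not levels:
        return "NONE"
    return next(name for name, lvl in LEVEL.items() if lvl == max(levels))

def ignored_denies(grants):
    """Denied entries that are overridden and therefore block nothing."""
    kept = surviving(grants)
    return [(p, node) for p, acc, node in grants
            if acc == "DENIED" and (p, acc, node) not in kept]

# Constructed inputs: the setup from the question and the reply's third case.
QUESTION_CASE = [("Entity_Totals", "READ", "TotalCompany"),
                 ("Entity_X_CompanyA", "DENIED", "CompanyA")]
REPLY_CASE_3 = [("A", "READ", "SalesWorld"), ("B", "WRITE", "SalesEurope")]

if __name__ == "__main__":
    print(effective(QUESTION_CASE, "CompanyA"), ignored_denies(QUESTION_CASE))
    print(effective(REPLY_CASE_3, "SalesWorld"), effective(REPLY_CASE_3, "SalesEurope"))
```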

  • I can't change my apple id password because my security answers don't match. It won't give me any other options and just keeps asking for the answers. What do I do?

    I can't change my apple id password because my security answers don't match. It won't give me any other options and just keeps asking for the answers. What do I do?

    Contact the Apple ID Security site from http://support.apple.com/kb/HT5699 or call the AppleCare support number from http://support.apple.com/kb/HE57 and ask to speak with the Account security Team.

  • Security report with native roles and the roles they have access to.

    We need a security report that shows the Native/Custom Roles and the roles that they have access to.
    So, an example would be the role US_Acct, and the report would show what roles that has access to (Post Journals, Consolidate, etc). Can this be done?

    Export the Provision report from Shared Services.
    Upload report to Excel or Access.
    Build Tables to show what tasks each Role has access to.
    Build a report that links the provision report and the xref tables.
    You should also do this with Security Classes.
