Security
The Data Hub security model consists of the following:
Users and groups - Users represent single users in your environment. Groups contain multiple single users that have something in common.
Roles - Bundle a set of related permissions.
Permissions - Permissions allow specific actions. Some example permissions are: Import/Export and Manage Background Tasks.
Users and groups are assigned Roles, and Roles have a set of related permissions.
Users and groups
Users and Groups shows invited (cloud) and added (on-premises) users, as well as who has an active profile. Users only become active once they have logged in once. Only once their profile is active do they count towards the license allocation.
In cloud-based instances, the role is allocated when you invite the user.
For on-premises installations, verify that you have selected the appropriate organization from the Organizations drop-down list. Once the appropriate users and groups are visible in Data Hub, they can be assigned roles within policies to determine their level of access to resources within the organization.
Users and groups in Data Hub are accessed from an authentication provider. The Windows authentication provider is often used to work with users and groups from Active Directory, but forms-based and claims-based authentication are also available.
Important
Users and groups cannot be created directly in Data Hub; they are defined in your authentication provider, outside of Data Hub. The authentication provider then makes them available to Data Hub for configuring resource security.
Roles
Roles in Data Hub bundle a number of resource permissions (and other settings) into a single package that can then be assigned to users or groups.
All role permissions are defined in Settings --> Security --> Roles. When a particular role is selected on the left of the screen, its default (or customized) permissions are shown on the right-hand side.
Default roles
Default roles are provided for each organization. They can be changed, as described later in the article under Permissions. The default roles are:
Administrator
An organization-specific administrator. They have all the permissions described for the Full Designer role and, in addition, manage organizational policy.
This role differs from the System Administrator in that it is specific to the selected organization. Users with this role have full control to manage the roles and policies for the selected organization. The Administrator role does not have access to all application and language settings that system administrators can access.
Full Designer
A Full Designer creates and designs resources in every category, including background tasks, data models, events, publication rules, data sources, models, and cube servers. This role is able to license solutions and manage resource security. The only restriction is on managing organization security (granted with the Administrator role).
Report Designer
A Report Designer is able to create and design resources in the package category (dashboard, report pack, webpage, image, and rich text resources), the report category (analysis report, chart, and drill-through), and the elements category (calculated member, function, named set, and shape). They cannot edit events, publication rules, data models, data sources, models, or cube servers. They cannot manage background tasks or security.
Model Designer
A Model Designer can create and edit data models, import and export resource packages, and manage background tasks, but is unable to create non-model resources. Where a data model-only license permission is in force, only this role and the Administrator roles are available.
Analyst
An Analyst performs all tasks that a Consumer can do, but can also create resources in the package category (dashboard, report pack, webpage, image, and rich text resources), the report category (analysis report, chart, and drill-through), and the elements category (calculated member, function, named set, and shape). The resources must be saved in the user's personal folder. Analysts can also export and import resources.
Consumer
The Consumer role is able to view existing resources (read-only access) and perform resource management tasks (copy, paste, rename, save as, and delete) in their personal folder only, but is not able to create or distribute resources.
Custom roles
Most Data Hub installations are configured using just the default roles. However, an organization administrator or system administrator may:
Edit an organization's default roles to change which permissions are assigned to them.
Create new roles and assign permissions to them.
How roles are licensed
Your Data Hub license includes quotas for two License User Types: Consumers and Designers. Users with the Consumer role are counted towards the Consumer License User Type, and users with any other role are counted towards the Designer License User Type. Additional details about user and role licenses are described in License User Role allocations and limits.
Important
Each registered user (a user that logged in at least once) is counted toward the license limits. Manage and delete profiles as users leave your organization to keep your allocated users below the license limits.
Permissions
Note
Only an administrator can view and edit role permissions.
Role permissions are altered in Settings --> Security --> Roles.
Available permissions are subdivided into three groups: Organization, Resource and Folder Permissions. These apply to specific actions performed on resources or to administer the organization. All permissions are organization-wide.
Organization - Perform other "housekeeping" tasks in the application that are not related to resource design.
Distribute - Grants the ability to print, email, download, and share links. Files can be distributed as PDF, CSV, or Excel files.
Distribute Resource as Excel or CSV - When selected in conjunction with the Distribute check box above, it allows for the distribution of CSV and Excel files. If you want to limit distribution to only PDF files, clear (uncheck) this check box.
Note
This check box is not available for Model Designer user types.
Explore - Grants the ability to create drill-through resources, using an existing drill-through from another resource, and drilling up/down.
Import/Export - Grants the ability to import and export resource packages created by other Data Hub users.
Note
This permission is allocated on an organizational basis to the personal folder and the Public folders separately. The permission may also be applied to individual sub-folders within the Public folder by overriding inheritance from the organization. These overrides are assigned directly to users or groups, rather than roles.
License Solution - Grants the ability to create licensed resource packages using the Export button.
Note
Organizations must have License Solution permission on their Data Hub license in order to create licensed resource packages. Resource packages are importable files containing custom resources that can be sold to other Data Hub customers.
Manage Background Tasks - Grants the ability to access the Manage Background Tasks tab, which is used to view and manage tasks such as publication rules and data model process operations.
Manage Data Gateways - Grants the ability to add, edit, and delete Data Gateways for on-premises data source connections.
Organization Security - Grants the ability to alter the organization's policy by updating organization roles and assigning users and groups to roles.
Resource - Permissions to design specific categories of resources. The following resource categories correspond to categories displayed when creating new resources.
Configuration - Grants the ability to design cube servers, model servers, cube configurations, and Analysis Services extensions. Also includes the deploy to cube permission.
Note
To create a model server, you need this permission as well as the Data Model permission.
Data Model - Grants the ability to create a model server.
Note
To create a model server, you need this permission as well as the Configuration permission.
Package - Grants the ability to create and design dashboards, report packs, and rich text resources.
Publish - Grants the ability to create and design event and publication rule resources.
Report - Grants the ability to create and design resources in the report and element categories (analyses, charts, drill-throughs, KPIs, reporting services, scorecards, calculated members, functions, named sets, and slicer resources).
Folder Permission settings - These govern the management of resources in folders (Import/Export, Manage Resources, and Resource Security) and are applied separately to the Public and Personal folders.
Note
These permissions may be applied to individual sub-folders within the Public folder by overriding inheritance from the organization. These overrides are assigned directly to users or groups, rather than roles.
Manage Resources - Grants the ability to save, delete, paste, and rename resources in folders, but not edit them. This permission is allocated on an organizational basis to the personal folders and the Public folder separately.
Resource Security - Grants the ability to modify the security policy for individual resources. This permission is allocated on an organizational basis to the personal folders and the Public folder separately.
Resource and folder security
Resource security refers to controlling user access to individual folders and resources (e.g. analyses, charts, and scorecards).
Resources inherit their security settings from their parent folder, with the ability to override this inheritance and customize security for individual folders and resources. Resource security settings are stored with the resources in the Data Hub metadata database and are managed entirely through the Data Hub user interface.
You can view the security settings currently configured for an individual resource using the Security option on the Resource Explorer right-click or ellipsis menu. Only resources in the Public folder have a policy that may have been edited and can be viewed. Resources in your personal folder are always controlled directly by the organization's policy and are set to be accessible only by you (and administrator users).
Note
Only resources stored under the main Public folder or its subfolders have policies that can be edited and viewed. Resources within a user's personal folder are automatically set to be accessible only by the user and Administrator-type users.
If a policy has been set for the resource, and you want to remove it and revert to using the security settings inherited from its parent, you can do so using the Inherit button.
Re-Inherit the organization policy
You can remove a resource-specific or folder-specific policy, returning control to the policy defined by the item's organization (or parent folder), using the Inherit button.
Important
When a resource or folder inherits its policy settings, any resource-specific or folder-specific settings are permanently lost. They can be manually recreated, but they are not remembered by the resource or folder. (They will not reappear if you again activate the resource-specific or folder-specific settings.)
Verify that you are viewing a resource-specific or folder-specific policy before clicking Inherit.
Note
If this button is dimmed (grayed-out), the policy is already inheriting its security information, and no further action is needed.
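The inheritance and re-inherit rules described above, modelled as an added Python example (not Data Hub code; the folder tree, principals and the nearest-override-wins lookup are assumptions made for illustration):

```python
# Added illustration: a toy model of the inheritance rules described above.
# Folder names, principals and permission sets are constructed; this is not
# Data Hub's storage format or API.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Policy = Dict[str, Set[str]]  # principal (user or group) -> permissions
ORG_POLICY: Policy = {"Analysts": {"Manage Resources"}}  # constructed

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    override: Optional[Policy] = None  # None means "inheriting"

    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"

def effective_policy(node: Node) -> Tuple[str, Policy]:
    """Return (where the policy comes from, the policy) for a folder or resource."""
    cur: Optional[Node] = node
    while cur is not None:
        if cur.override is not None:      # nearest override wins
            return cur.path(), cur.override
        cur = cur.parent                  # otherwise keep inheriting upwards
    return "organization", ORG_POLICY

def re_inherit(node: Node) -> bool:
    """Model of the Inherit button: the override is discarded, not archived."""
    had_override = node.override is not None
    node.override = None
    return had_override                   # False corresponds to the dimmed button

def overridden(nodes: List[Node]) -> List[str]:
    """Audit helper: every item whose policy no longer follows its parent."""
    return [n.path() for n in nodes if n.override is not None]

# Constructed tree: Public/Finance carries an override, and so does one report in it.
public = Node("Public")
finance = Node("Finance", public, {"FinanceTeam": {"Manage Resources", "Resource Security"}})
budget = Node("Budget report", finance, {"alice": {"Manage Resources"}})
sales = Node("Sales chart", public)
TREE = [public, finance, budget, sales]
```

After re_inherit(budget), the report's effective policy comes from Public/Finance rather than the organization, because the parent folder still carries its own override.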
User Profiles
My Profile
My Profile relates to the user who is currently logged into Data Hub. Settings for the current user are found in Settings --> My Profile. A user's personal profile can only be seen by that user and an Administrator.
Hovering over the logged-in user also displays a summary of the information.
The settings in My Profile are relevant to this user only. It shows the user's email address and other settings such as language and locale, and you can also set a working date and home page here.
Working Date allows you to set a date that will act as "Today" in your system when you want to test reports that have sample data in a specific period only.
All profiles
View all Data Hub users, their organization, Data Hub role and the License User Type they are allocated to.
Note
Users with a blank in the Role column are Consumers or system users, e.g. API Users.
View resources that have had their default (inherited) security settings altered. Click the triangle icons.
Delete user profiles.
View current allocations
Note
Only administrators and system administrators can view user allocations.
This tab displays how many users of each type are currently registered in Data Hub. A user isn't registered (added to the list) until they log into Data Hub for the first time.
Role allocation information is displayed in the Profile Statistics area at the top of the tab.
Delete user profiles
Unused or outdated profiles should be deleted. Use this feature to keep the number of registered users beneath the role limits specified by your license agreement.
Note
You can delete as many profiles as you wish, but you must delete them one at a time.
View user type allocations permitted by your license on the Manage License screen.