DeepSee Implementation Guide
Setting Up Security

DeepSee has a formal mechanism for managing access to functionality and DeepSee items. This mechanism is based on the underlying Caché security framework. This chapter discusses the following topics:

This chapter assumes that you are familiar with Caché security as described in the Caché Security Administration Guide. In particular, it assumes that you understand the relationships between resources, roles, and users.
For information on security for Visual Reporting options, see Using DeepSee Visual Reporting.
Note:
If you install Caché with the Minimal Security option (and if you do not tighten security after that), the user UnknownUser belongs to the %All role and has access to all parts of DeepSee. In this case, ignore this chapter.
Important:
Also note that you use DeepSee from within a web application. By default, a web application can access a subset of InterSystems classes, which does not include the %DeepSee classes. To use DeepSee in your web application, you must explicitly enable access to the %DeepSee classes. For details, see CSP Application Settings in Using Caché Server Pages (CSP); see the subsection “Special Case: DeepSee.”
This access is enabled by default for the /csp/samples and /csp/ensdemo web applications.
Overview of Security
The following table summarizes how elements in DeepSee are secured:
Element | How Secured
DeepSee User Portal | %DeepSee_Portal and %DeepSee_PortalEdit resources
DeepSee Analyzer | %DeepSee_Portal, %DeepSee_Analyzer, and %DeepSee_AnalyzerEdit resources
DeepSee Architect | %DeepSee_Portal, %DeepSee_Architect and %DeepSee_ArchitectEdit resources
Folder Manager and Cube Manager | %DeepSee_Portal and %DeepSee_Admin resources
Query Tool and Settings pages | %DeepSee_Portal, %DeepSee_Admin, and %Development resources
Term List Manager and Quality Measure Manager pages | %DeepSee_Portal and %DeepSee_PortalEdit resources
Listing Group Manager | %DeepSee_ListingGroup, %DeepSee_ListingGroupEdit, and %DeepSee_ListingGroupSQL resources
Cubes, subject areas, listings, listing fields, listing groups, KPIs, folders, and folder items (such as dashboards and pivot tables) | Custom resources (optional)
Quality measures | Accessible only to users of any cubes to which the quality measures are published; no additional security
Term lists | No security options
For details, see “Requirements for Common DeepSee Tasks,” later in this chapter.
Basic Requirements
For a user to use DeepSee, the following must be true, in addition to the other requirements listed in the rest of this chapter:
Requirements for Common DeepSee Tasks
The following table lists the security requirements for common tasks, in addition to the items in the previous section.
Task | Privileges That the User Must Have for This Task*
Viewing the User Portal (apart from the Analyzer or the mini Analyzer) with no ability to create dashboards
  • USE permission for the %DeepSee_Portal resource
Viewing the User Portal (apart from the Analyzer or the mini Analyzer) with the ability to create new dashboards
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_PortalEdit resource
Viewing a dashboard (including exporting to Excel and printing to PDF)
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the resource (if any) associated with the dashboard; see Adding Security for Model Elements
  • USE permission for the resources (if any) associated with the pivot tables used in the dashboard
  • USE permission for the resources (if any) associated with the folders that contain the dashboard and the pivot tables
  • USE permission for the resources (if any) associated with the cubes or subject areas** used in the pivot tables
  • USE permission for the resources (if any) associated with the KPIs used in the dashboard
  • SQL SELECT privilege for all tables used by the queries of the KPIs
Note that the system displays all widgets to which the user has permission. That is, the dashboard is displayed even though the user cannot see all of it.
Read-only access to the Analyzer or Mini Analyzer
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_Analyzer resource
Full access to the Analyzer or Mini Analyzer
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_AnalyzerEdit resource
Viewing a listing
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the resource (if any) associated with the listing
  • SQL SELECT privilege for all tables used by the listing
Modifying an existing pivot table in the Analyzer
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_AnalyzerEdit resource
  • USE and WRITE permissions for the resource (if any) associated with the given pivot table
  • USE permission for the resources (if any) associated with the folders that contain the pivot table
  • USE permission for the resources (if any) associated with the cube** or subject area used in the pivot table
Creating a new dashboard
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_PortalEdit resource
  • USE permission for the resource (if any) associated with the folder that contains the dashboard
Modifying an existing dashboard
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_PortalEdit resource
  • USE and WRITE permissions for the resource (if any) associated with the given dashboard
  • USE permission for the resource (if any) associated with the folder that contains the dashboard
Read-only access to the Architect
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_Architect resource
Creating a new cube or subject area in the Architect
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_ArchitectEdit resource
Modifying an existing cube or subject area in the Architect
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_ArchitectEdit resource
  • USE and WRITE permissions for the resource (if any) associated with the given cube or subject area; see Adding Security for Model Elements
Folder Manager page, Query Tool page, and Settings pages
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_Admin resource or USE permission for the %Development resource
Term List Manager page and Quality Measures page
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_PortalEdit resource
Listing Group Manager (read only access)
  • USE permission for the %DeepSee_ListingGroup resource
Listing Group Manager (edit access, except for custom SQL query options)
  • USE permission for the %DeepSee_ListingGroupEdit resource
Listing Group Manager (edit access, including custom SQL query options)
  • USE permission for the %DeepSee_ListingGroupEdit resource
  • USE permission for the %DeepSee_ListingGroupSQL resource
*Also see the previous section. Note that in your resource definitions, some of the permissions might be public. For example, in a minimal security installation, by default, the USE permission is public for all the DeepSee resources.
**If a cube contains relationships to other cubes, those cubes are secured separately. A user must have USE permission for all of them in order to use the relationships. Similarly, a compound cube consists of multiple cubes, which are secured separately.
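Viewing a dashboard depends on a chain of separately secured items (the dashboard, its folders, pivot tables, cubes, KPIs, and the KPI tables), and permissions can come from any role or from a public grant. The following Python model is an added example, not part of the InterSystems guide or product code; it reports which of those requirements a user fails. Every role, user, custom resource, and table name in it is hypothetical, and the data structures are constructed for illustration.

```python
# Constructed sample data. Only the %DeepSee_* names come from the guide; the
# custom resources, roles, users and table name are hypothetical.
ROLE_GRANTS = {
    "SalesViewer": {"%DeepSee_Portal": "U", "SalesDash": "U", "SalesCube": "U"},
    "SalesEditor": {"%DeepSee_Portal": "U", "%DeepSee_PortalEdit": "U", "SalesDash": "UW",
                    "SalesFolder": "U", "SalesCube": "U", "SalesKPI": "U"},
}
USER_ROLES = {"alice": ["SalesViewer"], "bob": ["SalesEditor"]}
PUBLIC_GRANTS = {}  # resource -> permissions granted to everyone
SQL_SELECT = {"alice": set(), "bob": {"Sales.Orders"}}
# Each entry names the resource attached to that item (None = unsecured item).
DASHBOARD = {
    "resource": "SalesDash", "folders": ["SalesFolder"],
    "pivots": [{"resource": None, "folders": ["SalesFolder"], "cubes": ["SalesCube"]}],
    "kpis": [{"resource": "SalesKPI", "tables": ["Sales.Orders"]}],
}

def effective(user):
    """Union of public grants and the grants of every role the user holds."""
    perms = {res: set(p) for res, p in PUBLIC_GRANTS.items()}
    for role in USER_ROLES.get(user, []):
        for res, p in ROLE_GRANTS.get(role, {}).items():
            perms.setdefault(res, set()).update(p)
    return perms

def view_requirements(dash):
    """Yield (kind, name) pairs needed to view every widget of the dashboard."""
    yield ("USE", "%DeepSee_Portal")
    resources = [dash["resource"], *dash["folders"]]
    for pivot in dash["pivots"]:
        resources += [pivot["resource"], *pivot["folders"], *pivot["cubes"]]
    for kpi in dash["kpis"]:
        resources.append(kpi["resource"])
        for table in kpi["tables"]:
            yield ("SELECT", table)
    for res in dict.fromkeys(r for r in resources if r):  # dedupe, skip unsecured
        yield ("USE", res)

def missing_to_view(user, dash):
    """Return the unmet requirements, sorted; an empty list means a complete view."""
    perms, selectable = effective(user), SQL_SELECT.get(user, set())
    def met(kind, name):
        return name in selectable if kind == "SELECT" else "U" in perms.get(name, ())
    return sorted({f"{kind} {name}" for kind, name in view_requirements(dash)
                   if not met(kind, name)})

if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, missing_to_view(user, DASHBOARD) or "complete view")
```

Because the system displays only the widgets the user has permission for, a non-empty result can mean a partially rendered dashboard rather than a refusal.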
Adding Security for Model Elements
To add security for a cube, subject area, KPI, pivot table, dashboard, listing, or listing field:
  1. Create a resource in the Management Portal. Use the Resources page (select System Administration > Security > Resources).
  2. Create a role in the Management Portal. Use the Roles page (select System Administration > Security > Roles). This role should have USE and WRITE permissions on the resource you just created.
    Or you could create one role with USE and WRITE permissions and another role with only USE permission.
  3. Associate the resource with the DeepSee item as follows:
  4. Assign users to roles as needed.
Specifying the Resource for a Dashboard or Pivot Table
To specify the resource for a dashboard or pivot table, specify the Access Resource field when you save the item. You can do this in any of the following cases:
Specifying the Resource for a Folder
To specify the resource for a folder:
  1. Click the InterSystems Launcher and then click Management Portal.
    Depending on your security, you may be prompted to log in with a Caché username and password.
  2. Switch to the appropriate namespace as follows:
    1. Click Switch.
    2. Click the namespace.
    3. Click OK.
  3. Click the check box next to a folder.
  4. In the left area, click the Details tab.
  5. Type the name of the resource.
  6. Click Save Folder.