Setting Up Security

InterSystems IRIS Business Intelligence has a formal mechanism for managing access to functionality and Business Intelligence items. This mechanism is based on the underlying InterSystems security framework.

This chapter assumes that you are familiar with InterSystems security as described in the Security Administration Guide. In particular, it assumes that you understand the relationships between resources, roles, and users.

Note:

If you install InterSystems IRIS® with the Minimal Security option (and if you do not tighten security after that), the user UnknownUser belongs to the %All role and has access to all parts of Business Intelligence. In this case, ignore this chapter.

Important:

Also note that you use Business Intelligence from within a web application. By default, a web application can access a subset of InterSystems classes, which does not include the %DeepSee classes. To use Business Intelligence in your web application, you must explicitly enable access to Analytics. For details, see Setting Up the Web Applications.

Overview of Security

The following table summarizes how elements in Business Intelligence are secured:

Element | How Secured
Business Intelligence User Portal | %DeepSee_Portal and %DeepSee_PortalEdit resources
Analyzer | %DeepSee_Portal, %DeepSee_Analyzer, and %DeepSee_AnalyzerEdit resources
Architect | %DeepSee_Portal, %DeepSee_Architect and %DeepSee_ArchitectEdit resources
Folder Manager and Cube Manager | %DeepSee_Portal and %DeepSee_Admin resources
MDX Query Tool and Settings pages | %DeepSee_Portal, %DeepSee_Admin, and %Development resources
Term List Manager and Quality Measure Manager pages | %DeepSee_Portal and %DeepSee_PortalEdit resources
Listing Group Manager | %DeepSee_ListingGroup, %DeepSee_ListingGroupEdit, and %DeepSee_ListingGroupSQL resources
Cubes, subject areas, listings, listing fields, listing groups, KPIs, folders, and folder items (such as dashboards and pivot tables) | Custom resources (optional)
Quality measures | Accessible only to users of any cubes to which the quality measures are published; no additional security
Term lists | No security options

For details, see “Security Requirements for Common Business Intelligence Tasks,” later in this chapter.

Basic Requirements

For a user to use Business Intelligence, the following must be true, in addition to the other requirements listed in the rest of this chapter:

  • The user must have access to the database or databases in which Business Intelligence is used.

    By default, when you create a database, InterSystems IRIS does the following:

    • Creates a resource with a name based on the database name (%DB_database_name).

    • Establishes that this resource controls access to the new database.

    • Creates a role with the same name as the resource. This role has read and write privileges on the resource.

      You can specify whether the read and write privileges are public. These privileges are not public by default.

    For example, suppose that you create a database called MyApp for use with Business Intelligence, and you let InterSystems IRIS create the resource and role as described here, and suppose that the read and write privileges are not public. In this case, a Business Intelligence user must belong to the %DB_MyApp role, which has read and write privileges on the %DB_MyApp resource.

  • If the ^DeepSee globals are mapped from another database, the user must also have access to the database that contains these globals.

Security Requirements for Common Business Intelligence Tasks

The following table lists the security requirements for common tasks, in addition to the items in the previous section.

Task Privileges That the User Must Have for This Task*
Viewing the User Portal (apart from the Analyzer or the mini Analyzer) with no ability to create dashboards
  • USE permission for the %DeepSee_Portal resource
Viewing the User Portal (apart from the Analyzer or the mini Analyzer) with the ability to create new dashboards
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_PortalEdit resource
Viewing a dashboard (including exporting to Excel and printing to PDF)
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the resource (if any) associated with the dashboard; see “Adding Security for Model Elements”
  • USE permission for the resources (if any) associated with the pivot tables used in the dashboard
  • USE permission for the resources (if any) associated with the folders that contain the dashboard and the pivot tables
  • USE permission for the resources (if any) associated with the cubes or subject areas** used in the pivot tables
  • USE permission for the resources (if any) associated with the KPIs used in the dashboard
  • SQL SELECT privilege for all tables used by the queries of the KPIs
Note that the system displays all widgets to which the user has permission. That is, the dashboard is displayed even though the user cannot see all of it.
Read-only access to the Analyzer or Mini Analyzer
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_Analyzer resource
Full access to the Analyzer or Mini Analyzer
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_AnalyzerEdit resource
Viewing a listing
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the resource (if any) associated with the listing
  • SQL SELECT privilege for all source tables used by the listing and SELECT privilege for the generated CubeClass.Listing table for that cube. If a custom listing uses the $$$RESTRICT token, SELECT privilege on the CubeClass.Listing table is required.
Modifying an existing pivot table in the Analyzer
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_AnalyzerEdit resource
  • USE and WRITE permissions for the resource (if any) associated with the given pivot table
  • USE permission for the resources (if any) associated with the folders that contain the pivot table
  • USE permission for the resources (if any) associated with the cube** or subject area used in the pivot table
Creating a new dashboard
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_PortalEdit resource
  • USE permission for the resource (if any) associated with the folder that contains the dashboard
Modifying an existing dashboard
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_PortalEdit resource
  • USE and WRITE permissions for the resource (if any) associated with the given dashboard
  • USE permission for the resource (if any) associated with the folder that contains the dashboard
Read-only access to the Architect
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_Architect resource
Creating a new cube or subject area in the Architect
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_ArchitectEdit resource
Modifying an existing cube or subject area in the Architect
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_ArchitectEdit resource
  • USE and WRITE permissions for the resource (if any) associated with the given cube or subject area; see “Adding Security for Model Elements”
Folder Manager page, MDX Query Tool page, Settings pages
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_Admin resource or USE permission for the %Development resource
Term List Manager page, Quality Measures page
  • USE permission for the %DeepSee_Portal resource
  • USE permission for the %DeepSee_PortalEdit resource
Listing Group Manager (read-only access)
  • USE permission for the %DeepSee_ListingGroup resource
Listing Group Manager (edit access, except for custom SQL query options)
  • USE permission for the %DeepSee_ListingGroupEdit resource
Listing Group Manager (edit access, including custom SQL query options)
  • USE permission for the %DeepSee_ListingGroupEdit resource
  • USE permission for the %DeepSee_ListingGroupSQL resource

*Also see the previous section. Note that in your resource definitions, some of the permissions might be public. For example, in a minimal security installation, by default, the USE permission is public for all the Business Intelligence resources.

**If a cube contains relationships to other cubes, those cubes are secured separately. A user must have USE permission for all of them in order to use the relationships. Similarly, a compound cube consists of multiple cubes, which are secured separately.

Adding Security for Model Elements

To add security for a cube, subject area, KPI, pivot table, dashboard, listing, or listing field:

  1. Create a resource in the Management Portal. Use the Resources page (select System Administration > Security > Resources).

  2. Create a role in the Management Portal. Use the Roles page (select System Administration > Security > Roles). This role should have USE and WRITE permissions on the resource you just created.

    Or you could create one role with USE and WRITE permissions and another role with only USE permission.

  3. Associate the resource with the Business Intelligence item as follows:

    • For a dashboard or pivot table, when you save the item, type the name of the applicable resource into the Access Resource field.

      See also “Specifying the Resource for a Dashboard or Pivot Table.”

      To save a dashboard or pivot table, you must also have the USE and WRITE privileges for the appropriate Business Intelligence user interface component, as described in the previous heading.

    • For a cube, subject area, or listing field, use the Architect to specify the resource that secures that item.

    • For a listing defined in a cube definition, use the Architect to specify the resource that secures that item.

    • For a listing group or for a listing defined in a listing group, use the Listing Group Manager to specify the resource that secures that item.

    • For a KPI, edit the class definition in Atelier. Use the name of the applicable resource as the value of the RESOURCE class parameter.

  4. Assign users to roles as needed.
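Steps 1, 2 and 4 of this procedure can also be scripted. The following ObjectScript is an added example, not part of the original documentation or InterSystems sample code; it uses the Security.Resources, Security.Roles and Security.Users classes in the %SYS namespace. The class name Demo.BISecuritySetup, the resource BI_SalesCube, the roles BI_SalesViewer and BI_SalesEditor, the user jsmith and the database role %DB_MyApp (taken from the MyApp example earlier) are assumptions chosen for illustration.

```objectscript
/// Added example with hypothetical names; not InterSystems sample code.
Class Demo.BISecuritySetup Extends %RegisteredObject
{

/// Creates one custom resource and two roles for a cube, then assigns a user.
/// The caller needs sufficient privileges to manage security definitions.
ClassMethod Setup(user As %String = "jsmith") As %Status
{
    set sc = $$$OK
    try {
        // The Security.* classes live in %SYS; NEW restores the namespace on exit.
        new $namespace
        set $namespace = "%SYS"

        // Step 1: custom resource with no public permission (third argument empty),
        // so only roles that name it explicitly can reach the cube.
        if '##class(Security.Resources).Exists("BI_SalesCube") {
            $$$ThrowOnError(##class(Security.Resources).Create("BI_SalesCube", "Secures the Sales cube", ""))
        }

        // Step 2a: viewer role. USE on %DeepSee_Portal plus USE on the cube resource.
        if '##class(Security.Roles).Exists("BI_SalesViewer") {
            set perms = "%DeepSee_Portal:U,BI_SalesCube:U"
            $$$ThrowOnError(##class(Security.Roles).Create("BI_SalesViewer", "Read-only access to the Sales cube", perms))
        }

        // Step 2b: editor role. USE and WRITE on the cube resource, plus the
        // Architect edit resource required to modify an existing cube.
        if '##class(Security.Roles).Exists("BI_SalesEditor") {
            set perms = "%DeepSee_Portal:U,%DeepSee_ArchitectEdit:U,BI_SalesCube:WU"
            $$$ThrowOnError(##class(Security.Roles).Create("BI_SalesEditor", "Edit access to the Sales cube", perms))
        }

        // Step 4: give the user the viewer role and the database role from
        // "Basic Requirements"; editors are assigned BI_SalesEditor the same way.
        $$$ThrowOnError(##class(Security.Users).AddRoles(user, "BI_SalesViewer,%DB_MyApp"))
    } catch ex {
        set sc = ex.AsStatus()
    }
    quit sc
}

}
```

Step 3 remains a manual action: enter BI_SalesCube as the cube's resource in the Architect, or as the value of the RESOURCE class parameter for a KPI.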

Specifying the Resource for a Dashboard or Pivot Table

To specify the resource for a dashboard or pivot table, specify the Access Resource field when you save the item. You can do this in any of the following cases:

  • The item has no owner (specified as the Owner field).

  • You are the owner of the item.

  • You have USE permission on the %DeepSee_Admin resource.

Specifying the Resource for a Folder

To specify the resource for a folder:

  1. Click the InterSystems Launcher and then click Management Portal.

    Depending on your security, you may be prompted to log in with an InterSystems IRIS username and password.

  2. Switch to the appropriate namespace as follows:

    1. Click Switch.

    2. Click the namespace.

    3. Click OK.

  3. Click Analytics > Admin > Folder Manager.

  4. Click the check box next to a folder.

  5. In the left area, click the Details tab.

  6. Type the name of the resource.

  7. Click Save Folder.