Setting Up Security
InterSystems IRIS Business Intelligence has a formal mechanism for managing access to functionality and Business Intelligence items. This mechanism is based on the underlying InterSystems security framework.
This chapter assumes that you are familiar with InterSystems security as described in the Authorization Guide. In particular, it assumes that you understand the relationships between resources, roles, and users.
If you install InterSystems IRIS® with the Minimal Security option (and if you do not tighten security after that), the user UnknownUser belongs to the %All role and has access to all parts of Business Intelligence. In this case, ignore this chapter.
Also note that you use Business Intelligence from within a web application. By default, a web application can access a subset of InterSystems classes, which does not include the %DeepSee classes. To use Business Intelligence in your web application, you must explicitly enable access to Analytics. For details, see Setting Up the Web Applications.
Overview of Security
The following table summarizes how elements in Business Intelligence are secured:
|Business Intelligence User Portal||%DeepSee_Portal and %DeepSee_PortalEdit resources|
|Analyzer||%DeepSee_Portal, %DeepSee_Analyzer, and %DeepSee_AnalyzerEdit resources|
|Architect||%DeepSee_Portal, %DeepSee_Architect, and %DeepSee_ArchitectEdit resources|
|Folder Manager and Cube Manager||%DeepSee_Portal and %DeepSee_Admin resources|
|MDX Query Tool and Settings pages||%DeepSee_Portal, %DeepSee_Admin, and %Development resources|
|Term List Manager and Quality Measure Manager pages||%DeepSee_Portal and %DeepSee_PortalEdit resources|
|Listing Group Manager||%DeepSee_ListingGroup, %DeepSee_ListingGroupEdit, and %DeepSee_ListingGroupSQL resources|
|Cubes, subject areas, listings, listing fields, listing groups, KPIs, folders, and folder items (such as dashboards and pivot tables)||Custom resources (optional)|
|Quality measures||Accessible only to users of any cubes to which the quality measures are published; no additional security|
|Term lists||No security options|
For details, see “Security Requirements for Common Business Intelligence Tasks,” later in this chapter.
For a user to use Business Intelligence, the following must be true, in addition to the other requirements listed in the rest of this chapter:
The user must have access to the database or databases in which Business Intelligence is used.
By default, when you create a database, InterSystems IRIS does the following:
Creates a resource with a name based on the database name (%DB_database_name).
Establishes that this resource controls access to the new database.
Creates a role with the same name as the resource. This role has read and write privileges on the resource.
You can specify whether the read and write privileges are public. These privileges are not public by default.
For example, suppose that you create a database called MyApp for use with Business Intelligence, you let InterSystems IRIS create the resource and role as described here, and the read and write privileges are not public. In this case, a Business Intelligence user must belong to the %DB_MyApp role, which has read and write privileges on the %DB_MyApp resource.
If the ^DeepSee globals are mapped from another database, the user must also have access to the database that contains these globals.
Security Requirements for Common Business Intelligence Tasks
The following table lists the security requirements for common tasks, in addition to the items in the previous section.
|Task||Privileges That the User Must Have for This Task*|
|Viewing the User Portal (apart from the Analyzer or the mini Analyzer) with no ability to create dashboards||USE permission for the %DeepSee_Portal resource|
|Viewing the User Portal (apart from the Analyzer or the mini Analyzer) with the ability to create new dashboards||
|Viewing a dashboard (including exporting to Excel and printing to PDF)||
|Read-only access to the Analyzer or Mini Analyzer||
|Full access to the Analyzer or Mini Analyzer||
|Viewing a listing||
|Modifying an existing pivot table in the Analyzer||
|Creating a new dashboard||
|Modifying an existing dashboard||
|Read-only access to the Architect||
|Creating a new cube or subject area in the Architect||
|Modifying an existing cube or subject area in the Architect||
|Listing Group Manager (read only access)||USE permission for the %DeepSee_ListingGroup resource|
|Listing Group Manager (edit access, except for custom SQL query options)||USE permission for the %DeepSee_ListingGroupEdit resource|
|Listing Group Manager (edit access, including custom SQL query options)||
*Also see the previous section. Note that in your resource definitions, some of the permissions might be public. For example, in a minimal security installation, by default, the USE permission is public for all the Business Intelligence resources.
**If a cube contains relationships to other cubes, those cubes are secured separately. A user must have USE permission for all of them in order to use the relationships. Similarly, a compound cube consists of multiple cubes, which are secured separately.
Adding Security for Model Elements
To add security for a cube, subject area, KPI, pivot table, dashboard, listing, or listing field:
Create a resource in the Management Portal. Use the Resources page (select System Administration > Security > Resources).
Create a role in the Management Portal. Use the Roles page (select System Administration > Security > Roles). This role should have USE and WRITE permissions on the resource you just created.
Or you could create one role with USE and WRITE permissions and another role with only USE permission.
Associate the resource with the Business Intelligence item as follows:
For a dashboard or pivot table, when you save the item, type the name of the applicable resource into the Access Resource field.
See also “Specifying the Resource for a Dashboard or Pivot Table.”
To save a dashboard or pivot table, you must also have the USE and WRITE privileges for the appropriate Business Intelligence user interface component, as described in the previous heading.
For a cube, subject area, or listing field, use the Architect to specify the resource that secures that item.
For a listing defined in a cube definition, use the Architect to specify the resource that secures that item.
For a listing group or for a listing defined in a listing group, use the Listing Group Manager to specify the resource that secures that item.
For a KPI, edit the class definition in Atelier. Use the name of the applicable resource as the value of the RESOURCE class parameter.
Assign users to roles as needed.
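The resource, role, and user steps above can also be scripted instead of clicked through in the Management Portal. The following is an added example, not InterSystems' own code: the class name Demo.BISecuritySetup, the resource and role names, and the user jsmith are hypothetical, and it assumes the Security.Resources, Security.Roles, and Security.Users classes in the %SYS namespace.

```objectscript
/// Added example (not InterSystems code). All names are hypothetical.
Class Demo.BISecuritySetup Extends %RegisteredObject
{

/// Creates a non-public resource, an editor role (USE and WRITE), a viewer
/// role (USE only), and adds one user to the viewer role.
ClassMethod Setup(resource As %String = "MyApp_SalesCube", user As %String = "jsmith") As %Status
{
    // The Security.* classes are available only in the %SYS namespace.
    new $namespace
    set $namespace = "%SYS"

    // Step 1: create the resource with no public permission.
    if '##class(Security.Resources).Exists(resource) {
        set sc = ##class(Security.Resources).Create(resource, "Secures a BI item", "")
        if $system.Status.IsError(sc) { return sc }
    }

    // Step 2: one role with USE and WRITE, another with USE only.
    set editRole = resource_"_Edit"
    set viewRole = resource_"_View"
    if '##class(Security.Roles).Exists(editRole) {
        set sc = ##class(Security.Roles).Create(editRole, "Edit "_resource, resource_":WU")
        if $system.Status.IsError(sc) { return sc }
    }
    if '##class(Security.Roles).Exists(viewRole) {
        set sc = ##class(Security.Roles).Create(viewRole, "View "_resource, resource_":U")
        if $system.Status.IsError(sc) { return sc }
    }

    // Step 3 is not scripted here: enter the resource name in the Access Resource
    // field, the Architect, the Listing Group Manager, or the KPI RESOURCE parameter.

    // Step 4: assign the user to the viewer role.
    return ##class(Security.Users).AddRoles(user, viewRole)
}

}
```

The user still needs access to the database (for example, through the %DB_MyApp role) and USE permission for the %DeepSee_Portal resource, as described earlier in this chapter.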
Specifying the Resource for a Dashboard or Pivot Table
To specify the resource for a dashboard or pivot table, specify the Access Resource field when you save the item. You can do this in any of the following cases:
The item has no owner (specified as the Owner field).
You are the owner of the item.
You have USE permission on the %DeepSee_Admin resource.
Specifying the Resource for a Folder
To specify the resource for a folder:
Click the InterSystems Launcher and then click Management Portal.
Depending on your security, you may be prompted to log in with an InterSystems IRIS username and password.
Switch to the appropriate namespace as follows:
Click the namespace.
Click Analytics > Admin > Folder Manager.
Click the check box next to a folder.
In the left area, click the Details tab.
Type the name of the resource.
Click Save Folder.