This video is taken from the MITS Discover Admin training course. The full course can be found at learning.mits.com.
Understanding security in MITS Discover will help you trust the system to display only the information users should be allowed to see and not anything they shouldn't.
At the heart of security in MITS Discover is the idea that MITS controls what content a user can access, not what a user can do. If a user can only access certain types of data, then it doesn't matter if they can open reports that contain data they shouldn't see because MITS Discover simply won't show it to them.
The biggest hurdle we see with new administrators is getting past the mindset of enabling or disabling access to specific reports or libraries and instead thinking about the type of information a user should be able to access.
Let's take a look at what that means.
This is a company-wide report of all sales for every sales rep. Since we are logged in as an unrestricted user, we can see not only the total sales for every sales rep, but also the total sales for the whole company. This is fine for an executive, but typically you want Sales Reps to only see their own activity and not the company totals.
In a more traditional model, we would drill down to just a single rep, in this case let's pick William Delgado, save the report and grant William access to it. But that's inefficient because it requires manually making reports for each sales rep and managing that sales rep's permissions to specific reports and libraries.
Now imagine multiplying that by all the reports you want them to see, multiply that again by all the different hypercubes you want them to access, and multiply that once more by other job functions, like warehouse managers and finance people who also need access to reports for their jobs, and suddenly it becomes more than a full-time job just managing permissions.
This is why MITS Discover is designed to help you set the type of data a user can see and let the system manage what specific reports are available to them based on their contents.
Here is a good example. Logged in as an unrestricted user, such as an admin or an executive, we can look at this report that shows the top 5 bill to customers for each sales rep. We can scroll down the report and see who the most profitable customers are for each of our reps. We can also see the profit totals for the company.
Now here is that same report, but this time we are logged in as Sales Rep William Delgado. Not only is the report limited to just William's data, it also hides the company totals from him.
But now that this report is limited to just William's data, he is free to make any changes he wants to the report and MITS Discover will still keep him within the bounds of just his data. That is to say he will only be able to look at customers he has sold to, vendors he has sold from, products he has sold, and so on.
If he wants to remove the clip and show all of his customers he can. If he wants to change the drill down path to look at product group, he can do that too.
But notice if he tries to change the select exploration value for Sales Rep, as if he were looking to see how other sales reps are performing, the system limits him to just his own sales rep ID.
If we switch back to the unrestricted user and do the same select exploration, we have all the sales reps available to us. That's because this user has no restrictions on the SALES cube.
At this point, it is worth mentioning that security can also be used for convenience. You may not care if sales reps can see each other's activities or company totals. However, applying security to limit a sales rep to see just their own data can remove clutter and help them focus on only the numbers they need to see without having to wade through everyone else's data.
So how do we set up this kind of security? It all happens on the Admin tab.
Let's start with a currently unrestricted user.
In MITS Discover, a majority of the security is configured on the Hypercubes section of the Manage Users or Manage Templates tools. In this case, we'll manage a single user who is not part of a template.
Templates are simply a way to assign a set of permissions to many people at once. We'll look at templates in more detail before the end of this video.
Here we have a user who has access to all the cubes, indicated by a checkmark to the left of the cube's name. To the right of the cube's name are the restrictions. There are both Identifier Restrictions and Accumulator Restrictions.
Identifier restrictions limit how a user can enter a drill down path. Think of it a little like rows in a spreadsheet. If a user has an identifier restriction on Sales Rep, then they will only be able to see or create reports that start with Sales Rep or any of the drill down paths below Sales Rep.
Accumulator restrictions limit the user from seeing certain types of columns. For example, I can deny the user from seeing any columns that show Invoice Cost or Invoiced Commission Cost by marking these two boxes. That will prevent those columns from being visible to the user. It will also prevent any other columns calculated off those values from being available. In this example, if we hide the cost, that will also hide the profit columns since cost could be calculated using profit and sales.
Let's add an identifier restriction to this user for the SALES cube. Click Add Restriction and choose the Identifier type. In this example, we'll use location. Perhaps this person is a warehouse manager and we want them to only see activity related to their warehouse.
We'll set the show rows value to Allow, but we could also use this same method to hide specific values if we wanted to give access to all the warehouses except certain ones.
Now we'll add a value. If you know exactly how MITS is using the identifier value, you can enter it here. But usually it is better to use the Find Values link.
This user manages Warehouse 7, so we'll pick that from the list and click OK. If this user were in charge of multiple warehouses, we could add more here. For now we'll stick to just the one warehouse.
With that permission added, click Back and you'll see there is now a single identifier restriction on the SALES cube for this user.
Notice that some cubes do not allow for additional accumulator restrictions. This is because those cubes are "helper" cubes; users don't access them directly. Permissions on those cubes inherit the permissions for the main cube they are designed to assist.
To simplify things, we'll also remove this user's unrestricted access to all of the other cubes, leaving them with just the warehouse restricted access to the SALES cube.
Click Save to apply the permissions you've just added.
Now if we log in as that user, you can see that the only reports available to them are reports that start with Warehouse at the top of the drill down path of the SALES cube. And if we open any of these, we can see the report is limited to only warehouse 7.
Returning to the session where we're logged in as an admin, we could modify this user's restrictions to include additional warehouses. Perhaps he is a regional manager and needs to see the values for multiple warehouses. We'd go to his hypercube restrictions for the SALES cube and modify the warehouses he is allowed to see.
You'll probably notice that you can add multiple restrictions to a user, allowing them to access the cube with different identifiers. This is only used in very specific situations.
When you put a restriction on a user, it means they can only enter the cube based on that one identifier, such as sales rep or warehouse, but it also means they have access to all of the drill down paths under that identifier. If you give a restriction of Sales Rep to a user, they will automatically have access to the drill down path Sales Rep to Bill To Customer. You don't have to grant them access to the Bill to Customer identifier as well.
If you do grant a user restrictions on more than one identifier, you may end up granting much more permission or very limited permission to the data. It depends on whether you use the AND or OR option.
Using the AND option means that the drill down path must have BOTH identifiers before MITS will grant user access to the data. In this example, it would mean the drill down path would have to be SALES REP to BILL TO CUSTOMER before the user could see any data and then it would only be the data for that sales rep and bill to customer. The sales rep would not be able to see data on any of their other customers.
Using the OR option means the drill down path could start with EITHER Sales Rep or Bill To Customer. This would allow the user to see drill down paths starting with BILL TO CUSTOMER, even if it was not a customer they'd ever sold to.
The AND option ends up being too limiting with the data and the OR option usually grants too much access.
If you are missing a drill down path that you need a user (or type of user) to have access to, contact email@example.com and they can help you add it. This is usually the best way to grant additional access to the data for an identifier.
Up until now, we have been looking at permissions for a single user. But you can grant permissions for entire groups of users with the Templates tool.
With templates you can set up permissions and then assign users to the template. The users will then inherit the permissions of the template. This works well for groups of users who share job functions, such as Sales Reps.
To assign permissions to a template, you follow the same steps as assigning them to an individual user. Under the Assign Users section, select all of the users you want to inherit the permissions of this template. Alternately, you can assign a user to a template from the template section of the user management.
However, there is one important difference.
When assigning a restriction to an individual user, you select a specific value for a restriction. William's Sales Rep ID is 1013 so we entered that when we set up the permission. But if we were to put that in the restriction of the template, then every user who was assigned to the template will only see William's data. Instead we need to use a placeholder in the template and then assign a value for that placeholder on each user who is a member of the template.
In MITS Discover, we call that placeholder a User Property. User Properties are created in the User Properties section of the Admin tab. Click New and give the user property a name.
In the template, the user property is used when setting up restrictions on a cube. Create the restriction and set it to use the User Property Value of the individual user. This creates the variable for the template.
Then, in a user, go to the User Properties section and assign the individual user's value for that identifier. Kenneth's Sales Rep ID is 1006, so we'll enter that here.
We'll make sure Kenneth is part of the Sales Rep template.
Now when Kenneth logs in, MITS will replace the User Property with the specific value we assigned to Kenneth in his user settings.
Outside of data security, there are a few other features that can be controlled by security. These work exactly the same on both individual users and in templates.
System permissions grant access to some activities you may or may not want users to be able to do, such as send reports and dashboards as emails from within MITS Discover or export reports and dashboards to Excel or PDF. You can also control some of the more advanced features like allowing a user to use the manual modify option on the dashboard editor.
The Report and Dashboard libraries tools are there to grant or deny read and write access to the libraries. As discussed in previous videos, these exist for the ease of grouping similar reports together. As we have seen with the hypercube restrictions, a user can create any report they want for the data they have access to. If you grant them read access to a library that doesn't contain any reports with data they can access, the report will simply be hidden. So don't get too hung up on individual access to the libraries.
The other side of that is to be careful with what libraries you grant write access to. With write access, a user can overwrite or delete any reports or dashboards they have access to. Generally speaking it is best to grant them just write access to their own library so they can save personal copies of reports.
One last word about templates. It is a natural instinct to make users members of multiple templates, thinking you're granting them additional permissions. However that is not the way MITS Discover works. Instead of giving users who belong to multiple templates additional permission, MITS limits the user to only the permissions that overlap between templates. Usually this ends up being a very small set of permissions.
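The template behaviour described above (a User Property placeholder resolved per user, and overlap when a user belongs to several templates) can be modelled in a few lines. This is an added illustration, not MITS Discover code or its API: the data structures, the property name SalesRepID, the permission names, and the choice to grant nothing when a property is unset are all assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Restriction:
    cube: str
    identifier: str
    value: str                     # literal value, or the name of a User Property
    is_user_property: bool = False

@dataclass(frozen=True)
class Template:
    name: str
    restrictions: tuple
    system_permissions: frozenset

def resolve(template, user_properties):
    """Replace User Property placeholders with this user's own values."""
    grants = set()
    for r in template.restrictions:
        if r.is_user_property:
            if r.value not in user_properties:
                continue           # model assumption: unset property grants no rows
            grants.add((r.cube, r.identifier, user_properties[r.value]))
        else:
            grants.add((r.cube, r.identifier, r.value))
    return grants

def effective(templates, user_properties):
    """Return (data grants, system permissions) shared by ALL templates."""
    if not templates:
        return set(), set()
    data = [resolve(t, user_properties) for t in templates]
    perms = [set(t.system_permissions) for t in templates]
    return set.intersection(*data), set.intersection(*perms)

# Constructed sample templates and users (IDs 1006, 1013 and Warehouse 7 are from the text)
SALES_REP = Template("Sales Rep",
                     (Restriction("SALES", "Sales Rep", "SalesRepID", True),),
                     frozenset({"export_excel", "email_reports"}))
WAREHOUSE = Template("Warehouse Manager",
                     (Restriction("SALES", "Location", "7"),),
                     frozenset({"export_excel"}))
KENNETH = {"SalesRepID": "1006"}
WILLIAM = {"SalesRepID": "1013"}

if __name__ == "__main__":
    print(effective([SALES_REP], KENNETH))             # Kenneth's own rows only
    print(effective([SALES_REP, WAREHOUSE], KENNETH))  # overlap: no data grants left
```

In this model, adding Kenneth to a second template removes his Sales Rep grant instead of adding a warehouse grant, which is the narrowing effect the paragraph warns about.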
If you need a set of permissions that are not covered by the standard templates, or cannot be granted by modifying the templates, you can create new templates and give them the permissions you need.
Security in MITS can be challenging at first, but once you get the hang of it, you'll find it to be a useful tool to empower your users to explore the data in MITS without having to worry about exposing the wrong information.
As with everything else in MITS, if you find you are having trouble or just have questions about how something works, feel free to email firstname.lastname@example.org or visit our public knowledgebase at help.mits.com.
You're now ready to start managing security in MITS Discover.