The security model for PerformancePoint Planning controls permissions for business user roles in two ways:
The security model specifies the data the user can access by configuring access to models and to dimension members.
The security model specifies how (or if) the user can interact with that data. That is, users can have permission to view data (READ access level), to view data or submit input (READ or WRITE access level), or have no access to data (NONE access level).
Note: You must specifically configure WRITE access before a user can submit data for an assignment.
Layers of access permission
Administrators set the scope of access permissions for business users in several ways. The baseline setting, or the Default Permissions, is configured at the point that a Modeler or Data Administrator creates the role. Then, the administrator configures permissions for models and for specific dimension members. An administrator can also customize permissions for individual users as needed.
The following list describes the different layers of access permission that can be configured for users in a business role.
Default permissions: Default permissions apply for all member sets in the model site and for all users in the role, unless explicit permissions have been specified. For example, to manage security precisely, a Data Administrator might set the default permissions to None, which denies all access. Then, specific and limited permissions can be granted to individual users on a case-by-case basis. For information about how to change default permissions, see Configure default permissions for business role in Planning Business Modeler.
Role-based access to models: Members of a business role can view data only when a Data Administrator or Modeler grants specific access to the model. After an administrator enables access to the model, users can work with the data according to the Read and Write permissions that are defined in their role. For information about how to grant access to a model, see Enable access to a model for a business role in Planning Business Modeler.
Role-based permissions for specific member sets or members: A Modeler or Data Administrator sets security for dimensions at the member set level. You can explicitly specify Read or Write access to specific member sets or members. Explicit permissions override default permissions. For information about how to specify explicit permissions, see Configure member set permissions for a business role in Planning Business Modeler.
Customized permissions for individual users: By default, all users who belong to a role have exactly the permissions that are defined by the role. However, after a user has been added to a role, his or her permissions can be restricted if the Custom user permissions feature has been enabled for the member set. For information about how to customize user permissions, see Customize user permissions in a business role in Planning Business Modeler.
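The following sketch models how the four layers above combine into one effective access level. It is an added illustration, not PerformancePoint code or its API. The class, function, user, model and member set names are hypothetical. It assumes that the levels are ordered NONE < READ < WRITE and that a custom user permission can only lower what the role grants.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    # Assumption: levels are ordered, so WRITE also allows viewing.
    NONE = 0
    READ = 1
    WRITE = 2


@dataclass
class BusinessRole:
    default: Access = Access.NONE                     # default permissions
    models: set = field(default_factory=set)          # models enabled for the role
    member_sets: dict = field(default_factory=dict)   # explicit member set permissions
    custom_enabled: set = field(default_factory=set)  # member sets with custom user permissions on
    custom: dict = field(default_factory=dict)        # (user, member_set) -> restricted level


def effective_access(role, user, model, member_set):
    """Resolve one user's access to a member set in a model, layer by layer."""
    # Role-based access to models: no grant on the model means no data at all.
    if model not in role.models:
        return Access.NONE
    # Explicit member set permissions override the default permissions.
    level = role.member_sets.get(member_set, role.default)
    # Custom user permissions only restrict, and only where the feature is enabled.
    if member_set in role.custom_enabled:
        custom = role.custom.get((user, member_set))
        if custom is not None:
            level = min(level, custom)
    return Access(level)


def can_submit(role, user, model, member_set):
    """Submitting data for an assignment requires WRITE to be configured."""
    return effective_access(role, user, model, member_set) is Access.WRITE


# Constructed sample role: deny by default, then grant narrowly.
ROLE = BusinessRole(
    default=Access.NONE,
    models={"Budget"},
    member_sets={"Entity.Europe": Access.WRITE, "Account.All": Access.READ},
    custom_enabled={"Entity.Europe"},
    custom={("dana", "Entity.Europe"): Access.READ},
)
```

With a default of NONE, any member set that was never granted explicitly resolves to no access, which is the deny-by-default posture the Default permissions item describes.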