Security and roles in PerformancePoint Planning

The security model in PerformancePoint Planning and PerformancePoint Planning Business Modeler is based on roles. There are two types of roles: administrative roles and business user roles. Each role has certain permission levels and enables its members to perform a specific set of tasks.

In addition, each role has a specific scope. For example, a Modeler might have permission that is scoped at the application level, which means that the Modeler can do tasks in every model that belongs to the application. Alternatively, the Modeler might have permission that is scoped at the model site level. In this case, the Modeler can perform tasks only in the specified model site. All administrator roles have application scope or model-site scope. In contrast, many business user roles have permission that is scoped at the member set level.

Each user is assigned to one or more roles, and permission levels for that user are determined by the roles to which the user belongs. PerformancePoint Planning automatically defines four administrative roles. Administrators can define business user roles as needed.

In this article

Administrator roles

Scope for administrator roles

Security tasks for administrator roles

Business user roles

Administrator roles

PerformancePoint Planning includes four predefined administrative roles:

  • Global Administrator

  • Data Administrator

  • User Administrator

  • Modeler

Each role enables its members to perform a specific set of tasks within a specific scope. Typically, administrators perform administrative tasks in PerformancePoint Planning Administration Console, but they can also perform many administrative tasks in Planning Business Modeler.

For more information about administrator roles, see Overview of administrator roles in PerformancePoint Planning.

Scope for administrator roles

The following table provides a quick description of the tasks that each administrator role can perform, and the scope of each role.

| Role | Primary tasks | Scope |
| --- | --- | --- |
| Global Administrator | Create and delete applications and model sites. | System |
| Data Administrator | Create and manage data integration processes and data movement processes. Create business roles. | Application or model site |
| User Administrator | Add users to security roles, and manage user memberships. | Application or model site |
| Modeler | Create and manage models, dimensions, business rules, and workflow processes. Create business roles. | Application or model site |

If the scope of an administrator is at the application level, the administrator has permissions for all model sites in the application. If the scope of an administrator is at the model site level, the administrator has permissions only for the specific model site.


Security tasks for administrator roles

Each type of administrator has certain tasks to perform to implement the Planning Business Modeler security model. The following table provides a summary of these tasks.

| Security task | Type of administrator |
| --- | --- |
| Create a business role | Modeler, Data Administrator |
| Add or remove users from a User Administrator role | Global Administrator |
| Add or remove users from a Data Administrator, Modeler, or business user role | User Administrator |
| Configure member set permissions for a business user role | Modeler, Data Administrator |
| Customize user permissions in a business user role | Modeler, Data Administrator |


Business user roles

Business user roles enable users to interact with specific slices of data that are within a model. These roles form the foundation of the security model in PerformancePoint Planning. For example, one individual in a business user role might be able only to read data for certain department budgets, while another might be authorized to change employee salary information for an entire business unit.

Users who are in a business role cannot configure permissions.

For more information, see Overview of access for business user roles in PerformancePoint Planning.

Configuring permissions for business user roles

Modelers and Data Administrators configure permissions for the type of access each business user has. A business user can have Read, Read and Write, or No access. Modelers and Data Administrators can assign permissions at any of the following levels in an application:

  • Default: The default permission is configured when a business user role is created. PerformancePoint Planning Server automatically assigns this permission level to all users in the associated role. Other permissions for a user may further restrict this access level, and no other permissions can exceed this level. For information about how to configure default permissions, see Configure default permissions for business role in Planning Business Modeler.

  • Member Set: Like the default permission, member set permission is assigned to a business role. The Modeler or Data Administrator selects dimensions and member sets for a role. Then, users who belong to that role automatically inherit the permissions of the role. For information about how to configure member set permissions, see Configure member set permissions for a business role in Planning Business Modeler.

  • Custom: Custom permissions are assigned to individual users. Custom permissions cannot exceed role-based permissions. Instead, they can only be used to create additional restrictions on role-based permissions. For information about how to configure custom permissions, see Customize user permissions in a business role in Planning Business Modeler.
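
The layering described in the list above can be modeled as a "most restrictive wins" calculation. The following is an added example, not code from PerformancePoint Planning or its documentation; the role, user, and member set names are constructed, and the fallback to the default for a member set with no explicit entry is an assumption.

```python
from enum import IntEnum

class Access(IntEnum):          # ordered so min() picks the more restrictive level
    NO_ACCESS = 0
    READ = 1
    READ_WRITE = 2

# Constructed sample role; role, user and member set names are hypothetical.
ROLE = {
    "name": "BudgetContributors",
    "default": Access.READ_WRITE,
    "member_sets": {"Entity/Sales": Access.READ_WRITE,
                    "Entity/HR": Access.READ,
                    "Entity/Exec": Access.NO_ACCESS},
    "custom": {"alice": {"Entity/Sales": Access.READ},
               "bob": {"Entity/HR": Access.READ_WRITE}},  # tries to exceed the role
}

def role_access(role, member_set):
    """Role-based level: the default is the ceiling, the member set may lower it."""
    # Assumption: a member set with no explicit entry falls back to the default.
    configured = role["member_sets"].get(member_set, role["default"])
    return min(role["default"], configured)

def effective_access(role, user, member_set):
    """Custom (per-user) permissions can only restrict the role-based level."""
    level = role_access(role, member_set)
    custom = role["custom"].get(user, {}).get(member_set)
    return level if custom is None else min(level, custom)

def audit(role):
    """List configured levels that exceed the layer above them (no effect in this model)."""
    findings = []
    for ms, level in role["member_sets"].items():
        if level > role["default"]:
            findings.append(("member_set", ms, level.name))
    for user, grants in role["custom"].items():
        for ms, level in grants.items():
            if level > role_access(role, ms):
                findings.append(("custom", user, ms, level.name))
    return findings

if __name__ == "__main__":
    for user, ms in [("alice", "Entity/Sales"), ("bob", "Entity/HR"), ("carol", "Entity/Exec")]:
        print(user, ms, effective_access(ROLE, user, ms).name)
    print(audit(ROLE))
```

The audit function is useful when reviewing a role definition: an entry it reports is a permission someone intended to grant but that the layering prevents from taking effect.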
