Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
  • Manage user restrictions

  • Update users in bulk
    Info

    This page outlines how to manage

    restrictions from the Databases area of the Administration module. You can also manage specific user restrictions from the Users area of the Administration module.

    You can control whether or not users have access to a database, then use restrictions to limit what users can see in the database. For example, you might want all users to be able to access the Sales database but only allow some users to see a subset of the data, such as a specific dimension or customer.

    In the image below, the first two users can access the Sales database but some restrictions have been applied. The third user can access the Sales database and no restrictions have been applied. The fourth user cannot access the database (outlined in red).

    Image Removed
    Tip

    The Bulk Update feature allows you to update multiple settings, permissions and restrictions for one or more users at the same time, which can save you a lot time.

    Access the database restriction settings

    Click the Phocas menu button > access and restrictions for a database, for one or more users, via the database screen. For other methods and more information, see the Overview of access to data page. See also Manage default database restrictions.

    1. Click Administration > Databases, then click the database name (blue link) to open the database settings screen for that database.

    You can then either manage access to the database for individual users or add default restrictions to the database.

    Give or remove access to a database

  • On the database settings screen, click the Users tab.

  • Give access to the database: Select the required default period from the dropdown list.

    Image Removed
  • Remove access to the database: Select the blank option from the dropdown list.

    Image RemovedThe database will appear with a blank box and red outline to indicate there is no access. Image Removed
  • Click Save.

  • Restrict what a user can view in a database

    1. Click the Restrictions button (lock icon) next to the defined period. A grey button indicates no restrictions have been applied yet and a black button indicates Click the Users tab.

    2. Review the current access and restrictions:

      • If a period displays next to a user’s name, it means the user has access to the database. If no period displays (a red outline displays on the period box), it means the user does not have access to that database.

      • If the lock icon (Restrictions button) next to the period is grey, it means no restrictions have been applied to the database. If a black button displays, it means one or more restrictions have been applied.

    3. In the Restriction for… window, configure the restrictions (see examples below as the process is similar) and click Save.

    Add default restrictions 

    Normally, restrictions are applied on a user-by-user basis, so if a user doesn't have a restriction, it implies they have access to all data in a database. Default database restrictions allow that logic to be reversed, so any user without a specific restriction will get the default restriction from the database. Instead of applying a user restriction to limit access, it is used to increase access. This allows a 'secure by default' way of setting up the database.  

    Expand
    titleExample - Create a default restriction on streams

    In the example below, a default restriction has been created to allow access only to the principle stream, which is Sales. All users without a specific restriction will only be able to access the Sales stream. To grant a user access to the Budget stream, you would add a user restriction. 

    Image Removed

    Expand
    titleExample - Create a default restriction on measures

    You could set a default restriction on measures to allow access only to the Value and Quantity measures. This would mean that all users would be prevented from seeing Profit and Margin figures, unless specifically granted that access. For example, you would grant access to the Profit and Cost of Sales measures for managers and directors by adding a user restriction.

    Expand
    titleExample - Create a default restrictions based on user settings

    A further refinement to the regular way of applying database restrictions is to base a dimension restriction on a user's settings, instead of an absolute, fixed value. By replacing a fixed value with one of the two user variables {{user:group}} or {{user:territory}}, the appropriate setting value from the user will be applied when they login. This allows the restriction to be created at a database level, but applied per user. In the screens below, a default restriction has been set on the database using the territory value from the user. In the second screen, the users have multiple territory (or State) codes assigned to them, which are used when they access the database. Note: Semi-colon separated values are used when specifying multiple allowed values. 

    Image Removed

    Significantly for this type of restriction, a mistake or a missing territory or group value value on the user will result in no data being exposed. This mechanism provides a 'secure by default' way of setting up the system.

    Expand
    titleExample - Use sub-databases to restrict data view

    If sub-databases have been created for the site, you will see a Sub-databases option when setting restrictions on a database, as shown below. As the name suggests, these contain only a sub-set of data. Creation of these sub-databases, or so-called 'splits', are an advanced form of user security which needs to be implemented by a Phocas consultant.  

    Image Removed

    Sub-database names

    The Sub-database names will always begin with the master database name that they relate to, followed by an underscore, followed by another other name to make them unique. For example, a master database of Phocas_Sales could have sub-databases called Phocas_Sales_Depot001Phocas_Sales_Depot002, etc. 

    Sub-database impact on sharing 

    Because these sub-databases are available to different groups of users as subsets of the same application database (and in fact appear as the actual application databases), favorites and dashboards can be shared across databases and between users.

    Insert excerptManage user database access and restrictionsManage user database access and restrictionsnopaneltrue

    On this page

    Table of Contents
    maxLevel2
    minLevel2

    Related page

    1. Locate the user you want to update.

    2. Manage the access and restrictions as required:

      • Give access to the database: Select the required period from the dropdown list.

        Image Added
      • Remove access to the database: Select the blank option from the dropdown list.

        Image Added
      • Add or update restrictions: Click the Restrictions button (lock icon) next to the period dropdown list, then configure the restrictions and click Save. See the examples on the Manage default database restrictions page, as the process is similar.

        Image Added
    3. Repeat the above steps 4 and 5 to manage the access and restrictions for other users.

    4. Click Save, then click Close.