Phocas has a new user documentation site. This site will be retired soon.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

This page outlines how to manage the default restrictions that apply to all users who have access to a database. For other methods and more information on applying database restrictions, see the Overview of access to data page.

Typically, database restrictions are applied on a user-by-user basis, so if a user doesn't have a restriction, it implies they have access to all data items (streams, measures and dimensions) in the database. Default database restrictions allow that logic to be reversed, so any user without a specific restriction will get the default restriction from the database. Instead of applying a user restriction to limit access, it is used to increase access. This allows a secure by default way of setting up a database.  

  1. Click Administration > Databases and click the database name (blue link) to open the database settings screen for that database.

  2. Click the Default Restriction tab.

  3. Configure the restrictions (see examples below).

  4. Click Save, then click Close.

Updating database restrictions for individual or multiple users might remove some external links to dashboards or favorites. You will see a warning about this before you confirm the change. The warning is not related to a specific link but is more of a generic warning to allow you to check whether there are any external links that might be affected before you confirm.

 Example - Create a default restriction on streams

In the example below, a default restriction has been created to allow access only to the main stream, which is Sales. All users without a specific restriction will only be able to access the Sales stream. To grant a user access to the Budget stream, you would add a user restriction. 

 Example - Create a default restriction on measures

You could set a default restriction on measures to allow access only to the Value and Quantity measures. This would mean that all users would be prevented from seeing Profit and Margin figures, unless specifically granted that access. For example, you would grant access to the Profit and Cost of Sales measures for managers and directors by adding a user restriction.

 Example - Create a default restrictions based on user settings

A further refinement to the regular way of applying database restrictions is to base a dimension restriction on a user's settings, instead of an absolute, fixed value. By replacing a fixed value with one of the two user variables {{user:group}} or {{user:territory}}, the appropriate setting value from the user will be applied when they sign in to Phocas. This allows the restriction to be created at a database level, but applied per user. In the screens below, a default restriction has been set on the database using the territory value from the user. In the second screen, the users have multiple territory (or State) codes assigned to them, which are used when they access the database. Note: Semi-colon separated values are used when specifying multiple allowed values. 

Significantly for this type of restriction, a mistake or a missing territory or group value on the user will result in no data being exposed. This mechanism provides a 'secure by default' way of setting up the system.

 Example - Use sub-databases to restrict data view

If sub-databases have been created for the site, you will see a Sub-databases option when setting restrictions on a database, as shown below. As the name suggests, these contain only a subset of data. Creation of these sub-databases, or so-called 'splits', are an advanced form of user security that needs to be implemented by a Phocas consultant.  

Sub-database names

The Sub-database names will always begin with the master database name that they relate to, followed by an underscore, followed by another other name to make them unique. For example, a master database of Phocas_Sales could have sub-databases called Phocas_Sales_Depot001Phocas_Sales_Depot002, etc. 

Sub-database impact on sharing 

Because these sub-databases are available to different groups of users as subsets of the same application database (and in fact appear as the actual application databases), favorites and dashboards can be shared across databases and between users.


  • No labels