Google
 

Tuesday, August 26, 2008

Tips from Train the Trainer Sessions – Day 3 (cont’d)

Security Nuggets

Security is “different” in PerformancePoint Planning than in SQL or NTFS. 

  • Models have a global On/Off setting for access by role.  Turn this on first.
  • Roles are not cumulative.  If one role has NO ACCESS, then the user has NO ACCESS.
  • There is an operational report that describes security information for a model.
  • Use Mirror Migration to take SQL Backups and Restorations to move from Staging to Production.

Mirror Migration

  1. Synch to Staging (backup data) for models and dimensions.
  2. Backup the Staging Database to another database location.
  3. Perform Mirror Migration.
  4. Restore Staging database data.
  5. Synch Staging to Production.
  • Customizing Member Permissions means that you will need to add users to new dimension members when members are added.  This is because it converts from 'All members' to a specific set of members.
  • If you define custom security for lots of different dimensions, performance is impacted.  Ensure you use only the minimum set of dimension security.  Locking scenario is not necessary as users can only input the scenarios specified in the assignment.  As soon as you switch from 'All Members' to custom this will impact performance.
  • Use SSL for PPS Service.  IPSEC.  Use a hardware SSL accelerator.  Ensure your data is protected.
  • For accounts with just read access - created a 2-layer, input at the leaf, in the report only show the parent.  Add dummy records so that leafs are not shown in reports.  Duplicate the leaf members but do not show.  Populate data at the leaf.   This way you can enforce security by not allowing access to leaf level data in reports without getting the security impact.
  • Coming in V2? - Give assignment to certain roles instead of users - propogate properly through the emails & user name tree.  Generate assignments by group rather than users.  Multiple roles in 1 assignment.
  • Assignments are on a per-user level.   One assignment per user.  That means 300 assignments will need to be created for 300 users.
  • Bug - Save button doesn't grey out after Save, or pencil checkin doesn't disappear when saving roles.  Roles are not ‘checked in’ so pencil is invalid anyway.  Save immediately saves role information to cube.
  • When status has Calling Dispatch Manager - Refresh model.
  • When creating roles, save after each role and refresh modeler.
  • When creating cycles, save after each cycle and refresh modeler.
  • When creating assignments, save after each assignment and refresh modeler.
  • Regular Refresh of model = happy modeler.
  • Process Management and Security sections do not have check out functionality.  Make sure only 1 person is working in these sections at a time.
  • Assignment Schedules - Create recurring assignments, use the powerful functionality of days after cycle start date and assignment start date to schedule different groups of assignments.  
  • Cycles = Same Scenario, Time period, Model.
  • Assignments = Can have multiple assignments in same cycle.  Not usually a good idea.
  • Reviewer/Approver can enter/modify data.  Assignments can be rescheduled.  Assignments can be set to a 3-hour window, and then rejected.
  • Best Practice - Make the cycle a bit longer than the assignment - Grace period.
  • Assignment Importance - It changes importance on email notifications, however there are problems with the built-in email notifications.  It is recommended to turn off notifications and use manual email notifications for assignments.
  • Changing security is affected immediately.  No assignment changes or deployment changes are necessary.
  • Create domain users to test with roles.
  • Use multiple modeler accounts.   Remove them from modeler role.  Add them to test role to test input permissions.
  • Create a fake placeholder member in each account, eg. “Please select a geography…” - leaf level member of dimension - Read access to that member, set all access to this member.   Set to this member by default for filters.   Create Please Select... dummy record in each member.  This will improve performance of the matrix in Excel Add-in as it will not refresh data until all dimensions are selected.  
  • All users have to have read access to all Account members.  You have to design report without salary line or use separate models when dealing with separate information like salary.  You can also create an alternate member set without Salary, and then Create a member set with Salary.
  • Create a form with a Member View.  Filter Salary when Member View.  Leaf-level property has to be same name as account.  For ones that you don't want to write, make leaf-level property different name then account.
  • Use fake data for IFRS - SOX requirements - when dealing with Salary information.  Modeler should not have access to data.
  • Create a property on Account dimension - Restricted.  Assign restricted accounts.  In Report Properties for Filters, Setup Filter to only show unrestricted accounts in the filter.  Set True Hide & True Lock on filter.  

Debugging Rules

  • Try allow drillthrough.  Great tool for debugging rules.  Right click and see fact records in table.  Great for troubleshooting rule results.
  • Use the Debug command on a rule to see what SQL or MDX will be generated.\

Forms Design

  • Turn off merge/center.  Turn on auto-indent row members. Auto-indent members will only do left column.  Totals for group can be at top or bottom. 

 

Planning - TechNet Forums

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)