Ensuring that your data remains secure and accessible only to the right people is a critical aspect of managing financial information. This help center article will guide you through the process of restricting access in your hierarchies so that users can only view data related to specific accounts, companies, or departments. To achieve this, we'll walk you through the steps to enable security on the account hierarchy and set permissions at the account level.
This articles contains the following topics:
Overview
In most financial systems, you have different users who require varying levels of access to your financial or operational data. To control this access, you'll need to create user groups, assign users to these groups, enable security on the hierarchy, and set specific hierarchy permissions for each group. The process involves an "Opt-in" approach, meaning that users are granted access based on the groups they are a part of.
Here’s a high-level flow of how this works
-
Decide what data you want to restrict (e.g., Company or Department).
-
Create a user group to act as a container for permission rules.
-
Add users to the group.
-
Apply any content permissions (visual/report access) to the group if needed.
-
Secure the hierarchy in the Admin panel that holds the data you want to restrict.
-
Grant explicit access to that hierarchy (or a level within it) for the group.
-
Reprocess the cube to apply the changes.
-
Impersonate a user to verify the setup is working as expected.
Step-by-Step Instructions
Here's a detailed guide on how to restrict access to data for specific accounts, companies, departments, or any hierarchy that you've designated as secure.
1. Create User Groups
Set up user groups in Catalyst that reflect the data access you want to control. You can create a group for each company, department, or access level.
-
Plan your groups ahead of time—it helps to sketch this out in Excel or on paper. Learn how to create user groups here.
-
You don’t need to apply hierarchy permissions during this step. That comes later.
2. Add Users to Groups
Once your groups are created, assign users accordingly. This controls who will get access to the restricted data. This allows you to test and validate the permissions for this user before applying them to the entire user base.
3. Apply Navigation Permissions (Optional)
If needed, you can also apply content permissions for navigation, administration, dashboards, or reports. This step affects what users can see and access in the Catalyst web interface.
4. Save
Click the Save button to finish saving your new group. It's important to do this first before applying security on the hierarchies you want to restrict access to.Â
5. Secure the Hierarchy
To enable access restrictions, you need to enable security on the hierarchy you want to restrict access to. Most commonly this will be the Company, Department, or Location hierarchy. This step is crucial to define who can access which accounts.Â
- Learn more about what hierarchies are here. For a deep dive on hierarchy management, click here.Â
- To make a hierarchy secure, go to Admin > Hierarchies > Edit, and select Enable Security.
Once security is enabled, only Client Admins will see that hierarchy's data unless explicit group access is added.
6. Grant Hierarchy Access to the Group
Return to your group in Admin > Groups and add permissions for the hierarchy you just secured.
-
You can grant access to specific levels within the hierarchy or the entire hierarchy itself.
-
You can also set permissions to control access to associated metrics.
7. Rebuild the Cube
After changes are made, the cube needs to be refreshed. Either wait for the hourly rebuild or trigger one manually by clicking Refresh Cube in the top-right dropdown menu.
8. Impersonate a User to Verify Access
To check that permissions were applied correctly, impersonate a user in Catalyst:
-
Click your profile icon in the upper-right corner.
-
From the profile menu, select Impersonate. This will bring you to the Manage Users screen.
-
Locate the user you want to impersonate. Click the three-dot menu next to their name and choose Impersonate.
-
You’ll know you’re impersonating a user when their name appears in the top-right profile area.
-
Navigate through the app—check dashboards, reports, and the Planning page to ensure the user has the right level of access.
Note: You cannot make changes while impersonating. If things don’t look correct, try clearing your browser cache by clicking the Catalyst logo in the top left, then reloading the page.
8. Continue Group Setup
As needed, continue adding users to the group or create additional groups to support different permission scenarios.
By following these steps, you can restrict access in Catalyst and your cubes to ensure that users can only see data for specific accounts, companies, customers, or departments. Remember that this process is best done during quieter times to minimize user disruption. If you encounter any issues or have questions about specific configuration settings, consult your system administrator or support team for assistance.
Comments
0 comments
Article is closed for comments.