Scenario-level security controls which users can see specific scenarios in Catalyst—such as forecasts, management plans, or sensitive models. This feature is disabled by default and requires careful planning before enablement. This guide covers requirements, setup process, access management, and ongoing maintenance.
What is Scenario-Level Security?
Scenario-level security allows administrators to control which users can see specific scenarios in Catalyst. This is particularly valuable when certain scenarios—such as executive forecasts, management-only plans, or sensitive what-if models—should be restricted to specific audiences.
Critical: Read Before Enabling
When scenario-level security is first enabled, all non-admin users temporarily lose access to all scenarios until access is explicitly assigned. Because of this immediate impact, we strongly recommend:
- Enable during off-peak hours or planned maintenance windows
- Pre-create user groups before enablement
- Communicate timing clearly to affected users
- Prepare to assign access immediately after enablement
Before You Enable: Key Considerations
Scenario-level security is a powerful feature with significant operational implications. Review these requirements carefully before proceeding.
Access Model
Access is additive—scenarios are invisible unless access is explicitly granted. This applies to all existing and future scenarios.
Cube Rebuild Required
Scenario permission changes require a cube rebuild to take effect. Expect 15-30 minutes for changes to propagate.
Admin Override
Admin users always retain access to all scenarios regardless of security settings. Standard users see only what's been granted.
Ongoing Maintenance
You are responsible for maintaining access going forward. New scenarios default to no access for non-admins.
⛔ If these operational implications are not acceptable for your organization, do not enable this feature.
What Changes When This Feature is Enabled
Once EBM Support enables scenario-level security, you'll notice the following changes immediately:
Managing Scenario Access
Scenario access is managed on a per-scenario basis through the Access tab. You can grant access to individual users, user groups, or a combination of both.
Where to Configure Access
Navigate to Scenarios
Go to Administration → Scenarios
Edit Scenario
Click Edit on the scenario you want to configure
Open Access Tab
Select the Access tab to view and manage permissions
Recommended Approach: Use Groups
While you can assign individual users directly, we strongly recommend using user groups for easier long-term maintenance and consistency.
✅ Benefits of Groups
- Easier to add or remove users later
- Maintains consistency across many scenarios
- Reduces risk of missing scenarios by accident
- Simplifies auditing and access reviews
- Supports organizational changes efficiently
❌ Individual User Risks
- Must update every scenario manually per user
- Easy to miss scenarios during changes
- Difficult to maintain consistency
- Time-consuming for large user bases
- Hard to audit who has what access
Example Group Strategy
Here's a practical approach to structuring your security groups for scenario access:
💡 Why This Structure Works
This two-tiered approach gives you flexibility: most users get broad access through the "All Access" group, while sensitive scenarios can be restricted to smaller, specialized groups. When users join or leave your organization, you only need to update group membership—not individual scenario permissions.
Step-by-Step: Initial Setup After Enablement
Once EBM Support confirms that scenario-level security is enabled, follow this process to configure access for your organization.
Refresh Catalyst
Have at least one admin user refresh Catalyst to ensure the Access tabs are visible. Go to your profile menu in the top-right corner and select Refresh.
Create Security Groups (If Not Already Done)
Go to Administration → User Groups and create your security groups following the strategy outlined above. At minimum, create:
- Scenario Security – All Access (add general users)
- Scenario Security – Limited Access groups (one per restricted scenario)
Assign Access for Each Scenario
For every scenario in your environment:
- Go to Administration → Scenarios
- Click Edit on a scenario
- Open the Access tab
- Add the appropriate group(s) or users using the search fields
- Click Save
- Move to the next scenario and repeat
Apply Permission Changes (Cube Rebuild)
After configuring access for all scenarios, apply changes by rebuilding the cube:
- Click your profile name in the top-right corner
- Select Refresh
- Allow 15–30 minutes for permissions to propagate fully
Validate Access
Test that permissions are working correctly before notifying users. See the validation section below for detailed testing instructions.
⚠️ Critical Reminder
If a scenario has no access assigned, non-admin users will not see it anywhere in the system—not in planning, actuals management, or reporting. Repeat the assignment process for every scenario to ensure proper visibility.
Applying Permission Changes
Scenario access changes do not apply immediately. A cube rebuild is required for permissions to take effect.
How to Apply Changes
Access Your Profile Menu
Click your profile name in the top-right corner of Catalyst
Select Refresh
Choose Refresh from the dropdown menu to initiate the cube rebuild process
Wait for Propagation
Allow 15–30 minutes for permission changes to propagate fully. Users may see outdated access until this completes.
💡 Timing Recommendation
If you've made changes to multiple scenarios, wait until all scenario configurations are complete before triggering the cube rebuild. This ensures all changes apply together rather than requiring multiple rebuild cycles.
How to Validate Access
We strongly recommend testing scenario visibility before notifying users that access has been configured. The most reliable validation method is user impersonation.
Using User Impersonation to Test
Select a Test User
Choose a standard user (not an admin) whose access you want to verify. Select someone from your "All Access" group for the first test.
Impersonate the User
Go to Administration → Manage Users, find the user, and click Impersonate. Catalyst will reload with that user's permissions.
Check Scenario Visibility
Verify scenarios appear where expected:
- Administration → Manage Actuals: Check scenario dropdown
- Planning Tab: Verify available scenarios in planning interface
- Reporting: Confirm scenarios appear in report filters
End Impersonation
Click End Impersonation in the banner at the top of the screen to return to your admin view.
Recommended Test Coverage
Test with at least two different user profiles to ensure your configuration works correctly:
| Test Profile | What to Verify | Expected Result |
|---|---|---|
| Unrestricted User | Check scenario dropdown in Actuals and Planning | Should see all scenarios except restricted ones |
| Restricted User | Check scenario dropdown in Actuals and Planning | Should only see scenarios with explicit access granted |
✅ Testing Complete: Once you've confirmed that both unrestricted and restricted users see the correct scenarios, you can proceed with notifying users that scenario access has been configured.
Ongoing Maintenance (Critical)
After initial setup, scenario-level security becomes part of your standard operational workflow. Understanding your ongoing responsibilities is essential for maintaining proper access control.
Your Responsibility
Scenario-level security is not a one-time setup. You are responsible for maintaining access as your organization changes. Failure to do so will leave users either unable to see scenarios they expect or able to see scenarios they shouldn't.
When Access Updates Are Required
You must review and update scenario access any time one of these events occurs:
New Scenario Created
Default behavior: New scenarios have no access for non-admins.
Required action: Assign appropriate groups or users through the Access tab immediately after creation.
New User Added
Default behavior: New users have no scenario access until granted.
Required action: Add user to appropriate security group(s) based on their role and access needs.
Group Membership Changed
Impact: Adding or removing users from groups directly affects their scenario visibility once the cube rebuild completes.
Required action: Verify the user's scenario access matches their new role responsibilities.
Role Changes
Impact: When users change roles, their scenario needs may change.
Required action: Review and update group memberships to reflect new responsibilities; remove access that's no longer appropriate.
Standard Maintenance Workflow
Every time you make an access-related change, follow this process:
Make the Change
Update scenario access configuration or modify user group membership as needed
Rebuild the Cube
Go to your profile menu → Refresh to apply permission changes
Wait for Propagation
Allow 15-30 minutes for the rebuild to complete before testing
Validate the Change
Use impersonation to verify the affected user(s) now see the correct scenarios
💡 Pro Tip: Document Your Access Strategy
Maintain internal documentation that clearly explains which groups have access to which scenarios. This makes it much easier for future administrators to understand your access model and maintain it correctly as your organization evolves.
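One way to keep that documentation checkable, shown as an added example that is not part of Catalyst or provided by EBM Support: a small script that reads a hand-maintained access record and applies the rules described in this guide (additive grants, admin override, no access by default) to produce the scenario list each user should see during impersonation testing and to flag scenarios with no access assigned. The record format, user names, and scenario names are assumptions constructed for illustration.

```python
# Constructed access record (assumed format, maintained by hand; not a Catalyst export).
ADMINS = {"alice"}
GROUPS = {  # group name -> members
    "Scenario Security – All Access": {"bob", "carol"},
    "Scenario Security – Limited Access (Exec Forecast)": {"carol"},
}
SCENARIO_ACCESS = {  # scenario -> grants recorded from its Access tab
    "Budget 2025": {"groups": ["Scenario Security – All Access"], "users": []},
    "Exec Forecast": {
        "groups": ["Scenario Security – Limited Access (Exec Forecast)"],
        "users": ["dave"],
    },
    "What-If Draft": {"groups": [], "users": []},  # new scenario, nothing assigned
}


def granted_users(grant, groups=GROUPS):
    """Everyone a single scenario's grants reach: direct users plus group members."""
    members = set(grant["users"])
    for name in grant["groups"]:
        members |= groups.get(name, set())
    return members


def visible_scenarios(user, admins=ADMINS, groups=GROUPS, access=SCENARIO_ACCESS):
    """Admins see every scenario; everyone else sees only explicit grants."""
    if user in admins:
        return set(access)
    return {s for s, grant in access.items() if user in granted_users(grant, groups)}


def unassigned_scenarios(admins=ADMINS, groups=GROUPS, access=SCENARIO_ACCESS):
    """Scenarios no non-admin can see (no grants, or grants reaching only admins)."""
    return sorted(
        s for s, grant in access.items() if not granted_users(grant, groups) - admins
    )


def unknown_groups(groups=GROUPS, access=SCENARIO_ACCESS):
    """(scenario, group) pairs whose group is missing from the record."""
    return sorted(
        (s, g) for s, grant in access.items() for g in grant["groups"] if g not in groups
    )


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(f"{user}: expect {sorted(visible_scenarios(user))}")
    print("No access assigned:", unassigned_scenarios())
    print("Unknown groups:", unknown_groups())
```

Compare each user's expected list with what you see while impersonating that user after the cube rebuild; any difference means the record or the Access tab settings are out of date.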
When to Enable the Feature
Because enabling scenario-level security causes an immediate loss of access for non-admin users, timing and communication are critical to a successful rollout.
Recommended Enablement Schedule
Enable during evenings, weekends, or scheduled maintenance windows when user activity is minimal. This reduces the impact of the temporary access loss.
Notify all users at least 48 hours in advance. Explain that scenario access will be temporarily unavailable during the enablement window and provide an estimated completion time.
Create all security groups and assign user memberships before the feature is enabled. This allows you to configure scenario access immediately after enablement, minimizing downtime.
Coordinating with EBM Support
EBM Support can work with you to schedule enablement at a time that works for your organization. When requesting enablement:
- Propose a specific date and time window (including timezone)
- Confirm that you have security groups pre-created
- Verify that at least one admin will be available during and immediately after enablement
- Provide an estimated completion time for your internal access configuration
✅ Example Request: "Please enable scenario-level security on Friday, March 15th at 6:00 PM EST. We have security groups pre-created and will configure scenario access immediately after enablement. We expect configuration to take approximately 2 hours."
Need Help?
EBM Support is available to assist with scenario-level security planning, enablement, and troubleshooting.
When to Contact Support
Planning Assistance
Need help designing your group structure, determining which scenarios should be restricted, or planning your rollout strategy? We can walk through your requirements and recommend an approach.
Feature Enablement
Ready to enable scenario-level security? Submit a support request with your preferred enablement date and time. We'll coordinate with you to minimize disruption.
Validation Support
Having trouble validating that access is working correctly? We can help you verify permissions, troubleshoot visibility issues, or confirm your configuration is complete.
Troubleshooting
Users not seeing expected scenarios? Access not applying after cube rebuild? We'll diagnose the issue and provide specific guidance to resolve it.
Scenario-level security provides powerful control over who can see specific scenarios in Catalyst. Successful implementation requires careful planning, timely enablement, thorough initial configuration, and ongoing maintenance as your organization evolves. When in doubt, contact EBM Support—we're here to help you design an access strategy that works for your needs.