Definition of data access dimensions

By configuring data access dimensions, you can assign data access privileges that, in addition to process access privileges, enable you to control access to PPM data.

Data access privileges are assigned to user groups and are inherited by the users assigned to that group. The administrator (PPM user with User management function privilege) defines the data access privileges by specifying particular filters on dimensions that cannot be edited by the user. These dimensions are called data access dimensions and specified in the configuration of the process tree through the roledim XML element. The roledim element must reference an already configured text dimension (chapter Text dimensions) that must be registered at the root of the process tree. This ensures that data access dimensions can be used throughout the entire process tree. Only one- and two-level text dimensions are allowed for the roledim element.

If you do not want a data access dimension to be displayed in the PPM user interface, specify the internal="yes" XML attribute in the definition of the dimension.

Example

In the process tree configuration file, the Sold-to party and Sales organizationdata access dimensions are specified as follows:

...

<roledim name="VKORG"/>

<roledim name="PRINCIPAL" refinement="BY_LEVEL1"/>

...

<usedim name="VKORG"/>

<usedim name="PRINCIPAL" refinement="BY_LEVEL1"

scale="LEVEL1SCALE"/>

...

The two dimensions are available as data access dimensions in privilege management.

PPM users inherit the data access privileges for all user groups they are assigned to. The data access privileges are linked as follows:

A user who is not assigned to any user groups has no data access privileges.

Special case

To link data access privileges for different dimensions with an OR rule, combine the values of these dimensions into a new, invisible dimension using the attribute calculator and specify the calculated dimension as the data access dimension.

Example

You want to assign data access privileges for the two dimensions Location 1 and Location 2in such a way that a user can view data if the Munich plant appears in one of the Location 1 or Location 2 dimensions.
All dimension values for the two dimensions are combined in the calculated dimension Location 3. This is specified as a data access dimension in the process tree configuration.

Location 1

Location 2

Location 3

Munich

Berlin

Munich_Berlin

Stuttgart

Leipzig

Stuttgart_Leipzig

Hamburg

Munich

Hamburg_Munich

Saarbrücken

Hamburg

Saarbrücken_Hamburg

Using the filter expression *Munich* creates the relevant data access privilege.