PDC Business Group Security
Portfolio Data Center (PDC) provides data governance workflows for field level and entity level security and maintenance that were not available in prior versions of classic entity maintenance. Field level security is configured through the PDC Field Group setup menu.
Field Level Security
PDC provides field level security via business groups on the Field Group setup menu. This means that only users who belong to a given business group can override data for the fields ‘owned’ by that business group. This is based on a configuration where ‘field groups’ (meta-data component) are assigned to a specific business group.
To assign field level security:
In PDC, while creating/editing Field Groups you can assign permission (Ownership/Management) to all fields belonging to a Field Group.
In Portfolio Data Center, from the left navigation, click Setup > Field Groups. You see the Field Groups workspace with the available list of field groups.
On the Home tab, in the Manage group, click Create New. You see the Create New Field Group wizard displaying the Define page.
In the ID box, type a unique identifier for the code, if required. Otherwise, by default, the system generates a unique identifier.
Type the name for the field group in the Name box.
Type a description about the field group in the Description box, if needed.
Click the Ownership/Management list to select the business group that can own and access the field group. Otherwise click the Lookup icon to select the business group to provide access to the field group. You can select only one business group.
Click Next. You see the Field page.
Click Select Fields list to select the fields for the field group. You can select one or more fields to the field group.
Click Next. You see the Policies page.
Click Select Policies to select one or more policies to add the field group. The system adds the field group to the selected policies.
Click Save & Close to save the changes.
Compound Business Group
Using compound business groups, you can provide field editing access to users belonging to multiple business groups. A compound business group is a business group that ‘owns’ one or more regular business groups. Business groups are managed in the User Administration module.
For example, assume that:
Users 1-10 are in Business Group 1.
Users 11-20 are in Business Group 2.
A PDC field group is currently assigned to Business Group 1. This means that although all 20 users can view entities and the field values in PDC, only users 1-10 can update or edit them.
You want to grant field editing capabilities to all 20 users without having to pull users 11-20 out of Business Group 2.
To do this, go to the User Administration module and create a new compound business group (for example, Compound Group ABC) and add both business groups 1 & 2.
Next, go to PDC and edit the Field Group and change its Ownership/Management assignment from Business Group 1 to Compound Group ABC. Now users from both business groups will have create and edit access to all fields in this Field Group.
For more information about compound groups, see User Administration.
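The ownership rule above, modeled as an added example (not Portfolio Data Center code) that also reports who gains or loses edit rights when a field group is reassigned, which is worth checking before changing an Ownership/Management assignment. The group data, field names and function names are constructed for illustration, and the model assumes a compound group contains only regular groups.

```python
# Added illustration: a model of the ownership rule, not Portfolio Data Center code.
# All names and data below are constructed for the example.

# Regular business groups and their members (users 1-10 and 11-20, as in the text).
REGULAR_GROUPS = {
    "Business Group 1": {f"user{n}" for n in range(1, 11)},
    "Business Group 2": {f"user{n}" for n in range(11, 21)},
}

# A compound group 'owns' one or more regular business groups.
COMPOUND_GROUPS = {
    "Compound Group ABC": {"Business Group 1", "Business Group 2"},
}

# Each field group has exactly one Ownership/Management assignment.
FIELD_GROUPS = {
    "Legal Fields": {"owner": "Business Group 1", "fields": {"legal_type", "domicile"}},
}


def effective_editors(owner):
    """Return the set of users who can edit fields owned by `owner`."""
    if owner in COMPOUND_GROUPS:
        members = set()
        for group in COMPOUND_GROUPS[owner]:
            # A compound group that names an unknown group is a configuration error.
            if group not in REGULAR_GROUPS:
                raise KeyError(f"{owner} references unknown group {group!r}")
            members |= REGULAR_GROUPS[group]
        return members
    if owner in REGULAR_GROUPS:
        return set(REGULAR_GROUPS[owner])
    raise KeyError(f"unknown business group {owner!r}")


def can_edit(user, field, field_groups=FIELD_GROUPS):
    """True if `user` is in the group that owns a field group containing `field`."""
    return any(
        field in fg["fields"] and user in effective_editors(fg["owner"])
        for fg in field_groups.values()
    )


def access_diff(old_owner, new_owner):
    """Users who gain and lose edit rights when ownership is reassigned."""
    before, after = effective_editors(old_owner), effective_editors(new_owner)
    return sorted(after - before), sorted(before - after)
```

Calling `access_diff("Business Group 1", "Compound Group ABC")` shows that users 11-20 gain edit rights and nobody loses them.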
Best Practices
The manner by which business groups come into play depends on your workflow requirements and policies. The following variations are suggestions for illustrative purposes:
Scenario 1: There is one group responsible for entity maintenance and they should have access to all fields.
- Make sure all users are in the same business group and make sure all Field Groups are assigned to that group.
- If these users are already spread across multiple business groups, create a compound group that includes the full spectrum of business groups, then reset all the Field Groups to be assigned to the new compound group.
Scenario 2: Create several distinct groups, each responsible for specific field groups. For example, legal type fields are maintained by the legal department, performance fields by the performance department, and so on.
- First determine how many distinct groups there are.
- Create a business group for each area and assign users.
- Create field groups that contain the fields that each area is responsible for.
- Ensure each field group is assigned to the associated business group.
Entity Level Security
PDC has a feature that allows access to an entity to be granted only to users in specific business groups. The purpose is to restrict access to an entity within other areas of the product suite.
For example, ‘Entity 1’ is assigned to regular groups 1 – 3. Users outside these groups do not have access to Entity 1 when they use the entity selector in OLAP reporting, datamart and other downstream modules.
Business group assignment of an entity is optional, and you can configure it in PDC when creating or editing entities. It is important to note that only users in the Super User group and System Admin Group can make business group assignments. Only members of the Super User group see the Permissions tab automatically when viewing entity details. Users in other business groups do not.