amccollum
Community Admin
December 10, 2025

OneStream Security: Data Access Security (aka Slice)

On this edition of Tech Talks, Teresa Catron Kress, author of the new OneStream mini-book "OneStream Essentials", joins Tom Linton and Matt Kerslake to discuss how to design and maintain a robust security model in OneStream. Learn about what's possible with OneStream Security, using Slice Security versus no input business rules, and get a walk-through of use cases.

Key Topics Covered

  • OneStream Security Essentials: a 221-page book authored by Teresa Catron Kress covering security fundamentals — described as a 'mini' book in OneStream terms, meaning focused rather than brief; this session concentrates on data access security (slice security)
  • What is slice security: a slice is a data access record that grants a user group access to a specific combination of dimension members — for example, restricting a group to only see data for a specific sales territory within the entity dimension
  • Three access levels: every slice grants one of three levels of access — no access (data is hidden), read access (data is visible but not editable), or modify access (data can be edited); the combination of slices on a group defines what each user can see and do
  • Group-based security model: slices are assigned to groups rather than individual users; users inherit data access through their group membership, allowing centralized management of access as organizational roles change
  • Configuring slices at the cube level: slices are set up within a cube and tied to a group, restricting access by entity, scenario, time period, or any combination of dimensions supported by the cube
  • Nested slices: slices can be embedded within other slices, enabling layered security structures where, for example, a territory-level slice contains embedded city-level restrictions within it
  • Dynamic hierarchy problem without slice security: when entities are reorganized in the entity dimension (e.g., a city moved from Territory One to Territory Two), users without slice security may inadvertently retain visibility to entities they should no longer see — slice security ensures access follows the current hierarchy, not the old one
  • Live demonstration: a user assigned to a Sales Territory One group is shown to correctly see only Territory One data; when an entity is moved to Territory Two, slice security ensures that entity is no longer visible to the Territory One user
  • Slice security vs. workflow locking: the two mechanisms solve different problems — slice security controls which data a user can see or edit by dimension; workflow certification locks prevent editing of certified/locked periods regardless of slice access; they are complementary but independent
  • Privacy during the financial close: slice security is particularly valuable for consolidation teams who need to work privately during the close process, controlling precisely when consolidated results become visible to the broader organization
  • When slice security is and is not needed: if privacy during the close is not a concern and access control is handled through workflow locking alone, slice security may not be required — the choice depends on the organization's data visibility requirements
  • Audit tool from Solution Exchange: the 'Data Access Slice Security' tool — available as a free download from the Solution Exchange — allows administrators to view all configured slices in a grid format, supporting governance, audit, and troubleshooting of the security model