Access and Security


Activity Hub access and security is set by the Data Governance Committee and Data Stewards.

Reports are saved into folders in Cognos/Tableau. Each folder is then connected to one or more Active Directory (AD) groups.

Report development teams or business units then maintain the AD group membership.

Example:

| Folder | AD Group | What can members do? |
| --- | --- | --- |
| Team A | TeamA_ProjectA_BI_Developers, TeamA_ProjectA_BI_Consumers | Publish reports into the Team A folder in Cognos & Tableau. Run reports in Team A folder in Cognos & Tableau. Cannot see or run reports in Team B folder or Team C folder. |
| Team B | TeamB_ProjectB_BI_Developers, TeamB_ProjectB_BI_Consumers | Publish reports into the Team B folder in Cognos. Run reports in Team B folder in Cognos. Cannot see or run reports in Team A folder or Team C folder. |
| Team C | TeamC_ProjectC_BI_Developers, TeamC_ProjectC_BI_Consumers | Publish reports into the Team C folder in Tableau. Run reports in Team C folder in Tableau. Cannot see or run reports in Team A folder or Team B folder. |

Reports / Workbooks

Required: Reports live in Folders in both Cognos and Tableau. Security is then applied at the BI tool folder level.

Team Folder

Required: The security applied to Cognos Folders and Tableau Projects relies on Active Directory (AD) groups. Report developers work with their local Departmental Security Administrator (DSA) or local IT Support to create or use existing AD groups. The report developer then sends the AD group name to the BIA team so that the BIA team can create the team folder and connect it to the team AD group. The report developer can manage the participants of that AD group in order to manage who has access to the reports saved to that folder. For the Employee Activity Hub (EAH), Financial Activity Hub (FINAH), Research Activity Hub (RAH) and Student Activity Hub (SAH), access to the report will grant access to the data within the report.

Row Level Security

Additional security can be requested in the form of row based security. The Activity Hub can reference an access matrix that maps each user login to the rows of data that user is assigned to see. The most common example of this is userid to department. Based on that matrix, the Activity Hub will only show data to users in that matrix and will only show each user the rows they are associated with.

Row level security is applied prior to Active Directory (AD) group security; therefore, AD group security cannot override row level security.

Currently, only EAH is using row level security.
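A minimal model of the access matrix behaviour described above, added here as an illustration and not taken from the Activity Hub itself. SQLite stands in for the hub database, and the table names, user IDs, departments and sample rows are constructed; only the AD group names come from the example table on this page.

```python
import sqlite3

# Constructed sample data: users, departments and table names are hypothetical.
FOLDER_GROUPS = {"Team A": {"TeamA_ProjectA_BI_Developers",
                            "TeamA_ProjectA_BI_Consumers"}}
USER_GROUPS = {
    "alice": {"TeamA_ProjectA_BI_Consumers"},
    "bob": {"TeamA_ProjectA_BI_Consumers"},  # in the folder group, no matrix rows
    "carol": set(),                          # matrix rows, no folder group
}

def build_hub():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE employee (emp_id INTEGER, name TEXT, department TEXT);
        CREATE TABLE access_matrix (userid TEXT, department TEXT);
        INSERT INTO employee VALUES
            (1, 'Ng', 'CHEM'), (2, 'Ortiz', 'CHEM'), (3, 'Patel', 'MATH');
        INSERT INTO access_matrix VALUES
            ('alice', 'CHEM'), ('carol', 'CHEM'), ('carol', 'MATH');
    """)
    return db

def rows_for(db, userid):
    """Row level filter: keep only rows in departments the matrix assigns to userid."""
    return db.execute(
        """SELECT e.emp_id, e.name, e.department
           FROM employee AS e
           WHERE EXISTS (SELECT 1 FROM access_matrix AS m
                         WHERE m.userid = ? AND m.department = e.department)
           ORDER BY e.emp_id""",
        (userid,),
    ).fetchall()

def run_report(db, userid, folder):
    """Folder membership decides whether the report runs at all. The rows come
    from the already filtered query, so group membership cannot widen them."""
    if not USER_GROUPS.get(userid, set()) & FOLDER_GROUPS[folder]:
        raise PermissionError(f"{userid} is not in an AD group for {folder}")
    return rows_for(db, userid)

if __name__ == "__main__":
    hub = build_hub()
    for user in ("alice", "bob"):
        print(user, run_report(hub, user, "Team A"))
```

A user who is in the folder's AD group but absent from the matrix gets an empty result, which is the case to check for when a consumer reports that a report "runs but shows nothing".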

Activity Hub

At the Activity Hub level there is very limited access:  only Cognos, Tableau and column groups can directly connect to an Activity Hub. 

Report developers and report consumers use Cognos packages or Tableau data sources to access Activity Hub data. Report Consumers use reports/workbooks built by Report Developers to access Activity Hub data.

Data integration developers and integrated applications use column groups to access Activity Hub data.

Levels of Security

There are numerous levels of security a Data Steward can select for any Activity Hub.

Security Level

What is it?

How to request access?


View Level Security = Core vs Restricted

Core views are available to report developers and data integration developers who are approved for developer access.

Restricted views are available to a small group of people with Core access to that Activity Hub who have a business need for the restricted data.

Report developers can request Core access here: https://blink.ucsd.edu/technology/bi/sources/index.html

Data integration developers can request Core access here: ITS-BIA Service Request

SAH Report Developers can request access to Financial Support here: Student Activity Hub Restricted Report Developer Access Request

All other restricted access can be requested via email to busintel@ucsd.edu. Include your business need and how you will be securing the data you are using.

Folder Security

Reports are saved to folders in Cognos/Tableau. Each folder is associated with an Active Directory (AD) security group. Membership in that AD security group is required in order to run any reports in that folder.

https://ucsdcollab.atlassian.net/wiki/spaces/ACP/pages/1657733646/AH+Security+FAQs#Q:-How-do-I-set-up-a-Team-Folder?

Row level security - View level

(only in EAH and FINAH CBO)

Some views have row level security per data steward request. This limits the number of rows a person can see based on the departments they have been approved to access.

For more information see https://ucsdcollab.atlassian.net/wiki/spaces/ACP/pages/11175811

Row level security - Report Developer created

Report developers can limit the rows a person can see based on the person’s relationship with the data or AD Group membership by using Cognos or Tableau.

Cognos How-To coming soon

https://ucsdcollab.atlassian.net/wiki/spaces/ACP/pages/847118736

https://ucsdcollab.atlassian.net/wiki/spaces/ACP/pages/848691588

Column level security - P4

(only available in Cognos)

(Tableau will not display P4 fields due to security limitations)

Some fields (aka columns) contain sensitive data that the data steward has marked as P4. Only approved users will be added to the Active Directory (AD) group for that set of P4 fields.

Note: There are several different groups of P4 data. Developers are added to each group per data steward approval.

P4 access can be requested via email to busintel@ucsd.edu. Include the exact fields you are requesting, the business justification and the security plan for how you will be using the P4 data.

Column level security - Masking

(only in SAH-AR)

Some fields/columns contain sensitive values that the data steward would like to protect without hiding the entire field/column. BIA can implement masking. Masking will display the value to members of the AD group granted access to the sensitive values and will display a generic value to everyone else.

Masking is currently only in use in the SAH-AR views. See https://ucsdcollab.atlassian.net/wiki/spaces/ACP/pages/2610987108/SAH-AR-Transaction-View+Quick+Start+Guide#Masked-Data for the list of masked fields. You must demonstrate how your current access does not meet your needs in order to gain access to the masked values.

SAH Report Developers can request access to masked AR values here: Student Activity Hub Restricted Report Developer Access Request

Data Integration Developers can request access to masked AR values via email to busintel@ucsd.edu. Include your business need and how you will be securing the data you are using.

Column level security - Report Developer created

Report developers can limit the fields/columns a person can see based on the person’s AD group or AD group membership by using Cognos or Tableau.

Report developers can also use this method to create their own masking.

Cognos How-To coming soon

https://ucsdcollab.atlassian.net/wiki/spaces/ACP/pages/848396986
