SensibleAI Forecast Security Best Practices

Author: Austin Williams and Matthew Lindon, Created: 2025-03-19

SensibleAI Forecast security can be controlled at 4 distinct locations: the OneStream environment and application level, the dashboard level, the SensibleAI Forecast level, and Xperiflow Administration Tools, which regulate SensibleAI Forecast job activity. Each level plays an important part in regulating user access, and all four need to be considered even for deployed governance models of simple or moderate complexity.

A simple stakeholder governance model may include resources like:

  • SensibleAI Admin - Responsible for maintaining environment, change approval, and managing security.

  • SensibleAI Power User - Operates all elements of SensibleAI solutions. Might operate deployed projects but also will experiment with new use cases or improve existing ones. They should have unrestricted access to all areas of SensibleAI solutions, except for modifying or managing security access.

  • SensibleAI Base User - These users might only execute deployed forecast cycles but have no responsibility for building or improving. Other times, they might build and improve models for use cases relevant to them but should be segmented from other areas of the business.

  • Business Planner - These users might have view-only access to specific SensibleAI Forecast projects (feature insights) or targeted access for FVA analysis.

OneStream Security Roles

One of the practices stakeholders adopt, especially if SensibleAI Forecast does not tie into an established OneStream Planning workflow, is to have a blank OneStream Application that solely hosts SensibleAI Forecast and other SensibleAI solutions. The users of this application typically are not OneStream admins, but their access can be easily controlled by creating a “SensibleAI Forecast Open Application” user group that allows them to open the OneStream application hosting SensibleAI Forecast. This is probably the biggest filter for OneStream users, and it lightens the burden for later SensibleAI Forecast and Xperiflow Administration Tools security configurations: the pool of OneStream users to manage shrinks from the entire userbase to the small subset of people approved to work in SensibleAI Forecast.

In a DEV environment or DEV application instance, where users are expected to experiment and develop SensibleAI Forecast use cases, this might be the entire security configuration that’s needed. Anyone allowed access to the SensibleAI Forecast DEV app can read and write in all areas of Data Manipulator, FVA, or SensibleAI Forecast.

This OpenApplication Security role can be found in Application > Tools > Security Roles.

All user types specified in the example stakeholder governance model should have the OpenApplication privileges, but Application or System tab access may be segmented to only SensibleAI Admins and Power Users.

Dashboard Level Security

One step below managing application access is managing dashboard access. This is performed by modifying the maintenance unit for each individual SensibleAI solution. On the Maintenance Unit for a dashboard, users can set the access group and maintenance group to the specific OneStream Security Group that should be able to click on the dashboard in OnePlace.

To implement this, additional OneStream security roles should be created. A 4-tiered example of groups that can be created is:

  1. SensibleAI Admin - Access to everything, Maintenance Group for everything.
  2. SensibleAI Power User - Access to everything, but cannot manage security - no Xperiflow Administration Tools, XCT, or XFU.
  3. SensibleAI Base User - Cannot enter Data Manipulator (no data read/write), but can enter SensibleAI Forecast, FVA, and Data Pipeline dashboards.
  4. SensibleAI Business Planner - Can only enter SensibleAI Forecast and FVA with view-only controls.

This is a recommended layer of security that minimizes user confusion about why they can’t do anything in an application that they have the ability to open.

SensibleAI Forecast Security

There are 2 SensibleAI Forecast Level Security roles that can be configured:

  1. Power User → These users can build and deploy projects and access the global settings content.
  2. Base User → These users can look at projects already created.

Selections for these roles are derived from OneStream Security Groups and allow control of SensibleAI Forecast at a high level. They apply across all projects unless project level security has been configured.

Xperiflow Administration Tools Project Level Security in SensibleAI Forecast

When creating a project in SensibleAI Forecast, the user is prompted with 3 fields to configure project security restrictions. Selections for these fields can be derived from Identities created in Xperiflow Administration Tools. These selections are scoped ONLY to the project that they are configured for.

  1. Viewer → Read-only access. Cannot modify anything within a Model Build or run any jobs.
  2. Editor → Read/Write access. Can modify anything within a Model Build, but does not have access to higher administrative level privileges.
  3. Manager → Read/Write/Delete access. Full capabilities to modify anything within a project and higher-level project settings.

By following this structure, we ensure clear restrictions of access for users. Included below are potential use cases for each role.

Viewer

The Viewer Role can be associated with anyone who needs to access the data/results inside a project. All pages inside the project can be accessed, but nothing can be changed. This role can be very useful for users who either aren’t familiar with SensibleAI Forecast and need to view the forecasts, or who just shouldn’t be allowed to change the project in general.

Editor

The Editor Role can be associated with those who will perform project changes that revolve around editing or reading resources. Editors are restricted from deleting any resources inside the project, as well as the project itself. This role can be useful for users who are meant to move projects along in the build process and to create new predictions.

Manager

The Manager Role can do anything within the project itself. This includes full CRUD operations as the user can delete resources in the project as well. This can be used as an Admin role at the specific project level in SensibleAI Forecast.
