AI Services Security Landscape
The below diagram outlines the layers of security available within the AI Services Solutions and links for best practices on how to manage these security roles within an OneStream environment. The below examples will cover access data from Xperiflow and Database Storage from SensibleAI Forecast (FOR) and AI Data Manipulator (DMA).
Architecture
Example of Xperiflow Request
Looking at the left example in the above diagram a user is attempting to connect to the Xperiflow Engine from both FOR and DMA.
- Both requests initially pass through XperiGate, the security layer of the Xperiflow Engine that manages user access. Within these requests, XperiGate is verifying the user has access to the data that is being requested.
This access can be managed through Xperiflow Administration Tools (XAT) through the use of Identities, Roles, and Scopes.
- XperiGate confirms that the user has the proper access to view the data requested in FOR and continues through to process the request.
- The request from DMA, however, resulted in XperiGate blocking the users access to the data. If the user should have access to DMA, then an adjustment will need to be made within XAT to their security permissions.
Example of Database Retrieval
Looking at the right example in the above diagram a user is attempting to retrieve data from the database storage set up within the OneStream Environment.
SensibleAI Forecast
There is one security layer for retrieving data from the database within FOR, which is the Application Server Configuration.
- This can optionally be configured to restrict access to the database throughout the entire OneStream Application.
- By restricting this access, a user will no longer see the database as an option throughout AI Services.
- Additionally, if a user attempts to query the database from a custom Business Rule, their query will be blocked.
- If the advanced database configuration is not configured for an environment, the default access group for all AI Services database connections is ‘Administrators’.
- In the above example, the user had access to the database connection and was able to see the previewed data in FOR.
AI Data Manipulator
Due to the nature of DMA and the direct access to the databases that it gives users, there is an additional security layer included.
- This layer is managed within DMA’s global settings dialog and allows a user to grant access to the following:
- Database Connections
- These are the database connections that are available to a user group based on the Application Server Configuration security settings.
- Security Modify Access
- This grants access for a user group to access the security section of the global settings dialog and modify the security access other users have.
- Database Connections
- The above example resulted in a user having both access layers configured for them to be able to query against the database.
- An alternative example worth noting:
- A user can have access to a database connection blocked within the Security Roles setting in DMA, but still have access to the database connection within the Application Server Configuration.
- This example is important to understand because a user would be able to query that database connection from a custom Business Rule.
- A user can have access to a database connection blocked within the Security Roles setting in DMA, but still have access to the database connection within the Application Server Configuration.