How-To Set Up Advanced Database Configurations: Example Security Group Set Up
With the introduction of Advanced Database Configurations in AI Services, the Application Server Configuration file has new requirements for separating databases by specific user groups, as well as configurations required for AI Services to run as expected. More information on these configurations and requirements can be found in the article Application Server & Security Configurations for AI Services.
The information below is an example set of security groups that users can be assigned to when implementing an Advanced Database Configuration.
Example Scenario
The stakeholder requires the following database segmentation for their AIS Environment:
- 2 AIS Data Sources Databases with different users assigned to each database
- Subgroup of users that will have access to the AIS Framework Database
- OneStream Administrators should have access to all of the databases, except for the AIS Framework Database.
Step 1: Application Server Configurations on Database Server Connections
Based on the definitions in the article Application Server & Security Configurations for AI Services, the following configurations will be adjusted in the Application Server Configuration:
- Each AIS Database is assigned to a user group that matches the naming conventions defined in the previously listed article:
AIS1 Data Sources Database 1:
AIS1 Data Sources Database 2:
AIS1 Framework Database:
- The required security groups are assigned to the OneStream Database Server, which allows non-admin users to use AI Services.
Step 2: Build out Security Groups/User Personas
The following user groups should be created and assigned the following database access:
NOTE: Database Access is configured by assigning users/groups to the groups that were configured for each database in Step 1. These groups will still have to be created in OneStream after being configured in the Application Server Configuration file.
- AIS User Group 1:
  - Group Name: AIS1Users1
  - Description: These users will have full access to utilize the AIS solutions, but only have access to the AIS1 Data Sources Database 1
  - Example User: User 1
- AIS User Group 2:
  - Group Name: AIS1Users2
  - Description: These users will have full access to utilize the AIS solutions, but only have access to the AIS1 Data Sources Database 2
  - Example User: User 2
- AIS User Group 3:
  - Group Name: AIS1Users3
  - Description: These users will have full access to utilize the AIS solutions, only have access to the AIS1 Data Sources Databases, and will not have access to the AIS1 Framework Database.
  - Example User: User 3
- AIS Administrators:
  - Group Name: AIS1Administrators
  - Description: These users will have access to all AIS related databases without having full OneStream Administrator privileges.
  - Example User: User 4
Step 3: Add AIS User Groups to Required Groups for AI Services
The article Application Server & Security Configurations for AI Services outlines a couple of additional groups that the AIS User Groups should be added to for all of AIS to function as expected. Below are the groups and the assignments each should have:
- Group 1:
  - Group Name: DB_ANC_Maintenance_Group
  - Description: Group who can edit and maintain tables.
- Group 2:
  - Group Name: ManageApplicationDatabaseFilesAccess
  - Description: Group who can edit and maintain files in the Application Database of the OneStream FileSystem.
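The group design from Steps 1 to 3 can be checked on paper before it is built. The following Python is an added example, not OneStream code or part of the original article: it resolves nested group membership into the databases each example user can reach and reports drift from the intended design. The PLACEHOLDER_* database access group names are constructed, and it assumes all four AIS user groups are added to both required groups in Step 3.

```python
# Added example. PLACEHOLDER_* group names are constructed, not from the article.
DB_ACCESS_GROUP = {                      # database -> group set on it in Step 1
    "AIS1 Data Sources Database 1": "PLACEHOLDER_DB1_ACCESS",
    "AIS1 Data Sources Database 2": "PLACEHOLDER_DB2_ACCESS",
    "AIS1 Framework Database": "PLACEHOLDER_FRAMEWORK_ACCESS",
}
REQUIRED_GROUPS = ["DB_ANC_Maintenance_Group", "ManageApplicationDatabaseFilesAccess"]
AIS_USER_GROUPS = ["AIS1Users1", "AIS1Users2", "AIS1Users3", "AIS1Administrators"]
# group -> direct members (users or nested groups), as built in Steps 2 and 3
MEMBERS = {
    "PLACEHOLDER_DB1_ACCESS": {"AIS1Users1", "AIS1Users3", "AIS1Administrators"},
    "PLACEHOLDER_DB2_ACCESS": {"AIS1Users2", "AIS1Users3", "AIS1Administrators"},
    "PLACEHOLDER_FRAMEWORK_ACCESS": {"AIS1Administrators"},
    "AIS1Users1": {"User 1"}, "AIS1Users2": {"User 2"},
    "AIS1Users3": {"User 3"}, "AIS1Administrators": {"User 4"},
    "DB_ANC_Maintenance_Group": set(AIS_USER_GROUPS),  # assumed: all four groups
    "ManageApplicationDatabaseFilesAccess": set(AIS_USER_GROUPS),
}

def expand(group, members, seen=None):
    """Return every user reachable from `group` through nested groups."""
    seen = set() if seen is None else seen
    if group in seen:                    # guard against circular nesting
        return set()
    seen.add(group)
    users = set()
    for m in members.get(group, ()):     # a name with no entry is treated as a user
        users |= expand(m, members, seen) if m in members else {m}
    return users

def access_matrix(members):
    """Map each user to the sorted list of databases they can reach."""
    matrix = {}
    for db, grp in DB_ACCESS_GROUP.items():
        for user in expand(grp, members):
            matrix.setdefault(user, []).append(db)
    return {u: sorted(dbs) for u, dbs in matrix.items()}

def audit(members):
    """Return findings where the built groups drift from the intended design."""
    findings = []
    fw_users = expand(DB_ACCESS_GROUP["AIS1 Framework Database"], members)
    for user in sorted(fw_users - expand("AIS1Administrators", members)):
        findings.append(f"{user}: Framework access outside AIS1Administrators")
    for req in REQUIRED_GROUPS:
        for grp in AIS_USER_GROUPS:
            if grp not in members.get(req, ()):
                findings.append(f"{grp}: missing from {req}")
    return findings
```

Running `audit()` against an export of the real group memberships after any change gives a quick check that Framework Database access has not spread beyond AIS1Administrators.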
Demo of Database Restrictions in Action
To see this configuration in action, the Data Target page in SensibleAI Forecast (FOR) can be used to display the different database options that each user now has with these configurations:
User 1:
User 2:
User 3:
User 4:
This user will see the same database connections in SensibleAI Forecast as User 3 because additional security in SensibleAI Forecast around the AIS1 Framework Database prevents it from being shown as an option. They do have access to this database in other solutions, such as DMA, for example: