An administrative role scenario
The Planning Server security model includes predefined administrative roles. Members of these administrative roles use Planning Business Modeler to create and manage data, business processes, and the business roles that control access to business data. For information about administrative roles, see About permissions for administrative roles.
A role scenario
The following scenario is an example only, and is intended to explain the relationship between the Planning Server roles.
Planning Server is installed in the data center of Woodgrove Bank. The IT administrator designates a Woodgrove Bank business analyst, Matt Berg, to be the first member of the Global Administrator role. The IT administrator enters Matt's account information in the appropriate screen of Planning Server Configuration Manager and then finishes the installation.
The next morning, Matt arrives at work. He uses the Planning Administration Console to access the Planning Server system and adds his coworker Amy Rusko as a Planning Server user (users must be added to the Planning Server system before they can be added to a role). Then he adds Amy to the Global Administrator role so she can perform the same tasks that he can. Only members of the Global Administrator role can add or remove other Global Administrator members.
Next, Matt uses the Planning Administration Console to create an application and he calls it Woodgrove App. At this point, the application is just a container with some basic metadata. Matt associates the application with a SQL Server 2005 database, which the database administrator provided for him earlier. Matt then creates two model sites in the Woodgrove App application, Model Site 1 and Model Site 2.
While Matt is doing that, Amy is adding some more coworkers to the Planning Server system so that they can be assigned to roles. She adds her assistant Brad to the Planning Server system and then adds Brad to the User Administrator role at the application level. Members of the User Administrator role can add or remove people from roles, but they cannot perform any modeling operations.
After the model sites are created, Brad is ready to add users to the Data Administrator and Modeler roles so that they can create the rest of the Planning Server infrastructure. Some Woodgrove Bank business analysts are given full application scope as Data Administrator and Modeler members. This means that they can add dimensions and build models in either model site, whereas others are given scope to work only in Model Site 1 or Model Site 2.
While the Data Administrator and Modeler members begin adding dimensions, defining member sets, and building models in the model sites, Brad can add the rest of the Woodgrove Bank employees to the system. After that, he can assign appropriate employees to the Data Administrator, Modeler, and User Administrator roles, as necessary, and with the appropriate scope. He can also remove users who stop working on the project, or remove users from the system if they leave the bank.
Eventually, the Woodgrove App application is finished. The next step is to create business roles in Planning Business Modeler, so that Woodgrove Bank employees can begin using the application by using PerformancePoint Add-in for Excel. Business roles that are created in Model Site 1 or Model Site 2 will only be able to access data in their own model site. The Data Administrator and Modeler members create many business roles. Some business roles can access only certain models in a model site, but others can access every model. Each business role is given very specific permissions on member sets inside the two model sites. Roles that can access sensitive data will be populated only with employees who are authorized to see such data.
After the business roles are created and their permissions are defined, Brad, the User Administrator member, can add users to the appropriate business roles. These roles depend on their job functions and the data that they must access. By using PerformancePoint Add-in for Excel, the business role members can now read and write data segments that are appropriate to their role in the bank.