Improved Ancestor Member Access

Using the new Default Ancestor Access option to automate access assignment,  users in the web and in Smart View are now able to zoom out to ancestors and see the hierarchy in a tree view, even when, prior to this feature, they wouldn’t have had access to the members at the parent level. This feature enhances existing member security to provide a choice of default access to ancestor members. Service administrators can set the default access for ancestors to either None, Read, Write, or Display access in the application. They can also grant Read, Write, or Display access to one or more ancestors in, for example, the Dimension Editor. In these cases, the explicit security assignment made in the Dimension Editor takes precedence, unless the access set in the Dimension Editor is set to None, in which case the Default Ancestor Access setting takes precedence.

Service administrators use the new Default Ancestor Access option to specify default user access to the ancestor members of members with access other than None, including shared members. This enables users to view the members that they have access to in context of the subhierarchies that they are part of in, for example, ad hoc grids or the Member Selector.

NOTE: The user will not see subhierarchies unless they have access to at least one descendant member.

The available Default Ancestor Access options are:

  • NoneBy default, users are not able to see the ancestor members of members that they have access to unless they are explicitly granted access to them. When this option is selected, the system works the same way it did prior to the 24.03 update.
  • ReadBy default, users are granted Read Only access to the ancestor members of members that they have access to unless they are explicitly granted Write or Display access, which would override this default.
  • WriteBy default, users are granted Write access to the ancestor members of members that they have access to unless they are explicitly granted Read or Display access, which would override this default.
  • DisplayBy default, users are granted Display Only access to the ancestor members of members that they have access to unless they are explicitly granted Read or Write access, which would override this default. Note that members with Display Only access will be displayed, but instead of data values in the cells associated with those members, users will see #NoAccess.

Consider the following example, where the Service Administrator selects the Display setting in Default Ancestor Access. Users are able to see the hierarchy tree structure in the grid and in the member selector, but see #NoAccess in cells to which they do not have access. For example:

Ad hoc grid with Define Ancestor Access set to Display, showing hierarchy structure and #NoAccess cells

Ad Hoc Grid with Define Ancestor Access Set to Display, Showing Hierarchy Structure and #NoAccess Cells

Note the above is not the whole hierarchy, but all the ancestors in which the user has access to at least one member.

Likewise, in the Member Selector in Smart View, we see the full tree to which the user has access, which includes Total Entity, USA, West, East:

Member Selector in Smart View, showing the full hierarchy structure to which the user has access

Member Selector in Smart View, Showing the Full Hierarchy Structure to Which the User Has Access

Note that the ancestor access options have also been added wherever you find security on members; for example, in the Dimension Editor.

Business Benefit: The new Default Ancestor Access option for the application and dimensions gives Service Administrators a simpler way to apply access to hierarchy members, and provides users with clearly navigable hierarchy structures in, for example, ad hoc grids and the Member Selector, both in the web and in Smart View.

Steps to Enable

To set the Default Ancestor Access option for the application, a Service Administrator performs these steps from the EPM Cloud web interface:

  1. In the web business process, click Application, and then click Settings.
  1. In System Settings, select an option from Default Ancestor Access (options are described in the previous section):
    • Read
    • Write
    • Display
    • None (default)
  1. Click Save.

Tips And Considerations

  • If Write access is selected as the default, the ancestors may still be read-only if other features such as Bottom Up Versions, Dynamic Calc, the presence of a supporting detail, and others, set the cell back to read-only. The Write value is primarily provided for customers using either FreeForm, or Target Versions.
  • Default Ancestor Access applies to ancestors after shared member security is evaluated. This allows it to work correctly both whether the Include Shared Members in Cube Refresh option is enabled or disabled.
  • Enabling Default Ancestor Access facilitates the sharing of Excel workbooks between users having different levels of access to members. When access is configured, and users click Refresh in Smart View, cells to which they have access will come back with actual data values (or #NoAccess) and the hierarchy structures are maintained.

Key Resources