Analysis Models - Setup¶
This page provides information specific to the setup of the Analysis Models.
Defining the environment parameters correctly is essential to be able to use the tabular framework.
For more detailed information about the Environment Parameters page and the Setup Environment Assistant, please refer to IFS Analysis Models - Installation.
AD User Mappings¶
Tabular models that support built-in RLS (Row Level Security) require some user setup to be made.
RLS in a tabular model is based in Role definitions. Each role has a unique name and the role typically defines:
- Included members
- RLS filter expressions
The RLS filter is a DAX expression that will basically compare the current user with a table of users that contains info about permissions for each user.
The user->permission handling is built into the models. The information is retrieved from IFS Cloud.
Even if users are defined in IFS Cloud to be part of a company, defined as GL users, project members, site members etc., these users will not by default get access. Only users that are defined on the AD User Mappings page will be considered by the different RLS implementations.
The reason is to make sure that the IFS user identity, also called Fnd User, is correctly mapped to an AD user that a tabular model can retrieve via DAX functions as USERNAME() and USERPRINCIPLENAME().
For many installations, the AD User Identity will be represented by the UPN, i.e. the User Principle Name. The UPN for the user then needs to be mapped to the Fnd User identity. If the principle name is used, then the DAX filter must use the function USERPRINCIPLENAME().
For same installations it will be possible to also use a domain name as e.g. <domain>\<userid> as the AD User Identity. If the domain user name is used, then the DAX filter must use the function USERNAME().
For the Employee Analysis tabular model, the necessary access related information should be generated and stored in a table. This approach was taken to minimize the time taken for the access detail data load. A background job should be created to accomplish this and for more information please refer to Refresh and Re Generate AD User Access for Employees. To generate access for a selected set of users at any time use the Generate Access command.