Question:
Hello all,
From an Security auditing standpoint, has anyone ever tackled trying to assign business ownership to queries or InfoCubes/InfoAreas etc to assure that say a Finance role owner doesn't request a sensitive HR query without HR's knowledge..and ultimately Security assigns those authorizations and could be held responsible?
It's a very grey area, who would own the data inside particular cubes, because that data could come from many different areas and also the query itself would not necessarily pull that data.
Any thoughts?
Thanks.
Answer:
We do this routinely. Our cubes are owned by various "thread managers" and when workbooks (these have the queries) and their accompanying "access" roles (these have the cubes in them, among other things) are requested, they have to be approved. I even need feed back on what derivation to give out - our cubes are auth relevant on different characteristics (profit center, sales area, etc) so I don't necessarily know what role to assign unless it is run by someone in an authoritative role.
Not exactly a streamlined procedure, it takes time to get requests through, but we know the data is only viewed by approved folks.