Stephan Freudl's picture

In the third post of the MashZone/ ARIS PPM series I want to stress security. Imagine your process warehouse is continuously filled with order processing transactions from all over the world. ARIS PPM could be configured in a way it extracts data from various sources and systems. The result is a recording of all business transactions of the last quarter, year or decade. Each transaction could be like this:

Monday, April 16th 10:00 a.m. a blue sports car has been sold to a 27 year old male (customer id 0815) in Denver, CO by Mrs. Smith. The car has been financed by credit “young & flexible” at 400 USD/month running for five years.

Inspecting such transaction carefully we find many categories in there which enable ARIS PPM users to gather powerful insights. There is information about

  • Time – when did the transaction happen?
  • Car’s type, color – what’s the favorite product?
  • Customer type– which combinations are successful for which audiences?
  • Customer id – this enables us to answer questions like is this a first-time customer?
  • Dealer location – where was the car sold and who did this?
  • Credit type, rate, duration – what about discounts, when did we receive payments…

So, the data being stored inside the process warehouse is dimensionalized. Having – for instance – the dimension dealer location available we are able to benchmark locations, e.g. compare U.S. sales with European. Add the time dimension and trends become available.

Being that powerful one might want to add security, so results are only partly visible. The system should guarantee that a sales dashboard reveals data for the region an employee works in, only. An employee from the U.S. must not see sales figures from Europe and vice versa.
ARIS PPM 5.1 and MashZone 2.2 support data level security.

How to implement this? Well, ARIS PPM enables us to define access control lists for individual dimension values. This is comparable to a filter which is enforced by administrators of the process warehouse.  Effectively it provides a tool to hide certain aspects of your data from certain users. The image below illustrates how to tell ARIS PPM that one user group is eligible to see transactions from the U.S., only.

We often see ARIS PPM as well as MashZone being connected with LDAP – the company wide directory service. Based on this ARIS PPM administrators are able to utilize existing organizational structures, such as eMail distribution lists or security groups to grant or revoke access for given dimension values, their associated transactions as well as KPI values.

Now, having a shared user management, MashZone is able to take advantage. Of course one could define an individual dashboard per region, but this increases maintenance efforts. Instead we could build one MashApp, having ARIS PPM as a data source, and let the data source decide which values to reveal. KPI values, goal accomplishments, trends and any other calculation will be dependent on the current user of MashZone.

In order to fulfill such requirement the data source, of course, needs knowledge about the person who is currently using the MashApp. At the moment this is a feature which is exclusively available for the ARIS PPM data source.

When installing MashZone make sure the “Use external user management” option has been enabled.

This setting delegates user management to a MashZone external entity – to ARIS PPM.

At design time – when a MashApp is authored – the ARIS PPM chart as well as ARIS PPM data source offers two authentication options.  First, a constant user name which is reused by every MashApp user and, second, a new option called “Current user”.

At runtime when looking onto MashApps it just feels right. Depending on the user name which has been specified in MashZone’s login procedure each chart is automatically filtered according to the rights which have been granted in advance.