Working with unusual requirements here (well, not a common one at least).
In our model, cost center security is user-driven rather than a group. The business is adamant that we can't logically group cost centers to use vanilla group security. There are about 500 cost-centers and as you can imagine having 500 groups would be a nightmare!
I have got a cost center/user relationship table and my idea is to create a lookup cube to store that data. Then use a cut-down cell-security cube with CellSecurityCubeCreate to only include cost-center (possible version too) that way avoiding a need to run Security Refresh upon any changes. This cube would have a rule along the line of [ 'value' ] = S: ( IF ( 'lookup cube', TM1USER, !Cost_Centre ) <>"", Permission, STET ), basically creating a user driven-security.
Not having to do this in the past, I am looking for feedback from others in particular to:
- What is the performance overhead of having to evaluate the IF statement each time?
- What is the performance overhead of the cell security having to do a recalculation every time a user selects a new cost center/ a bunch of cost centers, given that strings are never cached in the memory?
- Is there any known issue with using TM1USER in rules? I usually avoided this function in the past in rules
- Any potential locking issue with the cell security cube referencing a lookup cube and turning it into a single reader?
ET