FAQ: Hide Sensitive Labor Data

Q. What does enabling Can View Sensitive Columns do?

A. If you enable Can view Sensitive Columns, the user can see columns marked as sensitive on Labor line item table schema. This is applies to both the Labor tab and the Summary tab.

If the user does not have Can View Sensitive Columns enabled for a Cost Object, then the user cannot view sensitive columns for that Object or for any of that Cost Object's parent or child Cost Objects.

Q. What does enabling Can View Sensitive Financials do?

A. If you enable Can view Sensitive Financials, the user can view Financials which are generated by the Labor line. In the Summary tab, they can see read-only generated Labor line items for the Cost Object.

If the user does not have Can View Sensitive Financials enabled for a cost object, the user cannot view any Labor Generated Financials for that Cost Object. This means the values are missing from KPIs, Charts, Tables, Exports, and any operation that pulls data from the database.

Q. What happens if I enable Can View Sensitive Columns but not Can View Sensitive Financials?

A. If a user has permission to view sensitive columns but doesn’t have permission to view sensitive Financials, they will be able to view lines on the Labor tab but won’t be able to see generated labor line items on the Summary tab.

Figure 1: Grant a user access to sensitive labor data

Q. Can a user export values from sensitive columns if they don't have permission to view them?

A. No. If a user exports the values for a Cost Object, and they do not have permission to view sensitive columns for that Cost Object, IT Planning will only export the columns which they have permissions to view.

Q. Can a user import values into sensitive columns if they don't have permission to view them?

A. No. If a user tries to import values for a Cost Object by using the Replace all option, the import fails and an error message is displayed.

To import values into the columns which they have permission to view, a user can still use the Append option.

Q. How do I set a column to Sensitive Data or Mandatory for Data Entry?

A. Do the following:

1. Navigate to Configuration > Schema > Line Items > Labor and select the column Attribute.

   

2. In the Edit System Attribute dialog, select either Mandatory for Data Entry or Sensitive Data then select Save.

Q. Can a column be set to bothMandatory for Data Entry and Sensitive Data?

A. No. If a column is set to either Mandatory for Data Entry or Sensitive Data, it cannot be set to the other.

Q. If a public layout includes a sensitive column, can the column be viewed in the layout by a user who doesn't have permission to view that column?

A. No. Sensitive data permissions are applied across all layouts, so the user will not be able to see the sensitive column when they view the layout.

Q. If a filter or grouping is applied to a sensitive column, and a user cannot view sensitive columns, does this affect what the user can see?

A. If a user does not have permission to view a column, any filters or groupings applied to that column are removed.

Q. If a user has an Admin or Budget Process Owner role, do they automatically see the sensitive data?

A. All users have permission to view Sensitive Data Columns by default, unless this permission is removed in the Cost Object Permissions. Like any other user, if an Admin or Budget Process Owner has the permission to view Sensitive Data Columns removed in the Cost Object Permissions, they will not be able to see that sensitive data.

Q. If a cost center owner has access to a leaf project and a leaf department, can they have permissions to view Sensitive Data Columns for one but not the other?

A. Yes. For example, if the cost center owner has permission to view sensitive data in the project but not the department, they can view a sensitive column from the project side but not the department side.

Q. If an admin does not have permission to view Sensitive Data Columns, can they publish data from sensitive columns to Costing Standard?

A. No. An admin may only publish data from Sensitive Data Columns to Costing Standard if they have permission to view Sensitive Data Columns.

Q: If an Admin does not have permission to view generated Financials for a Department Cost Object, what happens when they publish to Costing Standard?

A: The generated financials they do not have access to will be omitted from the publish to Cost Transparency.

Q: If an Admin does not have permission to view Sensitive Data Columns for a leaf Department Cost Object, what happens when they publish to Costing Standard at an All Departments level?

A: None of the data in the sensitive columns will be published to Costing Standard.

For example, a user is viewing a Cost Object (Cost Object A). The user does not have permission to view Sensitive Data Columns, and a child Cost Object of Cost Object A (Cost Object A1) has a column set to Sensitive Data Column. Planning hides this column from the user when they view Cost Object A. This is because Planning can only hide an entire column; it cannot hide the specific cells belonging to a child Cost Object.

If a user does not have permission to view a column, they cannot export it to CSV or publish it to Costing Standard.

Q. If Enforce View Permissions is disabled, do restrictions on Sensitive Data Columns still apply?

A. Yes. If a Cost Object has Sensitive Data Columns permissions configured, then these restrictions apply regardless of whether Enforce View Permissions is enabled or disabled.

Q. Can a Delegation column be marked as sensitive?

A. No. A Delegation column can always be viewed by all users.

Q. Does using sensitive data permissions reduce performance noticeably?

A. No. Although applying permissions to sensitive data requires running a query on the Cost Object Hierarchy, this is a single query and should not be noticeable to users.

Q. Can the user tell if the data they are seeing hides sensitive columns or Financials?

A. No. The user cannot tell if there is additional data which they do not have permission to see.

Q. What happens if Base Compensation is marked as Sensitive Data?

A. If Base Compensation is marked as Sensitive Data, a user who does not have permission to view Sensitive Data Columns will not be able to view any Financials for the Cost Object, including Fiscal Year (FY) Totals.

Q. If a user has different permissions for a parent and a child Cost Objects, which set of permissions is applied?

A. If a user does not have permissions to view sensitive data for a child Cost Object, they will not be able to view the column or Financial in the parent Object. This is because sensitive columns and Financials in parent Cost Objects aggregate data from child Objects, and it is not possible to display data accurately in the parent Object if the data from a child Object is excluded.

Q. If a user has different sensitive data permissions for a higher and lower Cost Objects levels, which set of permissions is applied?

A. A cost center user can be given access to view sensitive labor expense data at a lower cost object level where the user has view/edit cost object access, while preventing the same user access to view sensitive labor expense data at a higher cost object level even though the user has view/edit cost object access at a higher cost object level.