Skip to content

Planning Analytics Security

Last updated: 17 Jun 2025

ControlWORQ & Planning Analytics Security

ControlWORQ stores its settings and application data/audit logs using a combination of a Planning Analytics Server and a SQL Server relational database. The ControlWORQ Server application maintains the required access to the SQL Server database but relies on user credentials when performing any operations such as posting journal entries or retrieving report data.

This topic covers some of the basic elements of ControlWORQ and Planning Analytics Security, which apply to all ControlWORQ applications, including the Web and Excel clients. In addition, ControlWORQ administrators can assign additional ControlWORQ roles to users, restricting the operations that they can perform on one or more of the Planning Analytics cubes configured for use with ControlWORQ.

Planning Analytics Security Considerations

ControlWORQ is designed to work with Planning Analytics, allowing users to, for example, post journal entries in a controlled fashion to Planning Analytics cubes. In addition, ControlWORQ uses other Planning Analytics objects like subsets, element attributes, etc to store additional metadata and settings used by ControlWORQ and its user interfaces. Therefore, ControlWORQ users may need some of the following Planning Analytics security permissions in order to use ControlWORQ features:

  • Read access to cubes and related dimensions, element attributes: Required in order to use all available features of ControlWORQ for a given cube.
  • Write access to cubes: Required in order to post journal entries to a given cube.

ControlWORQ security works in conjunction with Planning Analytics security, not as a replacement. Users must have appropriate Planning Analytics permissions in addition to ControlWORQ roles to perform their assigned functions effectively.

Info

Users do not need to have global Write or Read access to a given cube and its dimensions in order to use ControlWORQ with that cube. For example, if a user is only allowed to view/post entries in one legal entity, Planning Analytics element security can be defined in a manner that supports this because ControlWORQ always honors a user's Planning Analytics Security, without exception, and will not show data in journal entries or allow the creation/posting of entries that are outside of that entity.

ControlWORQ User Roles

ControlWORQ users must be defined in ControlWORQ and given access to one or more of the following roles for each cube to which they need access. Only ControlWORQ Administrators can add ControlWORQ users and assign roles to those users. The following defines ControlWORQ's available cube roles, which can be assigned to ControlWORQ users:

Save

  • A user with this role can create new entries in ControlWORQ, as well as update any entries currently in a "Saved" status.
  • Users with the Save role can also view any other "Approved" or "Posted" entries.

Delete

  • This allows a user to delete an entry that has not been "Posted" or "Reposted".

Approve & Approve Own

  • A user with this role can Approve entries in ControlWORQ that are in a "Saved" state, as well as view any entries.
  • A user cannot Approve entries that they created with this "Approve" role alone – in order to approve their own entries they would also need the "Approve Own" role.

Info

Only balanced entries can be Approved in ControlWORQ.

Post & Post Own

  • A user with this role can Post entries in ControlWORQ that are in an "Approved" state, as well as view any entries.
  • A user cannot Post entries that they originally Approved with the "Post" role alone – in order to post their own entries they would also need the "Post Own" role.

Info

Only balanced, approved entries can be Posted in ControlWORQ, and this Post operation updates Planning Analytics.

Unpost & Unpost Own (for Reposting)

  • A user with this role can Repost entries in ControlWORQ that are in a "Posted" state, but only using the ControlWORQ Excel client. Unposting is used by ControlWORQ to reverse the entry before reposting it, ensuring that the repost process is done in a controlled manner with detailed log information about the unpost/post operation.
  • A user cannot Repost entries that they originally Posted with the "Post" role alone – in order to repost their own posted entries they would also need the "Post Own" role.

Info

Only balanced, approved entries can be Reposted in ControlWORQ, and this Unpost operation updates Planning Analytics.

Security Best Practices

When implementing ControlWORQ security, consider the following best practices:

  • Segregation of duties: Assign different users to Save, Approve, and Post roles, if required by your internal controls.
  • Regular review: Periodically review user roles and permissions to ensure they remain appropriate.