Access Rights on Scenarios

  • 18 April 2024
  • 0 replies

Userlevel 4
Badge +3

When working in Scenarios in Pigment, data security can be enhanced by restricting Access Rights on Scenarios to specific Members based on their Roles within the Application. Scenarios data will be restricted and the names are only displayed in the Page Selectors on Views and Boards for certain Members with assigned access rights. This allows you to keep the data on specific Scenarios private, and also makes it easier to find and select relevant Scenarios for those users on a View or Board. 


You need to be a Workspace Security Admin Account Type in order to define access rights on all Scenarios. You also need Display Application permission on the specific Application in order to manage the access to Shared Scenarios on those apps.


Here’s an example of how you’d use restricted Scenarios. Let’s say you want to develop a Scenario for Workforce and Opex planning applications where the potential to-be-hired is increased by 20%. You want to develop this Scenario privately before sharing it with non-modeling users, but you still want to share with other Admins. To do this, you’d create a shared Scenario and set access permissions to None for all roles except for Admins across both applications. This way your Workforce and Opex planning is open to some collaboration, but still remains exclusive until it’s ready to disclose to your entire team! 

Required Reading 

It’s recommended that you have a good understanding of Scenarios before adjusting Access Rights. Here are some useful topics for you:  

If you need a primer on Access Rights, we also have you covered. Check out Understanding Access Rights


Considerations for Scenario Access Rights

Access rights in Scenarios interact with different areas of Pigment, for example importing and inputting data. Here are some considerations before you start: 

Working with Default Scenarios 

Default Scenarios are straightforward: regular access rights will apply to a Default Scenario. You cannot apply Scenario-specific access rights per Role onto a Default Scenario. 

When you create any new non-Default Scenario, its access rights will be based on its source Scenario.

Activating scenarios in your Application

When first activating the scenarios feature in your Application, you will see all shared scenarios in the workspace (more details in this article). However the access rights on already created shared scenarios will be None until updated. 

Inputting data 

If you toggle on the Inputs and imports populate data across all Scenarios setting, any restricted Access Rights on a Scenario for inputting data will not apply. This setting will only take the regular access rights applied on the Default Scenario into consideration. More information on this setting is available here.  

Importing data

If the Access Right on a Scenario is set to No Write for the Role of the member importing data, then the member will be unable to import data into that Scenario in the application. However, if you toggle on the Inputs and imports populate data across all Scenarios setting for a Metric, the Access Rights for that Block’s Default Scenario will apply. 

If the Access Right on a Scenario is No Write for an Admin, the Admin will be unable to import data into that Scenario, even if the Apply Access Rights to Admins Importing data setting is toggled on. The assigned Scenario Access Right will thus apply. More information on that setting is available here

Handling privacy for scenario names

First of all, it’s generally a good practice to remove any sensitive information from a Scenario name to ensure data privacy and security. Privacy is priority, right? 

Scenario names are only hidden in Page Selectors on Boards and Views. Even if you change the access rights in a Scenario, Scenario names remain visible in the platform. However, if you have certain permissions, there are places in Pigment where its name is visible, even if the access set to None.

These are described in more detail below: 

Pigment location where Scenario name is visible Permission

Formula bar and formula groups

Block settings


Configure Blocks
Scenario Management Page in Application Settings Create Scenarios
Application History and Block History View History
Snapshot creation Builder Account Type
Access Rights in Block Settings: View Detailed Access by Member Can Define Security

Block Explorer

Dependency Diagram

Open Block Explorer
Import configuration Import data
Application Variables Configure Application
Pigment Connector for Excel and Pigment Connector for GSheets  -


If a Member has access of None assigned to their Role in the application, they’re unable to view Metric data for that Scenario. In Page Selectors on Boards and Views, that is on a Block, Scenarios labeled as None for the Role are not displayed to users with restricted access.


Read-only Scenarios

When you work with read-only Scenarios (set as read-only through the scenario selector), and assign Read-only (Read / No Write) access rights to a Scenario, both options allow you to prevent input and imports into your Scenario

But here’s where these two options are different: 

  • When you make a Scenario Read-only through the Scenario selector, this applies across all Roles and Metrics in the application.
  • When you apply access rights in a Scenario, this is applied to Application Roles within the application. For shared scenarios, access must be defined when the Scenario is created for each application where it will be used.
  • In an Application where you have restrictions through the Scenario selector and through Access Rights, the strictest restrictions are implemented.
    For example, if the Access Rights in a Scenario are set to None, this is applied at Role level. This means that users that have no access can’t see the Scenario, and therefore can’t change the Scenario to Read-only using the Scenario selector.
    If the Scenario is set to Read-only through the Scenario selector, but the access rights are Read and Write, the Scenario is still Read-only within that Application and in any other Applications where it’s shared.

Scenario access rights and regular access rights 

Scenario access rights function similar to regular access rights in that they control what data you can view (Read) and input (Write) in the Metric's scenario. However, updates to formulas can still affect the data in the Block. This is controlled by the Configure Blocks permission, not by data access rights.

When you create or update access rights for a Scenario, these access rights will take precedence over regular access rights. Unlike in regular access rights, you can’t create additional rules in Scenarios to work together in combination - it is only defined for the Role for the application member. Scenarios access rights are applied at Scenario level for all Metrics using that Scenario. Regular access rights are only used for the Default Scenario.

Imagine you are using Scenarios in your Application with the following access rights setup:

  • Default Scenario. The access rights are set to Read/Write.
  • Scenario A. The Scenarios access rights are set to Read-only for the Role “Contributor”

You also have regular access rights for the following: 

  • Metric1. Access rights are set to NoRead/NoWrite 
  • Metric2. Access rights are set to Read/Write. 

When Scenario A is used in Metric1 and Metric2, the specified access rights in Scenario A override the regular access rights for the Contributor Role: 

  • Metric1. Access rights are updated to NoRead/NoWrite.
  • Metric2. Access rights are updated to Read/NoWrite. 

If you choose not to use Scenario A in Metric1 and Metric2, the regular access rights will apply for data on those blocks:

  • Metric1. NoRead/NoWrite
  • Metric2. Read/Write

Ready to start creating new Access Rights for your Scenarios? Great! Next step:  


0 replies

Be the first to reply!