lab 04 - hfm 11.1.2.2 security -...

Qubix International Limited – Hyperion HFM Bootcamp

31st January 2013

Author: Saravanan Singaravadivelan

Qubix International Limited

Highclere House 5 High Street, Knaphill

Surrey, GU21 2PG Tel: +44 (0) 1483 480222


CONTENTS

4 SECURITY ................................................................................................................. 4

4.1 SECTION OBJECTIVES ...................................................................................................................... 4 4.2 SECURITY ..................................................................................................................................... 4 4.2.1 Creating Users and Groups ................................................................................................ 4 4.2.2 Provisioning Groups (or Users) ........................................................................................... 8 4.2.3 Creating and Assigning Classes ........................................................................................ 11 4.2.4 Extract and Load security using Classic method .............................................................. 15

4.3 LIFE CYCLE MANAGEMENT............................................................................................................. 18 4.3.1 Extract Artifacts ............................................................................................................... 18 4.3.2 Load Artifacts ................................................................................................................... 21


4 SECURITY

4.1 SECTION OBJECTIVES

The focus of this Chapter is to review the main components of Shared Services. There are two main

components to Shared Services: Security and Life Cycle Management. Security is managed within

Hyperion Shared Services. The chapter discusses provisioning users to log into the application and

once they do restricting what they can or cannot do. After provisioning the chapter discusses

limiting the members users can see and/or modify.

Life Cycle Management is a tool that can be used to migrate application components from one

application to another.

At the end of this section, you will be able to:

Create Users & Groups and assign Users to Groups

Provision Users & Groups

Create and assign classes to application elements

Use text file to upload security

Migrate applications using Life Cycle Management

4.2 SECURITY

4.2.1 CREATING USERS AND GROUPS

Users are typically provisioned using their network IDs – the connection between Hyperion and the active directory or LDAP server is established during the software installation. Alternatively, IDs may be created “natively” within Shared Services.


1. From in Workspace, click on the Navigate > Administer > Shared Services Console, or open a new internet explorer window and open Oracle EPM Shared Services from the list of shortcuts.

2. Open up the User Directories > Native Directory > Users node as show above.

3. Click on File > New, or the New icon .

4. Enter values as per the screen shot below, Password – “europe” and click the Save button.

5. Now create 2 additional users as below.

User Name Password Description

usa usa USA User

uk uk UK User


Next we need to provision these users to have access to any of the Hyperion Products they are likely to require. In this instance we are going to give them access to our QBCCONSOL HFM Application. We can do this individually or we can create a group which we provision, and add individual users to the group. Individual Provisioning will supersede any group provisioning. The Provisioning process works in exactly the same fashion whether it is being applied to a group or an individual.

Groups can be established within Shared Services and then provisioned for access. One set of groups may control role assignments and another set of groups may control entity access. Groups are typically created and maintained within Shared Services with the user IDs from the network being placed into the groups. Alternatively network groups can be provisioned within Shared Services; however, the Hyperion administrator will typically have no control or visibility as to who are in the groups. Also monitoring the software licenses could be impaired.

6. Click on Groups, and File > New.

7. Create a Group as per the screen shot below.

8. Once we have named the group and given a description (description not mandatory, but useful), click Next.


Note that tab 2 allows for Groups to be nested into groups should it be required

9. Click Next and this will take you to the User Members tab.

10. Add our user to the Group as per the screen shot below.


11. Click on Save. The Status Message window displays ‐ Group 'HFMEurope' created. Click OK button

12. Repeat steps 6‐11 to create the following groups.

Name Description User(s) in Group Use

HFMUSA USA HFM User Group usa To control access to USA entities

HFMUK UK HFM User Group uk To control access to UK entities

HFMUsers HFM User Group europe, usa, uk To control roles assignment for Users

4.2.2 PROVISIONING GROUPS (OR USERS)

When provisioning users or groups the administrator grants specific roles to the users. For example,

a user or group may be provisioned to create journals but not post them. Users are typically divided

into groups based upon role that reflects both the product licensing and the controls/procedures

that apply to the users.

13. On Shared Services Console, expand User Directories > Native Directory > Groups node and click on Search button.


14. Right click on HFMUsers group and select Provision.

15. Expand Default Application Group > QBCCONSOL > Application Administrator.


16. You can now select the role(s) that are appropriate for the user, moving them over to the pane on the right.

The administrator is generally flagged to be Provisioning Manager (unless there is a segregation of

duties required between managing security and managing the application) and Application

Administrator. End users typically are set up with something as shown below: the required controls

and processes will help determine the appropriate settings.


17. When done, click on Save.

18. Click on OK.

19. Repeat steps 155‐160 for groups HFMEurope, HFMUSA and HFMUK, but provisioning them only for the role Default.

4.2.3 CREATING AND ASSIGNING CLASSES

20. On Shared Services Console, expand Application Groups > FM node, right click on QBCCONSOL and select Assign Access Control.


21. On the first tab, Select Users and Groups, select Groups and click on Show All.

22. Select HFMEurope, HFMUSA, HFMUK and HFMUsers groups and move them to the right pane.

23. On the second tab, Select Classes, type Europe in the Class Name box and click on Add.


24. Repeat the previous step to add USA class.

25. Select [Default], Europe and USA classes just created and move them to the right pane.

26. On the third tab, Assign Access, select intersection between HFMEurope group and Europe class. Select All from the Access Rights dropdown menu and click on

the button to apply the access right.

27. Apply the same right to the correct intersection for USA.


28. Fill the info for the [Default] class as below.

29. Click on Save button.

30. The last tab, Security Reports, allows you to report on the groups and users granted access and it is typically required by auditors.

31. Select Users by Groups, PDF format and click on Launch Report .


4.2.4 EXTRACT AND LOAD SECURITY USING CLASSIC METHOD

If working with a Classic application there is another way to set up security. Manually adding each component one at a time through the web interface may take a while. Security can be extracted out of the application, modified in a text file, and then reloaded.

32. Select Security from the Consolidate Extract Application Elements menu in the web.

33. Click on the Extract at the top of the screen

34. Click on Download at the bottom and browse to D:\1HFMBootcamp\Security\, then give the file the filename QBCConsol Security – Lab Exercise.sec and click on Save.


35. Launch Textpad and open the file just saved.

36. The file shows the 4 groups and the 2 classes, the groups provisioning and the security access we have defined earlier in the exercise.

37. Highlight the security class USA, right click and select Copy.


38. Paste the copied line at the bottom of the !SECURITY_CLASSES section.

39. Modify the new line to UK and click on Save.

40. Select Consolidation Load Application Elements and the Security part on it.

41. Click on the Browse icon , browse to D:\1HFMBootcamp\Security\

42. Select the file with the filename QBCConsol Security – Lab Exercise.sec and click on Open.

43. Leave everything else ticked and click on Load at the top of the screen.

44. The updated security file has now been loaded onto the system.


4.3 LIFE CYCLE MANAGEMENT

Lifecycle management is a component of Shared Services that provides a mechanism of moving artifacts – web data entry forms, for example – from one application to another. In prior versions items required extracting and loading. The ability to use Lifecycle Management is controlled via a unique role for which the user must be provisioned.

4.3.1 EXTRACT ARTIFACTS

45. Within Shared Service Console, expand Application Groups > Default Application Group node, and select QBCCONSOL. You will be presented with a list of Artifacts for our application.

46. Expand categories such as Dimensions, Forms and Security to explore level of detail available for HFM application artifacts.


47. Click on the Select All button, and all the artefacts will be selected.

48. Select the Export button.

49. Provide the File System Folder Name as QBCCONSOL

50. Next we are given the Migration Status Report.


51. If you get any errors, you can click on the status message to display the detail of the error.

52. When done, click on Cancel at the bottom of the screen.

53. The default destination on the Shared Services computer is C:\Oracle\Middleware\user_projects\epmsystem1\import_export.

54. Open QBCCONSOL\HFM‐QBCCONSOL\resources folder.

55. This folder will list all the folders related to the artifacts we extracted earlier.

Note: If we want to restore from this file export to an application it is necessary to save a copy of the Migration definition file. This xml file and the resultant folder which is created during execution will need to be copied to the target system and opened in the target system shared services. The target application must pre‐exist, and have identical year, time and currency dimensionality to the application being restored from the LCM files.


4.3.2 LOAD ARTIFACTS

56. Within Shared Service Console, expand File System node, and select QBCCONSOL Group and Select HFM‐QBCCONSOL. You will be presented with a list of Artifacts available for load.

57. Click on Select All button or manually select the Artifacts you want to load and Click Import.

58. Choose the Destination Application and Click Import.


59. Select Administration Migration Status Report.

60. The status is now on Completed, which means the load has completed successfully and all artifacts have been loaded onto the application.

lab 04 - hfm 11.1.2.2 security -...

Documents