lab 04 - hfm 11.1.2.2 security -...
TRANSCRIPT
Qubix International Limited – Hyperion HFM Bootcamp Page 2
31st January 2013
Author: Saravanan Singaravadivelan
Qubix International Limited
Highclere House 5 High Street, Knaphill
Surrey, GU21 2PG Tel: +44 (0) 1483 480222
Qubix International Limited – Hyperion HFM Bootcamp Page 3
CONTENTS
4 SECURITY ................................................................................................................. 4
4.1 SECTION OBJECTIVES ...................................................................................................................... 4 4.2 SECURITY ..................................................................................................................................... 4 4.2.1 Creating Users and Groups ................................................................................................ 4 4.2.2 Provisioning Groups (or Users) ........................................................................................... 8 4.2.3 Creating and Assigning Classes ........................................................................................ 11 4.2.4 Extract and Load security using Classic method .............................................................. 15
4.3 LIFE CYCLE MANAGEMENT............................................................................................................. 18 4.3.1 Extract Artifacts ............................................................................................................... 18 4.3.2 Load Artifacts ................................................................................................................... 21
Qubix International Limited – Hyperion HFM Bootcamp Page 4
4 SECURITY
4.1 SECTION OBJECTIVES
The focus of this Chapter is to review the main components of Shared Services. There are two main
components to Shared Services: Security and Life Cycle Management. Security is managed within
Hyperion Shared Services. The chapter discusses provisioning users to log into the application and
once they do restricting what they can or cannot do. After provisioning the chapter discusses
limiting the members users can see and/or modify.
Life Cycle Management is a tool that can be used to migrate application components from one
application to another.
At the end of this section, you will be able to:
Create Users & Groups and assign Users to Groups
Provision Users & Groups
Create and assign classes to application elements
Use text file to upload security
Migrate applications using Life Cycle Management
4.2 SECURITY
4.2.1 CREATING USERS AND GROUPS
Users are typically provisioned using their network IDs – the connection between Hyperion and the active directory or LDAP server is established during the software installation. Alternatively, IDs may be created “natively” within Shared Services.
Qubix International Limited – Hyperion HFM Bootcamp Page 5
1. From in Workspace, click on the Navigate > Administer > Shared Services Console, or open a new internet explorer window and open Oracle EPM Shared Services from the list of shortcuts.
2. Open up the User Directories > Native Directory > Users node as show above.
3. Click on File > New, or the New icon .
4. Enter values as per the screen shot below, Password – “europe” and click the Save button.
5. Now create 2 additional users as below.
User Name Password Description
usa usa USA User
uk uk UK User
Qubix International Limited – Hyperion HFM Bootcamp Page 6
Next we need to provision these users to have access to any of the Hyperion Products they are likely to require. In this instance we are going to give them access to our QBCCONSOL HFM Application. We can do this individually or we can create a group which we provision, and add individual users to the group. Individual Provisioning will supersede any group provisioning. The Provisioning process works in exactly the same fashion whether it is being applied to a group or an individual.
Groups can be established within Shared Services and then provisioned for access. One set of groups may control role assignments and another set of groups may control entity access. Groups are typically created and maintained within Shared Services with the user IDs from the network being placed into the groups. Alternatively network groups can be provisioned within Shared Services; however, the Hyperion administrator will typically have no control or visibility as to who are in the groups. Also monitoring the software licenses could be impaired.
6. Click on Groups, and File > New.
7. Create a Group as per the screen shot below.
8. Once we have named the group and given a description (description not mandatory, but useful), click Next.
Qubix International Limited – Hyperion HFM Bootcamp Page 7
Note that tab 2 allows for Groups to be nested into groups should it be required
9. Click Next and this will take you to the User Members tab.
10. Add our user to the Group as per the screen shot below.
Qubix International Limited – Hyperion HFM Bootcamp Page 8
11. Click on Save. The Status Message window displays ‐ Group 'HFMEurope' created. Click OK button
12. Repeat steps 6‐11 to create the following groups.
Name Description User(s) in Group Use
HFMUSA USA HFM User Group usa To control access to USA entities
HFMUK UK HFM User Group uk To control access to UK entities
HFMUsers HFM User Group europe, usa, uk To control roles assignment for Users
4.2.2 PROVISIONING GROUPS (OR USERS)
When provisioning users or groups the administrator grants specific roles to the users. For example,
a user or group may be provisioned to create journals but not post them. Users are typically divided
into groups based upon role that reflects both the product licensing and the controls/procedures
that apply to the users.
13. On Shared Services Console, expand User Directories > Native Directory > Groups node and click on Search button.
Qubix International Limited – Hyperion HFM Bootcamp Page 9
14. Right click on HFMUsers group and select Provision.
15. Expand Default Application Group > QBCCONSOL > Application Administrator.
Qubix International Limited – Hyperion HFM Bootcamp Page 10
16. You can now select the role(s) that are appropriate for the user, moving them over to the pane on the right.
The administrator is generally flagged to be Provisioning Manager (unless there is a segregation of
duties required between managing security and managing the application) and Application
Administrator. End users typically are set up with something as shown below: the required controls
and processes will help determine the appropriate settings.
Qubix International Limited – Hyperion HFM Bootcamp Page 11
17. When done, click on Save.
18. Click on OK.
19. Repeat steps 155‐160 for groups HFMEurope, HFMUSA and HFMUK, but provisioning them only for the role Default.
4.2.3 CREATING AND ASSIGNING CLASSES
20. On Shared Services Console, expand Application Groups > FM node, right click on QBCCONSOL and select Assign Access Control.
Qubix International Limited – Hyperion HFM Bootcamp Page 12
21. On the first tab, Select Users and Groups, select Groups and click on Show All.
22. Select HFMEurope, HFMUSA, HFMUK and HFMUsers groups and move them to the right pane.
23. On the second tab, Select Classes, type Europe in the Class Name box and click on Add.
Qubix International Limited – Hyperion HFM Bootcamp Page 13
24. Repeat the previous step to add USA class.
25. Select [Default], Europe and USA classes just created and move them to the right pane.
26. On the third tab, Assign Access, select intersection between HFMEurope group and Europe class. Select All from the Access Rights dropdown menu and click on
the button to apply the access right.
27. Apply the same right to the correct intersection for USA.
Qubix International Limited – Hyperion HFM Bootcamp Page 14
28. Fill the info for the [Default] class as below.
29. Click on Save button.
30. The last tab, Security Reports, allows you to report on the groups and users granted access and it is typically required by auditors.
31. Select Users by Groups, PDF format and click on Launch Report .
Qubix International Limited – Hyperion HFM Bootcamp Page 15
4.2.4 EXTRACT AND LOAD SECURITY USING CLASSIC METHOD
If working with a Classic application there is another way to set up security. Manually adding each component one at a time through the web interface may take a while. Security can be extracted out of the application, modified in a text file, and then reloaded.
32. Select Security from the Consolidate Extract Application Elements menu in the web.
33. Click on the Extract at the top of the screen
34. Click on Download at the bottom and browse to D:\1HFMBootcamp\Security\, then give the file the filename QBCConsol Security – Lab Exercise.sec and click on Save.
Qubix International Limited – Hyperion HFM Bootcamp Page 16
35. Launch Textpad and open the file just saved.
36. The file shows the 4 groups and the 2 classes, the groups provisioning and the security access we have defined earlier in the exercise.
37. Highlight the security class USA, right click and select Copy.
Qubix International Limited – Hyperion HFM Bootcamp Page 17
38. Paste the copied line at the bottom of the !SECURITY_CLASSES section.
39. Modify the new line to UK and click on Save.
40. Select Consolidation Load Application Elements and the Security part on it.
41. Click on the Browse icon , browse to D:\1HFMBootcamp\Security\
42. Select the file with the filename QBCConsol Security – Lab Exercise.sec and click on Open.
43. Leave everything else ticked and click on Load at the top of the screen.
44. The updated security file has now been loaded onto the system.
Qubix International Limited – Hyperion HFM Bootcamp Page 18
4.3 LIFE CYCLE MANAGEMENT
Lifecycle management is a component of Shared Services that provides a mechanism of moving artifacts – web data entry forms, for example – from one application to another. In prior versions items required extracting and loading. The ability to use Lifecycle Management is controlled via a unique role for which the user must be provisioned.
4.3.1 EXTRACT ARTIFACTS
45. Within Shared Service Console, expand Application Groups > Default Application Group node, and select QBCCONSOL. You will be presented with a list of Artifacts for our application.
46. Expand categories such as Dimensions, Forms and Security to explore level of detail available for HFM application artifacts.
Qubix International Limited – Hyperion HFM Bootcamp Page 19
47. Click on the Select All button, and all the artefacts will be selected.
48. Select the Export button.
49. Provide the File System Folder Name as QBCCONSOL
50. Next we are given the Migration Status Report.
Qubix International Limited – Hyperion HFM Bootcamp Page 20
51. If you get any errors, you can click on the status message to display the detail of the error.
52. When done, click on Cancel at the bottom of the screen.
53. The default destination on the Shared Services computer is C:\Oracle\Middleware\user_projects\epmsystem1\import_export.
54. Open QBCCONSOL\HFM‐QBCCONSOL\resources folder.
55. This folder will list all the folders related to the artifacts we extracted earlier.
Note: If we want to restore from this file export to an application it is necessary to save a copy of the Migration definition file. This xml file and the resultant folder which is created during execution will need to be copied to the target system and opened in the target system shared services. The target application must pre‐exist, and have identical year, time and currency dimensionality to the application being restored from the LCM files.
Qubix International Limited – Hyperion HFM Bootcamp Page 21
4.3.2 LOAD ARTIFACTS
56. Within Shared Service Console, expand File System node, and select QBCCONSOL Group and Select HFM‐QBCCONSOL. You will be presented with a list of Artifacts available for load.
57. Click on Select All button or manually select the Artifacts you want to load and Click Import.
58. Choose the Destination Application and Click Import.
Qubix International Limited – Hyperion HFM Bootcamp Page 22
59. Select Administration Migration Status Report.
60. The status is now on Completed, which means the load has completed successfully and all artifacts have been loaded onto the application.