Unleashing Hyperion Planning Security Using ODI

Ricardo Giampaoli – TeraCorp

Rodrigo Radtke de Souza - Dell

About the Speakers

Giampaoli, Ricardo

● Master in Business

Administration and IT

management

● Founder of TeraCorp

Consulting

● 18 year working with IT and

the last 8 years as an EPM

solution architect

● EPM training instructor

● Essbase/OBIEE/ODI

Certified Specialist

● Blogger @ devepm.com

Radtke, Rodrigo

● Graduated in Computer

Engineering

● Software Developer Advisor at

Dell

● Ten years working with IT and

the last five as ETL architect

● ODI, Oracle and Java Certified

● Blogger @ devepm.com

About

TeraCorp is a company specialized in products

and services focused on EPM

TeraCorp mission is to create innovate

solutions that helps people, businesses and

partners to exceed their goals reaching their full

potential.

Learn more @ www.teracorp.com.br/en

About TeraCorp

About

Knowledge on:

● ODI

● Hyperion Planning

● SQL

Pre-Requisites

Pre-Requisites

Agenda

Business Needs

Hyperion Planning Security

Hyperion Planning Repository

Building Solutions

Dell’s Environment

QA

Agenda

Business Needs

The Study Case

One Cube with an Entity dimension containing all 22000+ cost center in the world

Security must be granted in such way that an user from a region can only see data from their cost centers

The parents aggregation should display only the sum of data that the user has access

Cost center from different regions under the same parent

Cost center region defined by an attribute dimension

Hyperion Planning Security

Is Security Robust and Flexible?

● Cannot use attribute dimension to define security

Access control at Leaf level?

● How to provide and maintain security at leaf level in

dimensions with 22000 + cost centers?

● How to handle cost centers that change its region?

Use Microsoft Excel to generate all necessary

security combinations?

● What’s the cost to maintain such a file in a fast

changing business structure?

Planning Security

A Region dimension to split the data by the world regions and provide the right aggregation in parent levels.

Cost Center Region defined by an attribute dimension.● The EMEA users needs to have

access only to Cost Centers with support geography that belongs to SUPP_EMEA and only to the EMEA Region.

Aggregation Solution

Solution Choice

Read the Planning application repository to

dynamically build the Entity dimension security

based in the geography attributes and the

groups associated in the Entity Upper level

members

Security must be granted “bottom-up”

Security Solution

Solution Choice

The security must be granted for all users or groups in the

high level members (e.g. Entity gen1 or/and gen2 members).

The relation must be set as “Member”).

The Entity members attributes and the Support Geography

hierarchy

The users or groups names should have a relationship

between it and the attribute member.

Pre Requisites

Planning Security

Groups

All information exists in the Planning repository.

Seven tables were used to build this solution.

● Three security tables

● Three Attribute tables

● One object table

Planning Repository Overview

Planning Repository

Security is define using three tables:

● HSP_USERS

● Only used if an user is assigned directly to an object in

planning

● HSP_GROUP

● Only used if a group is assigned directly to an object in

planning

● HSP_ACCESS_CONTROL

● Is used to associate an user or group to an object and also

inform what access it will have to it and if this access will be

spread to its children or only on it

Security Tables

Planning Repository

Security Tables

Column Name Description

GROUP_ID

The group id that is created after an user that belongs to a

group login or a group is assigned to any object in Hyperion

planning.

SID The native or external directory ID

Column Name Description

USER_IDThe user id that is created after an user login or is assigned to

any object in Hyperion planning.

SID The native or external directory ID

HSP_USERS

HSP_GROUP

Planning Repository

Column Name Description

USER_IDThe user or the group id that is created after a group or an user is

assigned to any object in Hyperion planning.

OBJECT_ID The ID of the object that has been granted the security

ACCESS_MODE

The type of access that an user or a group can have on an object:

1 = Read 3 = ReadWrite -1 = Deny

FLAGS

Essbase access flag, determines if an user or a group has access

only to that object or to the hierarchy below it:

0

Member

5

@Children

6

@IChildren

8

@Descendants

9

@IDescendants

Security Tables

HSP_ACCESS_CONTROL

Planning Repository

Attributes is define using three tables:

● HSP_ATTRIBUTE_DIM

● Stores all attribute dimensions

● HSP_ATTRIBUTE_MEMBER

● Holds all attribute members stored in planning

● HSP_MEMBER_TO_ATTRIBUTE

● Joins the attributes with the members of a Dimension

Attribute Tables

Planning Repository

Attribute Tables

Column Name Description

ATTR_ID ID of the Attribute dimension.

DIM_ID The ID of the dimension that the attribute is associated

HSP_ATTRIBUTE_DIM

Planning Repository

Column Name Description

ATTR_MEM_ID ID of the Attribute member.

ATTR_ID ID of the Attribute dimension.

HSP_ATTRIBUTE_MEMBER

Attribute Tables

Planning Repository

Column Name Description

MEMBER_ID ID of the member that has been assigned an attribute.

ATTR_ID ID of the Attribute dimension.

ATTR_MEM_ID ID of the Attribute member.

HSP_MEMBER_TO_ATTRIBUTE

Planning objects is define using one table:

● HSP_OBJECT

● Contains the Metadata from all Planning objects as well the

parent member relationship used to create all metadata

structure.

Object Table

Planning Repository

Column Name Description

OBJECT_ID Object ID for all objects in planning.

OBJECT_NAME Stores all metadata description in Planning (e.g. Alias, Members)

OBJECT_TYPE Type of the Object (e.g. Entity, Account, Attribute…)

PARENT_IDParent ID of the object. Used for build the parent/child relationship

with OBJECT_ID

GENERATION Inform which generation that object belongs.

HAS_CHILDREN Inform if the object has or not a child

Object Tables

HSP_OBJECT

Planning Repository

Entity Hierarchy

Building Solution

Extract the Entity Dimension

members and their attributes

from Planning Repository

● Use connect by nocycle prior to

rebuild the hierarchy from bottom

up

Building Solution

Support Geography Hierarchy

Extract the Support Geography Attribute

Dimension Hierarchy from Planning Repository

● Use connect by prior to rebuild the hierarchy

Building Solution

Join 1: Entity + Support Geography

Join both queries by ATTR_MEM_ID

Building Solution

Users/Groups Security

Extract the generation 1 and 2 members and their

security groups from Planning Repository

● Generation 1 is Channel and contains all groups that has

access to everything

● Generation 2 are the Business segments and contains all

groups that has access only to that segment

Join the queries by LIKE of REGION_NAME

Building Solution

Join 2: Adding Security Groups

Building Solution

Generation 1 and 2 Members

Identify the Generation 1 and 2 parents for all Entity

members under it.

Join Parent_ID from Generation 1 or 2 and Entity_ID

Join 3: Putting Everything Together

Building Solution

Why ODI?

Building Solution

Full flexible development platform

● Tweak KMs and procedures to create

dynamic processes

● Virtually accepts any existing technology

Complete execution platform

● Built in security (Only key users can use it)

● Easy to be used by Users

● Automatize, schedule and control jobs

● Complete log information

Two ways to do it:

● Solution 1: Generate a Secfile and run a command

line in the end of the ODI process to load it into

Planning (using ImportSecurity utility)

● Solution 2: Insert the security directly into

HSP_ACCESS_CONTROL table

Solution Design Choices

Building Solution

ImportSecurity Insert into Repository

No clear control (clear all or nothing) Clear any type of security based in

any rule (delete clause + repository)

No service restart Service restart

No repository manipulation Repository manipulation

ImportSecurity utility loads access permissions for

users or groups from a text file into Planning

ImportSecurity

Parameter Description

[-f:passwordFile] Optional: If an encrypted password file is set up, use as the first parameter in the

command line to read the password from the full file path and name specified in

passwordFile.

appname Name of the Planning application to which you are importing access permissions.

username Planning administrator user name.

delimiter Optional: SL_TAB, SL_COMMA, SL_PIPE, SL_SPACE, SL_COLON, SL_SEMI-COLON. If

no delimiter is specified, comma is the default.

RUN_SILENT Optional: Execute the utility silently (the default) or with progress messages. Specify 0 for

messages, or 1 for no messages.

[SL_CLEARALL] Optional: Clear existing access permissions when importing new access permissions. Must

be in uppercase.

ImportSecurity.cmd [-f:passwordFile] “appname,username,[delimiter],[RUN_SILENT],[SL_CLEARALL]”

Solution 1

Item Description

username or group name The name of a user or group defined in Shared Services Console.

artifact name The named artifact for the imported access permissions (for example the member,

data form, task list, folder, or Calculation Manager business rule).

access permissions Read, ReadWrite, or None. If there are duplicate lines for a user/member

combination, the line with ReadWrite access takes precedence.

Essbase access flags @CHILDREN, @ICHILDREN, @DESCENDANTS, @IDESCENDANTS and

MEMBER.

artifact type For artifacts other than members, distinguish which artifact you are importing

security for with artifact type identifier.

The SecFile.txt contain the access permissions

for users or groups and should have the

following format:

SecFile.txt

Solution 1

Importing access permissions overwrites

existing access assignments and the

SL_CLEARALL parameter clears all existing

access permissions giving us two options:

● (1.1) Load only the new security and manually delete

the old undesired access (Sent by email through the

interface)

● (1.2) Clear all Security with SL_CLEARALL and then

load all access from all dimensions back to Planning

(Entity + All other existing security)

Design Decision

Solution 1

Solution 1.1

Load only new security to SecFile.txt

● Using two datasets to generate a Minus between the

new and the existing security

Generating SecFile.txt

Solution 1.1

Load all old security to OldSecurity.txt

● Using two datasets to generate a Minus between the

existing security and the new generated access

Generating Old Security File

Solution 1.2

Load ALL security to SecFile.txt

● Using two datasets to generate an Union between

the new and the existing security

Generating Full SecFile.txt

Use a ODI Procedure to run a CMD command

on Planning Server and import security

Import Security

Solution 1

Solution 2

Insert/Delete Security on

HSP_ACCESS_CONTROL

Hyperion Planning Repository

Restart Planning

● SC \\PLANNING_SERVER STOP HYS9Planning

● Wait

● SC \\PLANNING_SERVER START HYS9Planning

● Wait

Solution 2

Restart Hyperion Planning Service

ODI Package

Simple ODI Solution

Building Solution

DRM (Metadata

Source)

Oracle

Inbound tables

schema

Hyperion

Planning

Source

System

External

System

External

System

External

System

Source

System

Source

System

IKM SQL to Hyperion

Planning (Metadata)

EssbaseIKM SQL to Hyperion

Essbase (DATA)

LKM Hyperion

Essbase DATA to SQL

Security and admin tasks

Oracle

Outbound

tables schema

Traditional ETL

Production Planning Architecture

Dell Environment

QUESTIONS?

Questions

Ricardo Giampaoli – TeraCorpRodrigo Radtke de Souza - Dell

Thank you!

Thank You