Unleashing Hyperion Planning Security Using ODI

Ricardo Giampaoli – TeraCorp
Rodrigo Radtke de Souza - Dell


Post on 13-Apr-2017



About the Speakers

Giampaoli, Ricardo

● Master in Business Administration and IT management
● Founder of TeraCorp Consulting
● 18 years working with IT, the last 8 as an EPM solution architect
● EPM training instructor
● Essbase/OBIEE/ODI Certified Specialist
● Blogger @ devepm.com

Radtke, Rodrigo

● Graduated in Computer Engineering
● Software Developer Advisor at Dell
● Ten years working with IT, the last five as an ETL architect
● ODI, Oracle and Java Certified
● Blogger @ devepm.com

About

TeraCorp is a company specialized in products and services focused on EPM.

TeraCorp's mission is to create innovative solutions that help people, businesses and partners exceed their goals and reach their full potential.

Learn more @ www.teracorp.com.br/en

About TeraCorp

About

Knowledge of:
● ODI
● Hyperion Planning
● SQL

Pre-Requisites

Agenda

● Business Needs
● Hyperion Planning Security
● Hyperion Planning Repository
● Building Solutions
● Dell’s Environment
● Q&A

Business Needs

The Study Case

One cube with an Entity dimension containing all 22000+ cost centers in the world

Security must be granted in such a way that a user from a region can only see data from their own cost centers

Parent aggregations should display only the sum of the data that the user has access to

Cost centers from different regions sit under the same parent

Cost center region is defined by an attribute dimension

Hyperion Planning Security

Is security robust and flexible?
● Cannot use an attribute dimension to define security

Access control at leaf level?
● How to provide and maintain security at leaf level in dimensions with 22000+ cost centers?
● How to handle cost centers that change region?

Use Microsoft Excel to generate all the necessary security combinations?
● What is the cost of maintaining such a file in a fast-changing business structure?

Planning Security

A Region dimension to split the data by world region and provide the right aggregation at parent levels.

Cost center region defined by an attribute dimension.
● EMEA users need access only to cost centers whose Support Geography belongs to SUPP_EMEA, and only to the EMEA Region.

Aggregation Solution

Solution Choice

Read the Planning application repository to dynamically build the Entity dimension security, based on the geography attributes and the groups associated with the Entity upper-level members

Security must be granted “bottom-up”

Security Solution

Solution Choice

The security must be granted for all users or groups on the high-level members (e.g. Entity gen1 and/or gen2 members). The relation must be set as “Member”.

The Entity members' attributes and the Support Geography hierarchy

The user or group names should have a relationship with the attribute member.

Pre Requisites

Planning Security

Groups

All information exists in the Planning repository. Seven tables were used to build this solution.

● Three security tables
● Three attribute tables
● One object table

Planning Repository Overview

Planning Repository

Security is defined using three tables:
● HSP_USERS
  ● Only used if a user is assigned directly to an object in Planning
● HSP_GROUP
  ● Only used if a group is assigned directly to an object in Planning
● HSP_ACCESS_CONTROL
  ● Associates a user or group with an object, and states what access it has to the object and whether that access applies only to the object or is spread to its children

Security Tables

Planning Repository

Security Tables

HSP_GROUP

Column Name | Description
GROUP_ID | The group ID, created after a user who belongs to the group logs in or after the group is assigned to any object in Hyperion Planning.
SID | The native or external directory ID

HSP_USERS

Column Name | Description
USER_ID | The user ID, created after the user logs in or is assigned to any object in Hyperion Planning.
SID | The native or external directory ID

Planning Repository

HSP_ACCESS_CONTROL

Column Name | Description
USER_ID | The user or group ID, created after a group or a user is assigned to any object in Hyperion Planning.
OBJECT_ID | The ID of the object on which the security has been granted
ACCESS_MODE | The type of access that a user or a group can have on an object: 1 = Read, 3 = ReadWrite, -1 = Deny
FLAGS | Essbase access flag; determines whether a user or a group has access only to that object or also to the hierarchy below it: 0 = Member, 5 = @Children, 6 = @IChildren, 8 = @Descendants, 9 = @IDescendants

Planning Repository

Attributes are defined using three tables:
● HSP_ATTRIBUTE_DIM
  ● Stores all attribute dimensions
● HSP_ATTRIBUTE_MEMBER
  ● Holds all attribute members stored in Planning
● HSP_MEMBER_TO_ATTRIBUTE
  ● Joins the attributes with the members of a dimension

Attribute Tables

Planning Repository

Attribute Tables

HSP_ATTRIBUTE_DIM

Column Name | Description
ATTR_ID | ID of the attribute dimension.
DIM_ID | The ID of the dimension that the attribute is associated with

Planning Repository

HSP_ATTRIBUTE_MEMBER

Column Name | Description
ATTR_MEM_ID | ID of the attribute member.
ATTR_ID | ID of the attribute dimension.

Attribute Tables

Planning Repository

HSP_MEMBER_TO_ATTRIBUTE

Column Name | Description
MEMBER_ID | ID of the member that has been assigned an attribute.
ATTR_ID | ID of the attribute dimension.
ATTR_MEM_ID | ID of the attribute member.

Planning objects are defined using one table:
● HSP_OBJECT
  ● Contains the metadata of all Planning objects, as well as the parent/member relationship used to build the whole metadata structure.

Object Table

Planning Repository

HSP_OBJECT

Column Name | Description
OBJECT_ID | Object ID for all objects in Planning.
OBJECT_NAME | Stores all metadata descriptions in Planning (e.g. Alias, Members)
OBJECT_TYPE | Type of the object (e.g. Entity, Account, Attribute…)
PARENT_ID | Parent ID of the object. Used to build the parent/child relationship with OBJECT_ID
GENERATION | The generation the object belongs to.
HAS_CHILDREN | Whether or not the object has children

Planning Repository

Entity Hierarchy

Building Solution

Extract the Entity dimension members and their attributes from the Planning repository
● Use CONNECT BY NOCYCLE PRIOR to rebuild the hierarchy from the bottom up

Building Solution

Support Geography Hierarchy

Extract the Support Geography attribute dimension hierarchy from the Planning repository
● Use CONNECT BY PRIOR to rebuild the hierarchy

Building Solution

Join 1: Entity + Support Geography

Join both queries by ATTR_MEM_ID

Building Solution

Users/Groups Security

Extract the generation 1 and 2 members and their security groups from the Planning repository
● Generation 1 is Channel and contains all groups that have access to everything
● Generation 2 members are the Business segments and contain all groups that have access only to that segment

Join the queries by LIKE of REGION_NAME

Building Solution

Join 2: Adding Security Groups

Building Solution

Generation 1 and 2 Members

Identify the Generation 1 and 2 parents of all Entity members under them.

Join Parent_ID from Generation 1 or 2 with Entity_ID

Join 3: Putting Everything Together
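The three joins described above, modelled in Python on constructed rows. This is an added example, not the SQL or ODI interfaces from the presentation; the member names, group names, IDs and the rule that the region token is the attribute name without "SUPP_" are assumptions, as is the choice to carry the upper-level ACCESS_MODE down to the leaf.

```python
# Constructed sample data; every name and ID below is illustrative.
# HSP_OBJECT-like rows: OBJECT_ID -> (OBJECT_NAME, PARENT_ID, GENERATION)
OBJECTS = {
    1: ("Channel", None, 1),
    10: ("Segment_A", 1, 2),
    11: ("Segment_B", 1, 2),
    100: ("CC_1001", 10, 3),
    101: ("CC_1002", 10, 3),
    102: ("CC_2001", 11, 3),
}
# HSP_MEMBER_TO_ATTRIBUTE resolved to the Support Geography member name
MEMBER_ATTR = {100: "SUPP_EMEA", 101: "SUPP_APJ", 102: "SUPP_EMEA"}
# Grants on generation 1/2 members with relation "Member":
# (group name, OBJECT_ID, ACCESS_MODE)
UPPER_GRANTS = [
    ("ALL_EMEA", 1, 1),    # gen 1: all segments, EMEA cost centers, Read
    ("SEGA_APJ", 10, 3),   # gen 2: Segment_A only, ReadWrite
    ("SEGB_EMEA", 11, 3),  # gen 2: Segment_B only, ReadWrite
]

def ancestors(object_id):
    """Walk PARENT_ID bottom-up; the seen-set plays the role of NOCYCLE."""
    seen, current = set(), OBJECTS[object_id][1]
    while current is not None and current not in seen:
        seen.add(current)
        current = OBJECTS[current][1]
    return seen

def region_of(attr_name):
    # Assumption: the region token is the attribute name without "SUPP_".
    prefix = "SUPP_"
    return attr_name[len(prefix):] if attr_name.startswith(prefix) else attr_name

def derive_leaf_grants():
    """Return {(group, cost center, ACCESS_MODE)} for leaf-level security."""
    grants = set()
    for member_id, attr in MEMBER_ATTR.items():
        region = region_of(attr)
        upper = {a for a in ancestors(member_id) if OBJECTS[a][2] in (1, 2)}
        for group, obj_id, mode in UPPER_GRANTS:
            # Join 2 uses LIKE on the region name: substring match here.
            if obj_id in upper and region in group:
                grants.add((group, OBJECTS[member_id][0], mode))
    return grants

if __name__ == "__main__":
    for row in sorted(derive_leaf_grants()):
        print(row)
```

Because the group-to-region join is a substring match, a region token that also occurs inside an unrelated group name would grant that group access as well; a naming convention with delimited region tokens avoids this.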

Building Solution

Why ODI?

Building Solution

Fully flexible development platform
● Tweak KMs and procedures to create dynamic processes
● Accepts virtually any existing technology

Complete execution platform
● Built-in security (only key users can use it)
● Easy for users to use
● Automate, schedule and control jobs
● Complete log information

Two ways to do it:
● Solution 1: Generate a SecFile and run a command line at the end of the ODI process to load it into Planning (using the ImportSecurity utility)
● Solution 2: Insert the security directly into the HSP_ACCESS_CONTROL table

Solution Design Choices

Building Solution

ImportSecurity | Insert into Repository
No clear control (clear all or nothing) | Clear any type of security based on any rule (delete clause + repository)
No service restart | Service restart
No repository manipulation | Repository manipulation

The ImportSecurity utility loads access permissions for users or groups from a text file into Planning.

ImportSecurity

Parameter | Description
[-f:passwordFile] | Optional: If an encrypted password file is set up, use as the first parameter in the command line to read the password from the full file path and name specified in passwordFile.
appname | Name of the Planning application to which you are importing access permissions.
username | Planning administrator user name.
delimiter | Optional: SL_TAB, SL_COMMA, SL_PIPE, SL_SPACE, SL_COLON, SL_SEMI-COLON. If no delimiter is specified, comma is the default.
RUN_SILENT | Optional: Execute the utility silently (the default) or with progress messages. Specify 0 for messages, or 1 for no messages.
[SL_CLEARALL] | Optional: Clear existing access permissions when importing new access permissions. Must be in uppercase.

ImportSecurity.cmd [-f:passwordFile] "appname,username,[delimiter],[RUN_SILENT],[SL_CLEARALL]"

Solution 1

Item | Description
username or group name | The name of a user or group defined in Shared Services Console.
artifact name | The named artifact for the imported access permissions (for example the member, data form, task list, folder, or Calculation Manager business rule).
access permissions | Read, ReadWrite, or None. If there are duplicate lines for a user/member combination, the line with ReadWrite access takes precedence.
Essbase access flags | @CHILDREN, @ICHILDREN, @DESCENDANTS, @IDESCENDANTS and MEMBER.
artifact type | For artifacts other than members, distinguish which artifact you are importing security for with the artifact type identifier.

SecFile.txt contains the access permissions for users or groups and should have the following format:

SecFile.txt

Solution 1

Importing access permissions overwrites existing access assignments, and the SL_CLEARALL parameter clears all existing access permissions, which gives us two options:
● (1.1) Load only the new security and manually delete the old, undesired access (sent by email through the interface)
● (1.2) Clear all security with SL_CLEARALL and then load all access from all dimensions back to Planning (Entity + all other existing security)

Design Decision

Solution 1

Solution 1.1

Load only new security to SecFile.txt
● Using two datasets to generate a Minus between the new and the existing security

Generating SecFile.txt

Solution 1.1

Load all old security to OldSecurity.txt
● Using two datasets to generate a Minus between the existing security and the newly generated access

Generating Old Security File

Solution 1.2

Load ALL security to SecFile.txt
● Using two datasets to generate a Union between the new and the existing security

Generating Full SecFile.txt
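The Minus and Union datasets of Solutions 1.1 and 1.2, as an added Python example on constructed rows (not the ODI interfaces from the presentation). It renders each grant as a comma-delimited line using the ACCESS_MODE and FLAGS codes listed for HSP_ACCESS_CONTROL; the group and member names, the result keys, and the mapping of -1 (Deny) to "None" are assumptions.

```python
# ACCESS_MODE and FLAGS codes as listed for HSP_ACCESS_CONTROL.
# Assumption: -1 (Deny) is written as "None" in the SecFile.
ACCESS = {1: "Read", 3: "ReadWrite", -1: "None"}
FLAGS = {0: "MEMBER", 5: "@CHILDREN", 6: "@ICHILDREN",
         8: "@DESCENDANTS", 9: "@IDESCENDANTS"}

# Constructed rows: (group, member, ACCESS_MODE, FLAGS)
EXISTING_ENTITY = {
    ("ALL_EMEA", "CC_1001", 1, 0),
    ("SEGA_APJ", "CC_1001", 3, 0),   # stale: cost center no longer in APJ
}
EXISTING_OTHER = {("PLANNERS", "Revenue", 3, 9)}  # non-Entity security
DERIVED_ENTITY = {
    ("ALL_EMEA", "CC_1001", 1, 0),
    ("ALL_EMEA", "CC_2001", 1, 0),
    ("SEGB_EMEA", "CC_2001", 3, 0),
}

def secfile_line(row, delimiter=","):
    """Render one grant; reject values that would corrupt the file."""
    group, member, mode, flag = row
    if mode not in ACCESS or flag not in FLAGS:
        raise ValueError("unknown ACCESS_MODE or FLAGS in %r" % (row,))
    if any(delimiter in f or "\n" in f for f in (group, member)):
        raise ValueError("delimiter or newline inside a name: %r" % (row,))
    return delimiter.join((group, member, ACCESS[mode], FLAGS[flag]))

def build_files(existing_entity, existing_other, derived_entity):
    def render(rows):
        return sorted(secfile_line(r) for r in rows)
    return {
        # 1.1: new MINUS existing -> grants to import
        "secfile_new": render(derived_entity - existing_entity),
        # 1.1: existing MINUS new -> stale grants to remove by hand
        "old_security": render(existing_entity - derived_entity),
        # 1.2: UNION of the new Entity security and all other existing
        # security, loaded after SL_CLEARALL
        "secfile_full": render(derived_entity | existing_other),
    }

if __name__ == "__main__":
    files = build_files(EXISTING_ENTITY, EXISTING_OTHER, DERIVED_ENTITY)
    for name, lines in files.items():
        print(name, *lines, sep="\n  ")
```

The stale grant appears only in the old-security list: under 1.1 it stays in Planning until someone deletes it, while under 1.2 it disappears because it is not part of the reloaded file.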

Use an ODI Procedure to run a CMD command on the Planning server and import the security

Import Security

Solution 1

Solution 2

Insert/Delete Security on HSP_ACCESS_CONTROL

Hyperion Planning Repository

Restart Planning
● SC \\PLANNING_SERVER STOP HYS9Planning
● Wait
● SC \\PLANNING_SERVER START HYS9Planning
● Wait

Solution 2

Restart Hyperion Planning Service

ODI Package

Simple ODI Solution

Building Solution

[Figure: Production Planning Architecture. Diagram labels: DRM (Metadata Source); Source Systems; External Systems; Traditional ETL; Oracle inbound tables schema; IKM SQL to Hyperion Planning (Metadata); Hyperion Planning; IKM SQL to Hyperion Essbase (DATA); Essbase; LKM Hyperion Essbase DATA to SQL; Oracle outbound tables schema; Security and admin tasks]

Dell Environment

QUESTIONS?


Thank you!
