using oracle e-business suite (ebs) to manage epm functional security for epm releases 11.1.1.3 and...
TRANSCRIPT
Using Oracle E-Business Suite (EBS) to Manage EPM Functional Security
For EPM Releases 11.1.1.3 and 11.1.2
Use Case
• The customer manages the privileges and responsibilities in EBS
• The customer would like to manage EPM’s functional security (roles) in EBS as part of a custom application with its privileges
Assumptions
• EBS users belong to a corporate directory such as OID or MSAD
• If EBS is configured to use native users and not OID, then the email address in EBS should match the email address of the corporate directory
Integration Approach
• The integration is done via two capabilities in EPM:• Hyperion Shared Service’s ability to assign roles to
native groups• LCM’s ability to load native groups into the system
Configuration Steps for the Integration
Task Overview
• In EPM:• Configure EPM’s security to use the corporate
directory where the EBS users reside• Use SQLPlus or other means to export
responsibilities and users assigned to these responsibilities
• Use LCM to import the above data into Shared Services. This will create native EPM groups for each EBS responsibility
• Schedule these two tasks to run them periodically, as needed
Configuring EPM Security
• EPM security is administered and managed in Shared Services. You need to launch Shared Services Console and configure the corporate directory where the EBS users reside as a provider in Shared Services. The following slides detail these steps using OID as an example.
Configure EBS User Directory
Configure EBS User Directory
Configure EBS User Directory
Configure EBS User Directory
Configure EBS User Directory
Configure EBS User Directory Again
• Configure the EBS user directory once to be able to authenticate users based on their login attribute
• Configure the EBS user directory again with the email address as the login attribute, because users are extracted and imported from EBS based on the email attribute
• After configuring the EBS user directory with the email address as the login attribute, put that directory lower in the search order and disable group cache
Configure EBS User Directory Again – using email address
Configure EBS User Directory Again – using email address
Provide a valid
email address
here and click
autoconfigure
Configure EBS User Directory Again – using email address
Uncheck This
to disable
group cache
Configure EBS User Directory Again – using email address
Lower Search Order for New Directory Configured
Use LCM to Create Migration Definition File
• Use the LCM UI in Shared Services Console to build a migration definition file that will be used to import the responsibilities data
• Once LCM data has been extracted as shown, add the EBS extracted data in the format specified to the groups.csv file that is found under the folder you will specify in the LCM UI at: $MIDDLEWARE_HOME\user_projects\epmsystem1\import_export\admin@Native Directory
Create Migration Definition File for LCM
Create Migration Definition File for LCM
Create Migration Definition File for LCM
Create Migration Definition File for LCM
Create Migration Definition File for LCM
Save Migration Definition File
Execute Migration
The Exported Shows up on the Filesystem
Extract EBS Security• The following three slides show the sample SQL that can
be used to extract the security from EBS. You will need to format the output as shown in the “Sample Format for Groups.csv” slide.
• Merge the results of the two queries into a single CSV file.• Insert the headers and static text as shown in red in
the .csv file prior to importing into Shared Services.• Note that in the slide that shows the sample format for
goups.csv, the text shown in red is mandatory and static.• The sample query has a condition in the “where” clause to
filter based on a given application name. Use the application name in EBS that will be used for managing user security for EPM.
Extract Responsibilities in .csv FormatExtract the responsibilities so that these will be the native groups. You may use the
following sample but customize to your specific implementation.select distinct'"'||R.RESPONSIBILITY_NAME||'"',',Native Directory'
from
APPS.FND_USER_RESP_GROUPS G
, APPS.FND_USER U
, APPS.FND_RESPONSIBILITY_VL R
, APPS.FND_APPLICATION_VL A
where (1=1)
/* joins */
and R.APPLICATION_ID = A.APPLICATION_ID
and G.RESPONSIBILITY_ID = R.RESPONSIBILITY_ID
and G.RESPONSIBILITY_APPLICATION_ID = R.APPLICATION_ID
and G.USER_ID = U.USER_ID
/* filters */
and R.START_DATE < SYSDATE and nvl(R.END_DATE, SYSDATE) >= SYSDATE
and U.START_DATE < SYSDATE and nvl(U.END_DATE, SYSDATE) >= SYSDATE
and G.START_DATE < SYSDATE and nvl(G.END_DATE, SYSDATE) >= SYSDATE
/*and A.APPLICATION_SHORT_NAME = 'EPM'*/
and U.USER_ID is not null
Extract Responsibilities and Assignments in .csv Format
Use this query if using OID with EBS to extract the responsibilities and the users assigned to these responsibilities for the custom application created. You may use the following sample but customize to your specific implementation.
select '"'||R.RESPONSIBILITY_NAME||'"',',',',',',' , '"'||U.USER_NAME||'"', ',Native Directory'from APPS.FND_USER_RESP_GROUPS G , APPS.FND_USER U , APPS.FND_RESPONSIBILITY_VL R , APPS.FND_APPLICATION_VL Awhere (1=1) /* joins */ and R.APPLICATION_ID = A.APPLICATION_ID and G.RESPONSIBILITY_ID = R.RESPONSIBILITY_ID and G.RESPONSIBILITY_APPLICATION_ID = R.APPLICATION_ID and G.USER_ID = U.USER_ID /* filters */ and R.START_DATE < SYSDATE and nvl(R.END_DATE, SYSDATE) >= SYSDATE and U.START_DATE < SYSDATE and nvl(U.END_DATE, SYSDATE) >= SYSDATE and G.START_DATE < SYSDATE and nvl(G.END_DATE, SYSDATE) >= SYSDATE /*and A.APPLICATION_SHORT_NAME = 'EPM'*/and U.USER_NAME is not null
Extract Responsibilities and Assignments in .csv Format
Use this query if using EBS with native users to extract the responsibilities and the users assigned to these responsibilities for the custom application created. The email address in EBS should match the external directory as well. You may use the following sample but customize to your specific implementation.
select '"'||R.RESPONSIBILITY_NAME||'"',',',',',',' , '"'||U.EMAIL_ADDRESS||'"', ',Native Directory'from APPS.FND_USER_RESP_GROUPS G , APPS.FND_USER U , APPS.FND_RESPONSIBILITY_VL R , APPS.FND_APPLICATION_VL Awhere (1=1) /* joins */ and R.APPLICATION_ID = A.APPLICATION_ID and G.RESPONSIBILITY_ID = R.RESPONSIBILITY_ID and G.RESPONSIBILITY_APPLICATION_ID = R.APPLICATION_ID and G.USER_ID = U.USER_ID /* filters */ and R.START_DATE < SYSDATE and nvl(R.END_DATE, SYSDATE) >= SYSDATE and U.START_DATE < SYSDATE and nvl(U.END_DATE, SYSDATE) >= SYSDATE and G.START_DATE < SYSDATE and nvl(G.END_DATE, SYSDATE) >= SYSDATE /*and A.APPLICATION_SHORT_NAME = 'EPM'*/and U.EMAIL_ADDRESS is not null
Sample Format for Groups.csv – using email_address
#groupid,provider,name,description,internal_id
Sourcing Supplier Resp02 , Native Directory
Cash Management , Native Directory
General Ledger Super User , Native Directory#group_childrenid,group_id,group_provider,user_id,user_provider
Sourcing Supplier Resp02 , , , [email protected] , Native Directory
Cash Management , , , [email protected] , Native Directory
General Ledger Super User , , , [email protected] , Native Directory
Sample Format for Groups.csv – using user_id
#groupid,provider,name,description,internal_id
Sourcing Supplier Resp02 , Native Directory
Cash Management , Native Directory
General Ledger Super User , Native Directory#group_childrenid,group_id,group_provider,user_id,user_provider
Sourcing Supplier Resp02 , , , 555SECUSER14 , Native Directory
Cash Management , , , ARFINQA_02 , Native Directory
General Ledger Super User , , , EBUSINESS_AR , Native Directory
Import Using LCM
Administration Tasks after the first import and any subsequent
application creation
• In EPM:• Provision native groups created by the LCM import
to the appropriate role(s) in the application. This is a “one time” activity.
• If the groups and apps are high in number, bulk provisioning can be done via LCM.
Provision EPM Roles to EBS Responsibility Groups
Provision EPM Roles to EBS Responsibility Groups