Hierarchy in Security Class

Similar Messages

• Shared Services Security Classes

  Hello,
  I wanted to know what the real value of having Security classes set up? I understand that having Security Classes on Shared Services is not mandatory. Under which circumstances should you use Security Classes and as I am involved in setting up Shared Services, I was wondering if I should use this option or not. We are currently in the development phase of HFM and Planning.
  If anyone can shed light on this issue, it would be greatly appreciated. Thank you.
  -- A

  Hey guys,
  I really appreciate the response.
  The fact that Security Class may be assigned at the Entity level does ring bells. We do want to ensure that certain entities can only see their own data and not others.
  I believe I will use Security class at the entity level for our company.
  Can you give me some examples of assigning Security classes for HFM?
  Wintee's suggestion of assign - ready only and stuff like that is okay but seems a bit generic. Thank you very much for your suggestion though Wintee.
  I also wanted to know the exact difference between an administrator, delegated administrator, application administrator. Who assigns who?
  If you had to make a hierarchy of users for Shared Services, what would it be: Admin, Delegated Admin, App. Admin, Provisioning Mgr, Directory Mgr? Who comes at the top? Thanks so much for your help so far guys...much appreciated.
  -- A

• Missing security classes

  Hi all,
  I have updated Security Class dimension via EPMA (added but also removed some classes). Deploy was successful and the application is in sync with EPMA.
  When I wanted to update security class access via HSS, I couldn't find new classes and old ones (which I removed via EPMA) were still there.
  How is that possible? I don't see any problem in interconnection between HFM and HSS but this seems that security classes haven't been refreshed in HSS.
  Could anyone help me with this please?
  BR
  Vladino
  EDIT
  I can see newly added classes but I can see also old ones. This is really weird... I have duplicated the application, cleared all data and metadata but old classes are still there. :-/
  Edited by: Vladino on Jul 11, 2011 1:49 PM

  Solved.
  The issue was because of migrating the old application into new one with different security classes. After clean deploy everything was fine but the migration (using command-line utility) replaced security settings with that coming from the old application.
  Vladino

• Securing class files

  Hello,
  I read all these topics about securing class-files,
  and about encryptors and stuff like that
  so I tought this could be possible :
  I've made an application and you can run it by using an exe-file.
  In the same directory you find the class-files.
  Now I archived the class files with winrar, and set a password on it.
  I tried to use the exe-file to run the application, but it can't.
  Obvisiously, it can't find the mainclass.
  So I was wondering if there is a way to make clear to the exe -file, that the main class is in that zip-file, and that you need <this password> to get in to the zip-file.
  I think it's possible, but I don' know how to do it.
  I thought Google would know it, but he don't.
  ...

  The collision wasn't "stumbled" across it was found
  because the researchers
  found a way (from your link) to "reduce the search
  space".I didn't say "the collision was "stumbled" across"...
  >
  This means that, under certain circumstances, inputs
  producing the same hash
  can be found for other inputs + hashes.That is what I said...
  >
  Did you have a look at the PDF ?
  http://eprint.iacr.org/2004/199.pdf
  This doesn't damage the use of MD% for verifyingthat
  file contents are unchanged, so to OP - go aheadand
  use it.Well, it does because it means that there is the
  potential for another
  file that is not the same to return the same
  sum - hence the program
  won't realise the difference.And the situation is no worse now that before the duplication was found. Any encryption/hashing routine can create duplicate hashes - because none of them have an infinitely large numberspace.

• Can applet load own security class, class loader

  i tried this own security class extends SecurityManager class but exception thrown as applet cannot initate new security manager class.
  i have done throw policy file entry to allow applet to write file in client machine.
  i feel this extra burden novice user...
  what is alternative way....
  plz..

  An applet should never be allowed to install its own security manager. That is why it is burdensome.

• Provisioning, security classes etc.

  Hi there,
  I have several questions about setting up security in HFM application.
  1. Provisioning
  We have sevaral users that can be divided into two general groups - end users and consolidation users.
  General users should use only project view with task lists. They shouldn't create any new grids or forms, only existing. And they should use export/import feature from forms.
  Consolidation users should have access to almost all features.
  What privileges should be each group provisioned in HSS?
  2. Security classes
  We have prepared entity dimension splitted into several hierarchies. Basic one is geographical, another are functional and entities are shared in these hierarchies. Let's say that we have SK region with SK entities (SK01, SK02...). I know that we should create security class for each entity to grant users access only to their own entity. But I'm not sure how to do that...
  I have created two security classes - SK01 and SK02 - and associated them to appropriate entities. Then I have selected security for entities in app settings and selected "Entity" option in security node.
  In shared services I have selected "All" for security class SK01 and "metadata" for security class SK02 (for my account for testing purposes only). But nothing happened - I'm still able to write to both entities.
  The question is if there is any connection between security class settings and provisioned roles. I mean if this is because I'm provisioned with all rights in application (meaning "Application Administrator" in HSS).
  Can anydoby help me with this please?
  Thanks,
  Vlado

  In shared services, go to help and search for Financial Management Roles. This will bring you to a nice table of all available roles for HFM. Use this to determine who gets what. To limit users to Tasklists, be sure to not provision them to Advanced User.
  Make sure you are very specific with those consolidation users. Many roles should be Admin only. The way I figured them out was to create fake users in Native Directory (one for each type of user) and provision a role at a time and test the functionality.
  The above test will help with Security Classes as well. Your guess was correct, Administrator role overrides all security classes. You may not need a class per entity, just a class per group of entities that distinct set of people will need. You will also need classes applied to Parent entities that may or not be shared among your hierarchies. In your example this could be SK or it could be SK01 if that works. Try to keep the total number of classes down. You might end up assigning a unique combination of classes to each person in the system and that would be very difficult to maintain. Remember to assign the same access to the Default class as the highest access the user has. If in doubt, just grant All for the Default class. Default is assigned to all items in metadata unless you specify otherwise. For example, all accounts will have Default security and if a user only has Read, they will not be able to create a journal entry.
  Here is how the class access works:
  None - user cannot view or edit data
  Read - user can view data
  All - user can view and edit data
  Metadata - I have not used this one.

• Security Classes in HSV_SECACCESS table showing wrong OU

  We moved some users from one OU to another in Active Directory. I then ran the updatenativedir utility.
  However, when I provision the user with security classes for HFM in shared services, the records in the hsv_appname_secaccess table are still showing under the old OU. This will cause problems when the user tries to login and work.
  Do I have to restart openLDAP and Shared Services to make these changes effective?
  Thanks
  Wags
  version 9.2.1

  long term you should speak to Oracle Consulting about migrating your Identity Attribute in your External Authentication provider from whatever it is currently to one that is location agnostic such as ObjectGUID. It is quite trivial to migrate from DN to ObjectGUID for the HFM product, but it may more complex for other products in the System 9 suite. From 9.2.0.3, 9.2.1, or all 9.3.1 versions Shared Services was enhanced to allow the use of ObjectGUID and then it does not matter when user or groups are moved around in the external provider (no more need for the UpdateNativeDir utility!)... this is the better solution.
  having said that, you should check in Shared Services if this user who is getting assigned the security class access doesn't exist more than once in the Security Class matrix... probably you are still assigning security to his "old" ID, and need to be applying the security onto his new ID. If he really does only exist once, still with the wrong OU, after you have run the UpdateNativeDir utility, I would recommend a Support request.

• Is there a way to delete a security class?

  I have added an incorrect security class in shared services.
  Does anyone know how I can delete it?
  Thanks!

  In Shared Services when looking at or setting up security, there is a small trash can icon which can be used to delete a class. It's just to the right of "available classes" and just above the scrollbar.

• Security class cross validation

  Hello
  One of the dimensions of the application is Country (customer location).
  User A - works with legal entity A, needs to see managarial data for region North America
  User B - works with legal entity B, needs to see managarial data for region Brazil
  I need to set security class as follows:
  User A to see its legal entity A with all members of Country dimension (so the user would see all the data of its entity)
  AND
  User A to see the consolidated data (i.e. all legal entities) for region North America
  If I grant user A with TopCountry, he would be able to see all the data in the consolidation, which is not what I want.
  Does anyone know how to do it, if it's possible at all?
  Thanks
  Lilach

  why would user A see all the data in the consolidation if you grant him with TopCountry security class? If every entity below TopCountry is assigned a different security class then he would only see the consolidated data for TopCountry

• Entity security class change

  If i wanted to change the security class attribute of an Entity, what is the process? Is it as simple as changing the attribute and loading metadata? Or does it require more extensive manual effort similar to changing a currency?

  I generally leave CLASSES having the same name as the ENTITY and I manage access with GROUPS. I really don't see the value in CLASSES, especially since you can manage USER / GROUP access in real time whereas if you decide you need to tweak a CLASS assignment to an entity, you have to reload metadata, etc, etc, etc. Additionally, I prefer to nest the groups so that you are not assigning users all over the place for no good reason. (i.e. 'Parent' Groups are members of the groups directly below them, etc)
  Structure (Class)
  ACME (Class = ACME)
  ------Pyro (Class = PYRO)
  ----------Rockets (Class = ROCKETS)
  ----------FlameThrow (Class = FLAMETHROW)
  ------Mechatronics (Class = MECHATRON)
  ----------RollerSkates (Class = ROLLERSK)
  For my Full Access security, I'd setup the following groups....
  Group
  hfmfaROLLERSK --> Assign Full Access to Class ROLLERSK
  hfmfaMECHATRON ->Assign Full Access to Class MECHATRON, Add as a Member of hfmfaROLLERSK
  hfmfaFLAMETHROW --> Assign Full Access to Class FLAMETHROW
  hfmfaROCKETS --> Assign Full Access to Class ROCKETS
  hfmfaPYRO --> Assign Full Access to PYRO, Add as a member of hfmfaROCKETS and hfmfaFLAMETHROW
  hfmfaACME --> Assign Full Access to ACME, Add as a member of hfmfaPYRO and hfmfaMECHATRON
  If I need a user who need access to all of ACME he gets added to hfmfaACME
  If I need a user to have access to Rockets, he just gets added to hfmfaROCKETS.
  FWIW

• Security class requires java.security file???

  What is the use of java.security file? Which
  classes refer this file while creating the instance?
  Can we create a class file that will refer this security
  file?
  When the java program loads security class it needs java.security class?
  In what type situation security class look into java.security file???
  Pls help me
  regards,
  namanc

  Open the java.security file up in notepad or something.

• HFM Security Class Java API

  Dear All,
  I'm trying to get HFM Security Class info using Java APIs. Recently I was able to connect to the Hyperion Shared Services using the hyperion css.jar java file. Is there a similar jar to access the Security classes and get users, groups and vice versa?
  Any examples would be great as well.

  Thanks for the reply. I was hoping this was not the case...
  In 9.2 I used these objects but I was hoping to move away from this and use provided API's.
  I'm using c# to talk to the object which I expose to java using web services so I guess that is what I'll be using!!!
  Cheers,

• HFM Security Class and Security

  Hi All my Peers,
  Can any one explain me What is the difference between Security Class and Security

  No offense, but if you don't understand these concepts well enough, your CV should probably be sent a far distance if you are trying to get an experienced consulting position. Understanding security is an important piece to the puzzle, especially when dealing with large amounts of financial data.
  With that said.......
  Security - Generally speaking, the goal of security is to control access to data, objects, programs, etc. In the Hyperion sense, security is managed in multiple different ways :
  - Program Access : Only users who are linked to Hyperion's Shared Services AND have the proper provisioned rights can open a program. (i.e. HFM, Reports, Workspace, FDM, etc, etc, etc.)
  - Provisioning : There are different types of rights per program that a user can have. Provisioning is the act of assigning these rights. (i.e. HFM has multiple rights such as Appliation Administrator, Default, Provisioning Manager, etc.)
  - Data / Object Access : Even if you have the right to enter the program, there is generally another layer of security which controls what you can do. For instance, inside of HFM, you can configure security for objects such as Data Forms and Data Grids. Furthermore, you can limit the user's ability to change or view data for specific entities, accounts, as well as other dimensions.
  - Security Classes : The security classes that you assign in the metadata are used during the act of assigning the Data / Object access controls. Users (and Groups) and assigned View Only, All (Read/Write), or None access to HFM Security Classes.
  This is a ridiculously high level overview. To get a much better understanding, I strongly recommend that you read the product documentation for the specific products you are using. If you are using 11.1.2.1 / HFM, here are a couple of documents that are of value :
  http://docs.oracle.com/cd/E17236_01/epm.1112/hfm_admin.pdf - Administrators guide which has a section on security.
  http://docs.oracle.com/cd/E17236_01/epm.1112/hfm_user.pdf - Users' guide which talked to security in terms of forms/ grids
  General System 11 doc : http://docs.oracle.com/cd/E17236_01/nav/portal_5.htm
  Hope that helps

• Creating  Security Class in EPMA

  I am unable to create security classes in HFM EPMA 11.1.2.2.3 -  can some one please enlighten with the Security procedure for HFM in EPMA App.
  Thanks in Advance

  You need to create a "security class"dimension in EPMA and associate your HFM dimensions with it.
  See the following page on how to work with HFM dimensions in EPMA;
  http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_architect/frameset.htm?epma_hfm_prop.html

• HFM security Class

  Hello Guys,
  I've to create around 3500 security classes and same number for the HSS roles I'm wondering if there is a way to bulk upload from a txt or a csv file rather than create everityng manually.
  Thanks
  Fran

  That's right: HFM's security extract has four sections: users/Groups, Security Classes, User/Group Role assignments, and User/Group class access. This can be easily coded outside of HFM and then loaded into the HFM application directly. Please note that security can only be loaded in Merge mode, so if you need to remove a user's access, you must do so from within Shared Services. Do not use the "Clear all security" mode unless you plan to rebuild the application entirely.
  --Chris