Group Security in Planning

Similar Messages

• User and Group Security Provisioning

  Hi,
  I have a question regarding Group security in Planning. I am using EPM system 11. My basic question is, if I create a new Planning user (interactive user with no default access to dimensions), and assign that user to a Planning group, does the user automatically inherit all the dimension access assigned to that Group? From my experience, it seems that I must explicitly assign each User access to the dimensions they should be able to Read or Write, and that simply adding them to a group that has been given Write access to the Expense Account (for example) does not give a newly added user to that Group Write access.
  A quick note - when creating new Users, I first create and provision them in Shared Services. However, in order to be able to log in with them, I must recreate the user in EAS's User Directory. This seems redundant to make a user twice, but is the only way I am able to successful login with new users, otherwise the Planning login page says "failed to sync with user provisioning". I have not done this same procedure for the Groups I have created (i.e. I have made and provisioned the Groups in Shared Services, but not recreated them in EAS). Is it possible that this is why Users aren't inherittiing the access rights of the Group? I can provide more information if needed, any help or comments are appreciated. Thanks in advance.

  user3x3 wrote:
  1) EAS method is to open EAS, then open the Essbase Server Node, right-click on security, and click Externalize Users. When I do this there is no right-click option to externalize the users, and since it can only be done once and then not reversed I assume the previous administrator already did this. Since this is not availalbe, I must use the second method.
  If you log in with an administrator account you should see the "Externalize Users" option even if you have already externalized.
  I take it you did not configure your system, I take it was documented so you could have a look how it was configured.
  If essbase is on a different server than shared services then maybe the essbase server was not registered with the shared services registry when it was configured, that might the reason why you are getting the shared services error when you try to convert to shared services security, basically it doesn't know where shared services is. If that is the case then it will need to be configured again.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Implicit Fact and Group Security Filters

  Hi All,
  Can somebody confirm for me if the Group Security filter as specified under 'Hr Org-Based security' is supposed to be applied in answers when the only reference to the fact table is via its selection as the implicit fact within the presentation catalog.
  E.g User selects Dim1, Dim 2 and Fact Measure , the query is filtered correctly by users organisation, when the fact measure is removed, OBIEE keeps the same fact table within the generated SQL as it is the implicit fact used to join the two dimension tables together. The results this time are not filtered by organization and its possible to return dimension records for fact rows that are from a different Org - In this case the user can return absense start and end dates for employees outside of his org (Customer wants this prevented)
  Is this expected behaviour ?
  Thanks.

  Hi John
  Thanks for your suggestion
  I tried this and He still doesnt have write access
  He doesnt need to be able to lock and send values via essbase ... However when we are in planning, He cant submit data to the dimension members mentioned above.. i.e the cells are all green
  I have checked and doubled check the security on the dimension members (and form security) in the form that he cant edit
  Do you have any other suggestions?
  Thank you
  PD

• Any utility or tool which extracts/exports security from planning application

  <p>Hi Everyone,<br><br>Would like to know if there is any utility or tool whichextracts/exports security from planning application.<br>By security i mean dimensional level security plus users andgroups.<br>Or SQL queries to fire on planning repository.<br>Or any workaround.<br><br>Thanks,</p>

  I'm not 100% certain, but you can try the ESD tool on the hyperion community portal (www.hyped.biz). It was designed for Essbase, but it's possible that it will work properly on a planning cube. Besides dumping security, it captures server, app, and db settings, flags user and group exceptions, validates filters, and generally gives some nice feedback.<BR><BR>-Doug.

• Advanced Security Manager (Planning)

  Hello, I am trying to find a utility which can export all the security from Planning to a *.txt file. Please let me know if its possible. I heard about Advanced Security Manager where i can download this thing. Thanks,Scorpion

  You can download ASM from Essbase.com. Here is the link..http://dev.hyperion.com/download/utilities/Thanks, Ricky - [email protected]

• Page & Page Group Security

  Looking for a fast way to check all the Page & Page Group Security? to see what they are all set to w/o having to go though everything manually.
  Thanks

  Did you ever find a solution to this?

• User and group security

  Not sure if this fits here, but here goes...
  I have a subportal folder, with a community in side. Inside the community, I have groups. If I give one group the admin level authority, is it just for that community and all of its content, or is it the whole portal. The admin docs are very granular on user and group security throughout the various ways of applying it. WHat I am trying to do is give a group admin control over a singel community as well as full admin control of all groups in the communities admin folder. BUT just those things.
  thanks

  If I recall correctly, there is no inheritance of user and group rights in PT, at least not in 5.x. If you give some rights on a specific object/folder to a specific group, then it will be for that object only and none of its children.
  You do have a choice of propagating of user rights down the ownership tree however. I.e., if you select a community and set some rights for yourself, it will prompt you if you want to propagate the same permissions down the chain, to all of its children. If you say yes, it will replacepermissions on all its children by creating copies. If you say no, you'll have to go and apply different permissions on each child individually.
  Ruslan.

• Cross Dimensional Security in Planning

  Got a scenario where the customer is asking for cross dimension security in planning and not sure if it's possible
  Simple Example
  Assume 2 dimensions. Account and Entity
  Entity has 2 members E1234 and E1235
  Account has 2 members Axxx1 and Axxx2
  User is User1
  User should have the following access (assume it's all ReadWrite)
  Axxx2 but only for E1234 (so can't ReadWrite for Axxx1 in E1234)
  Axxx1 but only for E1235 (so can't ReadWrite for Axxx2 in E1235)
  Based on the SecFile.txt
  I could write
  User1,Axxx2,ReadWrite,Member
  User1,Axxx1,ReadWrite,Member
  User1,E1234,ReadWrite,Member
  User1,E1235,ReadWrite,Member
  But I have now given him/her access to everything.....
  I'm worried the answer is that you can't do it. I know you could do it in Essbase itself but can't figure out something for Planning.
  My problem is actually far more complicated than this but if I could do understand this simple example I think I can do everything I need.

  One way to get around this issue is to physically merge the dimensions where you need cross-dimensional security. It's not a great solution, and with large dimensions can be completely impractical due to the number of potential combinations. But if one of your dimensions is small, it can work.
  In our case, we wanted cross-dimensional security on Entities and Departments. We didn't have to create a member for every combination of Entity/Department, because not all combinations were valid (or had data), so we were able to limit the combined dimension's size somewhat.
  - Jake

• Group Security Issue with Business Rules

  Hopefully you experts out there can follow this. We have about 200 users in our Planning application split into 3 categories (Admins, Interactive Users and Planners) via groups setup in Shared services. We also have an email group list setup in Outlook that has all 200 users in it that we use to send out emails to all users regarding the application. So in Shared Services we have the email group list as an assigned group in the Planners group. So as new people are added to the group list in email they are automatically included as a user in the Planning application. People that are Admins or Interactive Users are manually added to those groups in Shared Services. Everything seemed to be working fine until we tried blocking the Planners groups from running certain business rules in the application. We have clusters setup in Essbase to control access to the business rules. I went into the cluster and set the Planners group to cannot validate or launch on certain rules but found that I now could not run the business rules either even though I am an Admin and the Admin group has vaildate and launch privledges in the cluster. I believe the issue has to do with the fact that I am by default in the Planners group because I am in the email group list which is assigned to the Planners group in Shared Services. Other than setting up and managing 3 seperate email group lists and assigning them individually in Shared Services, does anyone know how I can manage business rules security using the 3 groups i have setup? I hope this makes sense. If not I can provide more detail. Thanks.

  Have you tried using Business Rules projects? Create a project for the admin Shared Services group and assign all rules to that group. Create a Planning project for planners and assign only rules that you want them to run. Any rule that planners should not have access to would be removed from the Planner business rules project, but still in the admin project for you to run.

• Alternative to apply dimension security in Planning?

  Hi all,
  I have created a new application and need to apply the security settings which are in the old version of the application. Is there any other way to do this accept going through Administration --> Dimension. View whether there is security on a member, note that what kind of security and which groups are assigned this security? For instance the Entity and Account dimension are very deep and there are lots of user groups, so it will take me ages to replicate this. Any other way to do this?
  Thanks in advance!
  Mathijs

  Hi John,
  We keep ending up with the error below where it says it failed to get identity for user admin. Do you have any idea what's going wrong? Thanks in advance (we're on version 9.3.1.4)
  Executed command:
  D:\hyperion\Planning\bin>
  ExportSecurity.cmd /A=prdhpl02,/U=admin,/P=password,/S_GROUP=BC-HQ2,/DELIM=!,/TO_FILE=BC-HQ2,/DEBUG=true
  Error:
  D:\hyperion\Planning\bin>ExportSecurity.cmd /A=prdhpl02,/U=admin,/P=password,/S_
  GROUP=BC-HQ2,/DELIM=!,/TO_FILE=BC-HQ2,/DEBUG=true
  Tue Aug 04 16:18:20 BST 2009 :: User Name=admin,appName=prdhpl02,searchCriterian
  ull,userSearchCriterianull,groupSearchCriteriaBC-HQ2,valuesDelimiter=!,fileName=
  BC-HQ2.txt,debug=true
  [04-Aug-2009 16:18:20]: Loading System Properties...
  [04-Aug-2009 16:18:20]: Need to create an Object. pool size = 0 creatredObjs = 0
  [04-Aug-2009 16:18:20]: Intializing System Caches...
  [04-Aug-2009 16:18:20]: Loading Application Properties...
  [04-Aug-2009 16:18:20]: Looking for applications for INSTANCE: []
  [04-Aug-2009 16:18:21]: The polling interval is set =10000
  Tue Aug 04 16:18:21 BST 2009 :: Logging into the application
  Arbor path retrieved: D:\Hyperion\common\EssbaseRTC\9.3.1
  [04-Aug-2009 16:18:22]: Setting ARBORPATH=D:\Hyperion\common\EssbaseRTC\9.3.1
  Old PATH: D:\oracle\product\10.2.0\agent10g\jlib;D:\oracle\product\10.2.0\agent1
  0g\bin;D:\oracle\product\10.1.3\OracleAS_1\jdk\bin;D:\oracle\product\10.1.3\Orac
  leAS_1\ant\bin;D:\oracle\product\10.2.0\client_1\bin;C:\Program Files\Windows Re
  source Kits\Tools\;C:\Program Files\Support Tools\;C:\Program Files\HP\NCU;C:\WI
  NDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\NetIQ\AppMan
  ager\bin;C:\Program Files\NetIQ\Common\bin;D:\oracle\product\10.1.3\OracleAS_1\o
  pmn\bin;D:\Hyperion\common\CLS\9.3.1\bin\windows;D:\Hyperion\FinancialManagement
  \Common;D:\Hyperion\FinancialManagement\Server;D:\Hyperion\common\SAP\bin;D:\Hyp
  erion\FinancialManagement\Client
  [04-Aug-2009 16:18:22]: Old PATH: D:\oracle\product\10.2.0\agent10g\jlib;D:\orac
  le\product\10.2.0\agent10g\bin;D:\oracle\product\10.1.3\OracleAS_1\jdk\bin;D:\or
  acle\product\10.1.3\OracleAS_1\ant\bin;D:\oracle\product\10.2.0\client_1\bin;C:\
  Program Files\Windows Resource Kits\Tools\;C:\Program Files\Support Tools\;C:\Pr
  ogram Files\HP\NCU;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Pr
  ogram Files\NetIQ\AppManager\bin;C:\Program Files\NetIQ\Common\bin;D:\oracle\pro
  duct\10.1.3\OracleAS_1\opmn\bin;D:\Hyperion\common\CLS\9.3.1\bin\windows;D:\Hype
  rion\FinancialManagement\Common;D:\Hyperion\FinancialManagement\Server;D:\Hyperi
  on\common\SAP\bin;D:\Hyperion\FinancialManagement\Client
  New PATH: D:\Hyperion\common\EssbaseRTC\9.3.1\bin;D:\oracle\product\10.2.0\agent
  10g\jlib;D:\oracle\product\10.2.0\agent10g\bin;D:\oracle\product\10.1.3\OracleAS
  _1\jdk\bin;D:\oracle\product\10.1.3\OracleAS_1\ant\bin;D:\oracle\product\10.2.0\
  client_1\bin;C:\Program Files\Windows Resource Kits\Tools\;C:\Program Files\Supp
  ort Tools\;C:\Program Files\HP\NCU;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\Sys
  tem32\Wbem;C:\Program Files\NetIQ\AppManager\bin;C:\Program Files\NetIQ\Common\b
  in;D:\oracle\product\10.1.3\OracleAS_1\opmn\bin;D:\Hyperion\common\CLS\9.3.1\bin
  \windows;D:\Hyperion\FinancialManagement\Common;D:\Hyperion\FinancialManagement\
  Server;D:\Hyperion\common\SAP\bin;D:\Hyperion\FinancialManagement\Client
  [04-Aug-2009 16:18:22]: New PATH: D:\Hyperion\common\EssbaseRTC\9.3.1\bin;D:\ora
  cle\product\10.2.0\agent10g\jlib;D:\oracle\product\10.2.0\agent10g\bin;D:\oracle
  \product\10.1.3\OracleAS_1\jdk\bin;D:\oracle\product\10.1.3\OracleAS_1\ant\bin;D
  :\oracle\product\10.2.0\client_1\bin;C:\Program Files\Windows Resource Kits\Tool
  s\;C:\Program Files\Support Tools\;C:\Program Files\HP\NCU;C:\WINDOWS\system32;C
  :\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\NetIQ\AppManager\bin;C:\Prog
  ram Files\NetIQ\Common\bin;D:\oracle\product\10.1.3\OracleAS_1\opmn\bin;D:\Hyper
  ion\common\CLS\9.3.1\bin\windows;D:\Hyperion\FinancialManagement\Common;D:\Hyper
  ion\FinancialManagement\Server;D:\Hyperion\common\SAP\bin;D:\Hyperion\FinancialM
  anagement\Client
  Setting Arbor path to: D:\Hyperion\common\EssbaseRTC\9.3.1
  [04-Aug-2009 16:18:23]: MAX_DETAIL_CACHE_SIZE = 20 MB.
  [04-Aug-2009 16:18:23]: bytesPerSubCache = 8802 bytes
  [04-Aug-2009 16:18:23]: MAX_NUM_DETAIL_CACHES = 2272
  Setting HBR Mode to: 2
  HBR Logging Config File : HBRServer.properties
  2009-08-04 16:18:23,703 WARN main com.hyperion.hbr.security.HbrSecurityAPI - Err
  or retrieving user by identity
  Embedded HBR initialized.
  [04-Aug-2009 16:18:23]: Regeneration of Member Fields Complete
  [04-Aug-2009 16:18:23]: Need to create an Object. pool size = 0 creatredObjs = 0
  [04-Aug-2009 16:18:23]: Thread main acquired connection com.hyperion.planning.o
  lap.HspEssConnection@1117a20
  [04-Aug-2009 16:18:23]: Thread main releasing connection com.hyperion.planning.
  olap.HspEssConnection@1117a20
  [04-Aug-2009 16:18:23]: Thread main released connection com.hyperion.planning.o
  lap.HspEssConnection@1117a20
  [04-Aug-2009 16:18:23]: Need to create an Object. pool size = 0 creatredObjs = 1
  java.lang.RuntimeException: failed to get identity fo useradmin
  at com.hyperion.planning.HspJSImpl.login(Unknown Source)
  at com.hyperion.planning.HspJSImpl.login(Unknown Source)
  at com.hyperion.planning.HyperionPlanningBean.Login(Unknown Source)
  at com.hyperion.planning.HyperionPlanningBean.Login(Unknown Source)
  at com.hyperion.planning.utils.HspExportSecurityCmd.execute(Unknown Sour
  ce)
  at com.hyperion.planning.utils.HspExportSecurityCmd.main(Unknown Source)
  java.lang.RuntimeException: Unable to aquire activity lease on activity 1 as the
  activity is currently leased by another server.
  at com.hyperion.planning.sql.actions.HspAquireActivityLeaseCustomAction.
  custom(Unknown Source)
  at com.hyperion.planning.sql.actions.HspAction.custom(Unknown Source)
  at com.hyperion.planning.sql.actions.HspActionSet.doActions(Unknown Sour
  ce)
  at com.hyperion.planning.sql.actions.HspActionSet.doActions(Unknown Sour
  ce)
  at com.hyperion.planning.HspJSImpl.aquireActivityLease(Unknown Source)
  at com.hyperion.planning.HspJSImpl.reaquireActivityLease(Unknown Source)
  at com.hyperion.planning.utils.HspTaskListAlertNotifier.reaquireTaskList
  ActivityLease(Unknown Source)
  at com.hyperion.planning.utils.HspTaskListAlertNotifier.processTaskListA
  lerts(Unknown Source)
  at com.hyperion.planning.utils.HspTaskListAlertNotifier.run(Unknown Sour
  ce)

• How to lock data independently for several groups in Hyperion Planning?

  I 'm developing a forecast application using Hyperion Planning 9.3.1 where the users shall be able to enter their monthly forecast numbers. We have two groups of users. Each group may have up to two forecast updates per month. The groups are independent – say, Group A may have one update for August and they want the numbers to be there by August 10th, while the Group B may have two updates for the same month with the first update to be completed by July 20th and second – by August 5th. Nobody knows in advance how many updates they are going to have for the month and when they are going to have them. Nothing should prohibit the users from updating their forecast numbers for the future months – say, they may enter their September forecast in July.
  Managers of both groups want to make sure that users don't change forecast numbers after the month close. If they plan to have two updates per month – they want data from the 1st update to be locked (become read-only) before they have 2nd update, and data from 2nd update locked after the month close; if they plan to have only one update per month – they want it locked after the month close.
  Any suggestions how I may structure the dimensions of this application to make sure that if I lock first August update for Group B on, say, August 3rd, the other group still can have it open until August 10th?
  Thanks!

  Hi John
  Well i have working knowledge in ODI, i did whole complete cycle and i did customization project for Oracle EBS to Data warehouse though ODI.
  What, I am NOT able to figure out How to LINK Hyperion Planning Outline to Oracle EBS HR Tables. cause in Hyperion Outline i m able to view Dimensions Not particular Column to map with EBS HR Table (column).
  Eample:
  In EBS HR we have Employee Number in Per_all_people_f but in Hyperion Planning Dimension is ONLY Employee.
  Your response highly appreciated.
  Chreeez
  Sher

• LDAP and Notes Group Security Authentication Troubles

  First, my apologies if this is in the wrong forum, but after looking at the forum names a few times this seemed the most appropriate.
  I have a PDF file that I would like to have access restricted to a certain group on my organization's directory server. I'm kind of the new guy here, so I'm not 100% certain on this, but I'm pretty sure that our setup is:
  A Lotus Domino LDAP server storing the directory information in a Lotus Notes database. Each user has a Notes certificate stored on the server for authentication to various databases we have on our intranet.
  I've entered the LDAP server information in the Security Settings... window in Acrobat, and I'm sure its correct as I can use the same information to browse the LDAP server with Softerra LDAP browser. There is no authentication required, but the server might restrict access based on domain; I'm not sure (shouldn't matter). Anyway, when I go to Manage Trusted Identities... then Add Contacts, then Search, I can never get any results to return.
  I wish to only allow users in a certain group, CN=ALLOWED - GROUP, to have access to the PDF. I feel that there should be a way to accomplish this with the Notes certificates. Anyone know what I'm doing wrong or need to do?
  If something I've said is wrong or unclear, I'd be happy to try again; this sort of thing isn't my forte.
  Thanks in advance,
  Mark

  > I guess the CA is the machine that's hosting the Lotus notes database
  No, the CA is merely an "entity". It's your Certificate Authority, the master certificate used to sign and authenticate all subsidiary certificates. You are talking about setting this up as a PKI for signature validation and managed security, right? Or am I way off base with your workflow and leading you away from where you should be (if so, feel free to ignore me - lots of people do)?
  Leonard is right though, for securing individual PDFs to a specific group you would need LiveCycle Rights Management ES. The security needs to be in the PDF itself otherwise its useless. Say you configure your security at an application level, as you are trying to do, and then someone copies the PDF to a USB key and takes it home. No longer on your network, so they can now freely open the document.

• Warning when i am trying to refresh security in planning

  Hello,
  We are getting a Warning we are getting a warning....This is for the first time i am seeing this in Version 11.
  WARNING: Refresh will recreate the outline for all the Essbase cubes used in this Application based on the current metadata definition in Planning for this application. Please back up your Outline file and export data from all databases before proceeding. Click &#039;Refresh&#039; to proceed.
  I want to know if i can go ahead and refresh the security if i get this warning and would even like to know why i am getting this.

  Hi,
  This is just a standard warning that everybody gets, it is just basically saying that you have been warned that anything goes wrong you should always have a backup.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• How to Integrate new material group into COPA planning KEPM

  Hi Sap Guru's
  Please help me in Integrate new material group into planning
  The planning coordinator is informed that a new material group is to be marketed in the coming year and that this new material group should be included in planning. To generate a default plan value automatically for this new material group, the planning coordinator uses the planning method Copy. In the Transform characteristic values function, the necessary entries are then made so that the sales quantities for an existing, comparable material group are copied to the new material group.
  How can i do the above process...
  Thanks
  Sap Guru

  HI,
  create a new characteristic (KEA5), choose transfer from SAP-table (the tab. where your fiels is available in material master (MARA)), choose the field from the list of available fields from MARA, enter text, save, activate. Assign the char. to your op. concern. Generate the operating concern.
  Aftre this steps the field is in yopur operating concern and the derivation rule can be seen in T-Code KEDR (rule created by SAP automatically). If not, add a derivation rule in KEDR (table lookup).
  best regards, Christian

• Secure APO Planning book by location

  Hello All - I am hoping you can help me. I have been trying to find a way to secure updates to a shared planning book in DP by Sales-Org. The Sales-Org in our environment is a "navigational attribute" and not a "characteristic". I tried creating a custom object using RSSM to no avail. I found some documentation that said you could use a user exit or BAdi method "SELECTION CHECK' (/SAPAPO/SDP_SELECTOR) to run additional authorization checks. I need to know whether this method could be used to secure a _Navigational Attribute?_ If so, what information do I need to provide to the developer to implement this exit?

  Hi,
  You would be able to tackle this partially by adding a new hidden key figure.
  Refer the example below;
  Kfig1. Stat forecast: Calculated using stat forecasting
  Kfig2. Adjusted forecast: user normally changes this
  Kfig3. Hidden copy of Adjusted forecast:
  Using macros copy 1st snap shot of stat forecast to Adjusted and Hidden. once adjustments are done, use Macro to compare Adjustments and Hidden copy of original values, or this can be a overnight batch job to generate alerts
  Hope this helps.
  Pradeep