HFM Security Access

I have a query on HFM security which I have got from the business.
1) Change Doris and Jeanie access to read/display only in HFM production. We should have access to display all data in HFM. – I was not sure which access I should give to meet this requirement.
2) In Process Management, please provide “Start”, “Signoff”, “Approve”, “Reject”, “Publish” in process management for Rob Sage, Debbie Indrieri and Doris Lai. Also, please provide “Promote” and “Submit” access to Elisa Ha and Jaime Akiyama. – Shall I give Review Supervisor for Rob Sage, Debbie and Doris for this access? I am not sure which one I should give for Elisa and Jaime.
Kindly help me in this regard.

I don't use process management so I will not attempt to answer that part of your question.
In regards to the first part, you need to go into Shared Services and assign those users the Read permission for the required security classes. For instance, if all entities are tied to a class called ALLENTITIES, you could go into Shared Services, click on projects, click on the project that holds your application, and then click on the application you are managing. Then you would search for the users/groups in question and add them to the selected list, next you would select the classes you want to assign them access to (i.e. ALLENTITIES). On the next screen you will see a grid with users/groups and classes. Go to the cells and set the Access Rights to read. (Be sure to hit the SAVE button when done)
Alternatively, you can do a security extract from the application, make the updates in the security file, and load that back to the system.

Similar Messages

  • HFM Security Access Edit Logs - Audit

    I have been asked by our internal audit group to provide logs of when users access within HFM have been edited (i.e. added, changed roles, added to groups, etc.). Is there anyone else that has received this request, and more importantly how have you met this request (logs in the system, etc)?
    The only way I have been able to track this is offline via spreadsheets.
    Any/all advice is appreciated.
    Thanks.
    LJ
    Edited by: user8357096 on Mar 23, 2010 7:28 AM

    I have had a couple of clients ask for something like this. At least now with user provisioning you can get reports of what the security was, like a snapshot. Then compare it to another time. But this will only tell you part of the story. If you are using groups, for example, it is possible a user gets added to one group then removed. You would not have access to that change in HFM; it would keep no record of it.
    I would recommend taking an extract and report and archiving them for reference.
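The snapshot comparison suggested in the reply above, as an added example that is not part of the original thread: it diffs two archived access snapshots into a change log an auditor can read. The `principal;security_class;access` line format, the principal names and the sample data are constructed for illustration and are not the layout of an HFM security extract.

```python
"""Diff two archived access snapshots into an audit change log (added example)."""
from typing import Dict, List, Tuple

# Constructed snapshots. Assumed line format: principal;security_class;access
SNAPSHOT_OLD = """\
# constructed sample: earlier archive
user_a;ALLENTITIES;All
user_b;ALLENTITIES;All
grp_reviewers;ALLENTITIES;Read
"""
SNAPSHOT_NEW = """\
# constructed sample: later archive
user_a;ALLENTITIES;Read
grp_reviewers;ALLENTITIES;Read
user_c;ALLENTITIES;Promote
"""

Key = Tuple[str, str]
Change = Tuple[str, str, str, str, str]


def parse_snapshot(text: str) -> Dict[Key, str]:
    """Return {(principal, security_class): access}, rejecting malformed lines."""
    grants: Dict[Key, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: malformed grant {raw!r}")
        principal, sec_class, access = parts
        key = (principal.lower(), sec_class.upper())
        # Two different rights for the same pair means the archive is unreliable.
        if grants.get(key, access) != access:
            raise ValueError(f"line {lineno}: conflicting grants for {key}")
        grants[key] = access
    return grants


def diff_snapshots(old: Dict[Key, str], new: Dict[Key, str]) -> List[Change]:
    """List every grant that was added, removed or changed between snapshots."""
    changes: List[Change] = []
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key), new.get(key)
        if before == after:
            continue
        if before is None:
            kind = "ADDED"
        elif after is None:
            kind = "REMOVED"
        else:
            kind = "CHANGED"
        changes.append((kind, key[0], key[1], before or "-", after or "-"))
    return changes


def audit_report(old_text: str, new_text: str) -> List[Change]:
    return diff_snapshots(parse_snapshot(old_text), parse_snapshot(new_text))


if __name__ == "__main__":
    for change in audit_report(SNAPSHOT_OLD, SNAPSHOT_NEW):
        print("{:8} {:15} {:12} {} -> {}".format(*change))
```

A grant that is added and removed again between two archives never appears in this diff, so the archive interval bounds what the log can show.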

  • HFM Security Issue - User can submit a journal by by-passing the approval step even though they are not an admin.

    Hi All,
    I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
    The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
    If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible -
    input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
    "User does not have the access right to perform this journal task"
    The options I have thought for a workaround are as follows:
    1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
    2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
    Has anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
    We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks,
    they are:
    1. A data Inputter (who inputs base data and journals, who has access to create and submit journals)
    2. A data reviewer (who approves journals)
    The process is as follows:
    1. Logon as Data inputter to submit the journals
    2. Logon as Data reviewer to approve the journals
    3. Logon as Data inputter to post the Journals
    We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed
    but once it comes back to step 3, we get an error as follows:
    "User does not have the access right to perform this journal task"
    (This error comes about when the access control on custom 4 is set to None, Read, Promote)
    Custom 4 Access Rights looks as follows:
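    |            | C4_ADJ01 | C4_ADJ02 | C4_ADJ03 | C4_ADJ04 |
    |------------|----------|----------|----------|----------|
    | HFMDefault | Read     | Read     | Read     | Read     |
    | HFMLoad    | All      | Promote  | None     | Read     |
    | HFMReview  | Read     | All      | All      | All      |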
    When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
    For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
    Roles for the groups that users assigned look like the following:
    |   | Test User Name | Test User Name | Access Rights |
    |---|----------------|----------------|---------------|
    | 1 | Base Data input/Journal Data input | test_HFMLoad | Reviewer 1, Review Supervisor, Create Journals, Read Journals, Database Management, Enable write back in Web Grid, Load Excel Data, Generate Recurring, Post Journals, Create Unbalanced Journals, Manage Templates, Data Form Write Back from Excel, Consolidate |
    | 2 | Data Reviewer | test_HFMReview | Reviewer 1, Review Supervisor, Create Journals, Read Journals, Database Management, Approve Journals, Consolidate, Reviewer 2, Generate Recurring, Manage Templates, Create Unbalanced Journals |
    Any help or advice would be much appreciated.
    Thanks in advance,
    M.
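A segregation-of-duties check over the access matrix and role lists in the post above, as an added example that is not part of the original thread. It assumes the behaviour the poster reports (posting succeeds only with the Post Journals role plus All access on the Custom4 class), assumes test_HFMLoad and test_HFMReview correspond to the HFMLoad and HFMReview rows, and uses a hypothetical HFMPost group to model workaround 1; none of this is verified against HFM itself.

```python
"""Segregation-of-duties check for journal posting (added example)."""
from typing import Dict, List, Set, Tuple

CLASSES = ["C4_ADJ01", "C4_ADJ02", "C4_ADJ03", "C4_ADJ04"]

# Access per Custom4 class, transcribed from the post (same order as CLASSES).
ACCESS: Dict[str, List[str]] = {
    "HFMDefault": ["Read", "Read", "Read", "Read"],
    "HFMLoad": ["All", "Promote", "None", "Read"],
    "HFMReview": ["Read", "All", "All", "All"],
}
# Journal-related roles from the post (assumed group-to-row mapping).
ROLES: Dict[str, Set[str]] = {
    "HFMLoad": {"Create Journals", "Read Journals", "Post Journals"},
    "HFMReview": {"Create Journals", "Read Journals", "Approve Journals"},
}

Finding = Tuple[str, str, str]


def can_post(group: str, idx: int, access, roles) -> bool:
    # Assumed rule, taken from the poster's observations: posting needs the
    # Post Journals role and All access on the journal's Custom4 class.
    has_role = "Post Journals" in roles.get(group, set())
    return has_role and access[group][idx] == "All"


def check(access, roles) -> List[Finding]:
    """Report classes where one group can create and post, or nobody can post."""
    findings: List[Finding] = []
    for idx, cls in enumerate(CLASSES):
        posters = [g for g in access if can_post(g, idx, access, roles)]
        if not posters:
            findings.append((cls, "BLOCKED", "-"))  # posting fails for everyone
        for group in posters:
            if "Create Journals" in roles.get(group, set()):
                # Same group enters and posts: approval is not enforced.
                findings.append((cls, "BYPASS", group))
    return findings


def split_poster(access, roles):
    """Hypothetical model of workaround 1: a separate posting group."""
    new_roles = {g: set(r) for g, r in roles.items()}
    new_roles["HFMLoad"].discard("Post Journals")
    new_roles["HFMPost"] = {"Read Journals", "Post Journals"}  # hypothetical
    new_access = {g: list(a) for g, a in access.items()}
    new_access["HFMPost"] = ["All"] * len(CLASSES)
    return new_access, new_roles


if __name__ == "__main__":
    print("as posted:", check(ACCESS, ROLES))
    print("split poster:", check(*split_poster(ACCESS, ROLES)))
```

Run against the posted configuration, the check reproduces both symptoms: C4_ADJ01 is flagged as a bypass and the other three classes as blocked.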


  • Monitoring HFM security

    I am using Hyperion 11.1.2.1. and want to monitor some HFM security.
    Is there any way we can find that :
    how many number of users are currently accessing a particular HFM Application and can identify them with their user-details and login-details whenever required ?
    how many number of users are currently accessing the whole HFM Application(Schema) and can identify them with their user-details and login-details whenever required ?
    -----Sunny

    Hi Sunny,
    As the subject was about HFM Security, I have given you the query or details which I was aware of about HFM.
    1. I mean to say for the tables I have listed in the query there are other columns as well, so if you want to get more details then you can select which are all the columns you would require and add them accordingly in the query.
    2. Yeah, it's possible to get the details about users connected to an application even. Here is the query you need to change for this, as below:
        select h.sservername, h.sappname, s.susername,
               to_char((to_date('01/1900','MM/YYYY') + h.dstarttime - 2), 'DD/MM/YYYY hh24:mi:ss'),
               h.lactivitycode, h.sactivitydesc
        from hsv_users_on_system h, hsv_activity_users s
        where h.luserid = s.luserid
        order by sservername
    Also, as you were asking for historical/past login times and details, here is the query below which will help you in analysing things better, with the activity they did and the time they logged in and carried out the activity.
        select g.servername, g.appname,
               to_char((to_date('01/1900','MM/YYYY') + g.starttime - 2), 'DD/MM/YYYY hh24:mi:ss'),
               to_char((to_date('01/1900','MM/YYYY') + g.endtime - 2), 'DD/MM/YYYY hh24:mi:ss'),
               g.strdescription, s.susername
        from Appname_task_audit g, hsv_activity_users s
        where g.activityuserid = s.luserid
        -- optional: to exclude the admin id, add this line at the end of the query:
        -- and s.susername not like '%admin%'
    As the audit logs are specific to applications, you need to replace "appname" in the query with the name of the application whose audit you want to check.
    Ex: if your application name is abcd then your query should be something like this:
        select g.servername, g.appname,
               to_char((to_date('01/1900','MM/YYYY') + g.starttime - 2), 'DD/MM/YYYY hh24:mi:ss'),
               to_char((to_date('01/1900','MM/YYYY') + g.endtime - 2), 'DD/MM/YYYY hh24:mi:ss'),
               g.strdescription, s.susername
        from abcd_task_audit g, hsv_activity_users s
        where g.activityuserid = s.luserid
        -- optional: to exclude the admin id or any specific user, add or change this line at the end of the query:
        -- and s.susername not like '%admin%'
    Hope this helps !!!!
    Thanks
    Amith

  • HFM Security Class Java API

    Dear All,
    I'm trying to get HFM Security Class info using Java APIs. Recently I was able to connect to the Hyperion Shared Services using the hyperion css.jar java file. Is there a similar jar to access the Security classes and get users, groups and vice versa?
    Any examples would be great as well.

    Thanks for the reply. I was hoping this was not the case...
    In 9.2 I used these objects but I was hoping to move away from this and use provided API's.
    I'm using c# to talk to the object which I expose to java using web services so I guess that is what I'll be using!!!
    Cheers,

  • HFM Security Class and Security

    Hi All my Peers,
    Can anyone explain to me what the difference is between Security Class and Security?

    No offense, but if you don't understand these concepts well enough, your CV should probably be sent a far distance if you are trying to get an experienced consulting position. Understanding security is an important piece to the puzzle, especially when dealing with large amounts of financial data.
    With that said.......
    Security - Generally speaking, the goal of security is to control access to data, objects, programs, etc. In the Hyperion sense, security is managed in multiple different ways :
    - Program Access : Only users who are linked to Hyperion's Shared Services AND have the proper provisioned rights can open a program. (i.e. HFM, Reports, Workspace, FDM, etc, etc, etc.)
    - Provisioning : There are different types of rights per program that a user can have. Provisioning is the act of assigning these rights. (i.e. HFM has multiple rights such as Application Administrator, Default, Provisioning Manager, etc.)
    - Data / Object Access : Even if you have the right to enter the program, there is generally another layer of security which controls what you can do. For instance, inside of HFM, you can configure security for objects such as Data Forms and Data Grids. Furthermore, you can limit the user's ability to change or view data for specific entities, accounts, as well as other dimensions.
    - Security Classes : The security classes that you assign in the metadata are used during the act of assigning the Data / Object access controls. Users (and Groups) are assigned View Only, All (Read/Write), or None access to HFM Security Classes.
    This is a ridiculously high level overview. To get a much better understanding, I strongly recommend that you read the product documentation for the specific products you are using. If you are using 11.1.2.1 / HFM, here are a couple of documents that are of value :
    http://docs.oracle.com/cd/E17236_01/epm.1112/hfm_admin.pdf - Administrators guide which has a section on security.
    http://docs.oracle.com/cd/E17236_01/epm.1112/hfm_user.pdf - Users' guide which talked to security in terms of forms/ grids
    General System 11 doc : http://docs.oracle.com/cd/E17236_01/nav/portal_5.htm
    Hope that helps

  • Automate HFM Security extract?

    Hi,
    HFM Security can be extracted in below methods
    1. In workspace > Extract Tasks> Extract Security
    2. In Shared service > Application Groups > Rt Click on App Name> Assign Access control > Security Reports
    Please let me know if there are any other ways to extract security reports.
    Can we automate "extracting security reports"?
    Thanks in Advance.
    Regards,
    AVSR

    Overview: create a migration definition file for HFM (migrating what information you need, in your case it would be security)... save the file, don't execute. Using cmd prompt, run the LCM utility.bat, supplying it with the information needed as well as the migration file. Automate it by creating a batch file to run your migration file and the utility. Schedule the batch file in task scheduler and it will run whenever needed.
    Search for it on the Oracle knowledgebase. There's a lot of info on LCM there.

  • Providing un-secured access to a web report.

    Hello Experts,
    We have been sending out 'Load Status' emails on a daily basis for various BW loads. Recently we discontinued this process and set up a report based on one of the statistics cube. We got out the link for this web-report to all the users in our daily load status distribution list.
    The problem now is that when you click on the link, it pops out a window asking for the log-on information to our production system. But it looks like a few of the users do not have access to the production system and are hence unable to access this web-report.
    Is there any way to allow un-secured access to this particular web-report to all users, i.e. without a screen asking for log-on information? Is it possible to set up a generic user id for this report that allows all the users to access this report without actually giving them access to our production system?
    Thanks
    Arvind

    Arvind,
    What is your BI system version ?
    if it is 3.x - then the URL will have a link to your server followed by a Question mark "?" and then some parameters.
    The value till the ? mark is the Web service for the same - you can make this Anonymous in SICF but then this would mean that all queries can be accessed through this URL ...
    else create an RFC enabled function module based on RRW3_Query_View_data and then use this for your query and expose the same as a web service and make it anonymous ... or have a BSP page to do the same....

  • Link does not work for-End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System 5.4

    Link does not work for
    End-of-Sale and End-of-Life Announcement for the Cisco Secure Access Control System 5.4
    How do we get Cisco to fix?
    see attachment

    Give it a couple of days - it looks like they just sent out the notification before the notice was published on the public page.
    Once the ACS 5.4 EoS/EoL notice is published you should see it linked from this page.

  • Creating Historical based Security Access Type

    I am trying to create a Security Access Type for PPLJOB that will look at the Reg_Region of an employee and if the historical rows of JOB contain the reg_region, use the employee in a Data Permission for Security. I want to know if anyone has tried this before and how the SQLID for Where needed to be coded. I created a SQLID with the following statement which didn't pull any employees:
        PA.EMPLID = JOB.EMPLID
        AND PA.EMPL_RCD = JOB.EMPL_RCD
        AND JOB.EFFDT = (SELECT MAX(EFFDT) FROM PS_JOB JOB2
                         WHERE JOB.EMPLID = JOB2.EMPLID AND JOB.EMPL_RCD = JOB2.EMPL_RCD
                           AND JOB2.EFFDT <= %CurrentDateIn)
        AND JOB.EFFSEQ = (SELECT MAX(EFFSEQ) FROM PS_JOB JOB3
                          WHERE JOB.EMPLID = JOB3.EMPLID AND JOB.EMPL_RCD = JOB3.EMPL_RCD
                            AND JOB.EFFDT = JOB3.EFFDT)
        AND JR.EMPLID = JOB.EMPLID
        AND JR.EMPL_RCD = JOB.EMPL_RCD
        AND JR.EFFDT = JOB.EFFDT
        AND JR.EFFSEQ = JOB.EFFSEQ
        AND JOB.REG_REGION <> %Bind(SCRTY_KEY1)
        AND EXISTS (SELECT 'X' FROM PS_JOB JOB4
                    WHERE JOB.EMPLID = JOB4.EMPLID AND JOB.EMPL_RCD = JOB4.EMPL_RCD
                      AND JOB4.EFFDT < JOB.EFFDT AND JOB4.REG_REGION = %Bind(SCRTY_KEY1))

    Thank you for the feedback, Carl. Again, I am new to this, so please be patient with me. I am not sure what you mean about adding the parameter to the record selection formula. I have dragged the parameter field into the report so that it will prompt for parameters before running, but I do not think that is what you are talking about. Please advise.
    To your question about the Submit Date field in the report, when I open up the report and I point at the field for Submit Date the popup shows HPD_Help_Desk.Submit_Date (DateTime). That being the case, I think the answer to your question is that the data type of the data being returned is DateTime. Thanks again for the assistance.

  • Problem with Cisco Secure Access Server 3.0

    Hi All,
    Please what is my problem? I use Cisco Secure Access Server Version 3.0 for Windows 2000/NT Servers to authenticate users on our wireless network. I however wish to assign monthly time limits to each user after which he/she will no longer have access until next month or the timer is reset. I tried this with the "User Usage Quota" under User setup. I set the Server to "Limit user to X hours of online time per Month" and enabled the "Use these settings" and also checked the box by the side of the option. I saved and restarted my server. Unfortunately the settings did not work for all the users whose quotas I set.
    What am I doing wrong? Please assist.
    Chafe

    Do you have your AP's sending accounting data? If not, ACS has no way of knowing how long they've been online?
    You can utilize your ACS logging to see what your accounting looks like to confirm whether you are receiving accounting packets or not?
    HTH
    Jeff

  • A simple report to list security access on all folders

    Hi there
    I want a simple report to list security access on all folders (group wise)
    any help ...??
    Thanks.
    Rakesh.

    Hi AnTiiiKa,
    For this issue, you can first retrieve all the users on the site, then get all permissions of each user. With this PowerShell Script you could retrieve all Permissions for a Specific User for a SiteCollection on all Webs and Subwebs, Lists and Items. Here is an article about how to get all Roles and Groups from the User and the URL.
    SharePoint SP2010 - Retrieve all User Permissions via PowerShell:
    http://sp2010userperm.codeplex.com/
    Save the report to a CSV (Excel file):
        $web = Get-SPWeb http://address/site/site/site
        $user = $web.AllUsers
        Get-SPWeb YOURURL | Get-SPUserEffectivePermissions $user | Export-Csv -NoTypeInformation -Path c:\perms.csv
    Please inform me freely if you have any questions.
    Thanks

  • Cisco Secure Access Control Server Solution Engine OR Cisco Secure Access Server ?

    Which product is really affected, the Cisco Secure Access Control Server Solution Engine, which is a hardware appliance with software from 3.2 to 4.2, or the Cisco Secure Access Control Server Software appliance available for installing as a virtual machine into VMware ESX/ESXi 5.0 with 5.X software?
    Thank you for clarifying
    Best regards
    Marco

    Hi Thomas,
    You can download ACS for windows 4.1 or 4.2 from the below listed link:
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval
    For ACS 5.x, please visit cisco.com
    Download software > Security  > Cisco Secure Access Control System 5.x  > Secure Access Control System Software
    HTH
    Regards,
    Jatin
    Plz rate helpful posts-

  • Minimum set of ACLs / security access required for getting MBeanHome and Runtime MBeans

    Hi,
    Where can I get information regarding the "minimum set" of ACLs and security access/permission
    required for
    a) Accessing weblogic.management.MBeanHome [Local and Admin interfaces] and RemoteMBeanServer
    interfaces
    b) Use MBeanHome and RemoteMBeanServer interface to look up MBeans [especially
    Runtime MBeans] for Cluster, Server instances, EJBs, JDBC, Execute Queues, etc?
    Any help or hint is appreciated!
    Regards,
    DKV

    "DKV" <[email protected]> wrote in message
    news:3f4e8429$[email protected]..
    > Hi,
    > Where can I get information regarding the "minimum set" of ACLs and security access/permission
    > required for
    I believe this was answered in the management jmx newsgroup.

  • 'SNMP Security access violation' from Leopard

    Hi all,
    We're noticing on Leopard (not Tiger) that when a user tries to add a printer and lets the "Default" printer type browse the network, our switches log the following error "SNMP Security access violation from <IP adress>".
    This is going to be a security problem for us when we implement a new system that uses SNMP.
    This didn't occur in Tiger, and even happens if we disable Bonjour and SNMP on the Leopard clients.
    Can anyone please advise what is happening and how I might be able to stop these SNMP traps being sent when browsing for a printer??
    Thanks in advance.

    Hi Jon,
    This information may be useful to you:
    http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627124348873889228353475&threadId=398409
    Regards,
    Peter.
