HFM security Class

Hello Guys,
I've to create around 3500 security classes and the same number for the HSS roles. I'm wondering if there is a way to bulk upload from a txt or a csv file rather than create everything manually.
Thanks
Fran

That's right: HFM's security extract has four sections: users/Groups, Security Classes, User/Group Role assignments, and User/Group class access. This can be easily coded outside of HFM and then loaded into the HFM application directly. Please note that security can only be loaded in Merge mode, so if you need to remove a user's access, you must do so from within Shared Services. Do not use the "Clear all security" mode unless you plan to rebuild the application entirely.
--Chris
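
One way to build and sanity-check such a load file from a CSV outside HFM, as an added example (not from the posters and not Oracle's code). The CSV column names, the group names, the `!`-prefixed section markers and the semicolon-separated row layout are assumptions modelled on the four sections named above; take the exact syntax from a security extract of your own application before loading anything.

```python
import csv
import io

# Access levels that appear on this page for security class access.
ACCESS_LEVELS = {"None", "Read", "Promote", "All", "Metadata"}
COLUMNS = ("principal", "role", "security_class", "access")  # assumed CSV header


def _unsafe(value, delimiter):
    """True if a field could alter the file structure once written out."""
    return (delimiter in value or value.startswith("!")
            or "\n" in value or "\r" in value)


def build_security_file(csv_text, delimiter=";"):
    """Return (file_text, errors); file_text is None if any row is rejected."""
    principals, classes, roles, grants, errors = [], [], [], {}, []
    rows = csv.DictReader(io.StringIO(csv_text))
    for n, row in enumerate(rows, start=1):
        f = {c: (row.get(c) or "").strip() for c in COLUMNS}
        who, cls, access = f["principal"], f["security_class"], f["access"]
        bad = [c for c in COLUMNS if _unsafe(f[c], delimiter)]
        if not who:
            errors.append(f"row {n}: missing principal")
        elif bad:
            errors.append(f"row {n}: unsafe characters in {', '.join(bad)}")
        elif bool(cls) != bool(access):
            errors.append(f"row {n}: security_class and access go together")
        elif access and access not in ACCESS_LEVELS:
            errors.append(f"row {n}: unknown access level {access!r}")
        elif cls and grants.get((cls, who), access) != access:
            errors.append(f"row {n}: conflicting access for {who} on {cls}")
        else:
            if who not in principals:
                principals.append(who)
            if f["role"] and (f["role"], who) not in roles:
                roles.append((f["role"], who))
            if cls:
                grants[(cls, who)] = access
                if cls not in classes:
                    classes.append(cls)
    if errors:
        return None, errors
    # Section markers below are assumed, one per section named in the answer.
    lines = ["!USERS_AND_GROUPS", *principals, "!SECURITY_CLASSES", *classes]
    lines += ["!ROLE_ACCESS", *(delimiter.join(r) for r in roles)]
    lines.append("!SECURITY_CLASS_ACCESS")
    lines += [delimiter.join((c, p, a)) for (c, p), a in grants.items()]
    return "\n".join(lines) + "\n", []


# Constructed sample input: group names are made up for this example.
GOOD_CSV = """\
principal,role,security_class,access
grp_sk01_users,Default,SK01,All
grp_sk01_users,,SK02,Read
grp_consol,Advanced User,SK01,All
"""

# Constructed rows that must be rejected: an unknown access level, a class
# name that smuggles in extra delimited fields, and two conflicting grants.
BAD_CSV = """\
principal,role,security_class,access
grp_a,,SK01,Write
grp_a,,SK01;grp_b;All,Read
grp_b,,SK02,Read
grp_b,,SK02,All
"""

if __name__ == "__main__":
    text, errs = build_security_file(GOOD_CSV)
    print(text)
    print(build_security_file(BAD_CSV)[1])
```

Because the load is merge-only, keep the source CSV under version control and review each generated file against it before loading.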

Similar Messages

  • HFM Security Class Java API

    Dear All,
    I'm trying to get HFM Security Class info using Java APIs. Recently I was able to connect to the Hyperion Shared Services using the hyperion css.jar java file. Is there a similar jar to access the Security classes and get users, groups and vice versa?
    Any examples would be great as well.

    Thanks for the reply. I was hoping this was not the case...
    In 9.2 I used these objects but I was hoping to move away from this and use provided APIs.
    I'm using C# to talk to the object which I expose to Java using web services so I guess that is what I'll be using!!!
    Cheers,

  • HFM Security Class and Security

    Hi All my Peers,
    Can anyone explain to me what the difference is between Security Class and Security?

    No offense, but if you don't understand these concepts well enough, your CV should probably be sent a far distance if you are trying to get an experienced consulting position. Understanding security is an important piece to the puzzle, especially when dealing with large amounts of financial data.
    With that said.......
    Security - Generally speaking, the goal of security is to control access to data, objects, programs, etc. In the Hyperion sense, security is managed in multiple different ways :
    - Program Access : Only users who are linked to Hyperion's Shared Services AND have the proper provisioned rights can open a program. (i.e. HFM, Reports, Workspace, FDM, etc, etc, etc.)
    - Provisioning : There are different types of rights per program that a user can have. Provisioning is the act of assigning these rights. (i.e. HFM has multiple rights such as Application Administrator, Default, Provisioning Manager, etc.)
    - Data / Object Access : Even if you have the right to enter the program, there is generally another layer of security which controls what you can do. For instance, inside of HFM, you can configure security for objects such as Data Forms and Data Grids. Furthermore, you can limit the user's ability to change or view data for specific entities, accounts, as well as other dimensions.
    - Security Classes : The security classes that you assign in the metadata are used during the act of assigning the Data / Object access controls. Users (and Groups) are assigned View Only, All (Read/Write), or None access to HFM Security Classes.
    This is a ridiculously high level overview. To get a much better understanding, I strongly recommend that you read the product documentation for the specific products you are using. If you are using 11.1.2.1 / HFM, here are a couple of documents that are of value :
    http://docs.oracle.com/cd/E17236_01/epm.1112/hfm_admin.pdf - Administrators guide which has a section on security.
    http://docs.oracle.com/cd/E17236_01/epm.1112/hfm_user.pdf - Users' guide which talks to security in terms of forms / grids
    General System 11 doc : http://docs.oracle.com/cd/E17236_01/nav/portal_5.htm
    Hope that helps

  • Where are HFM security classes created/maintained

    Point me in the right direction please...
    We are on 9.2.1
    Thanks
    Jeff

    Ok, now we have two pieces of information, but still a third is missing for a complete answer:
    1. Security is stored in relational tables as specified in the first answer
    2. Security can be maintained by importing text files of appropriate format as specified in the second answer
    3. Security can be maintained by using the SharedServices Web client, which is a more user friendly way to manage security
    Using the Shared Services Web client (http://[servername]:[portnumber]/interop/, typically portnumber=58080) you must first provision the users to use the application, by selecting the proper user directory > users or groups > search for the active user you are interested and right click - provision. This leads you to a screen where you must specify which applications your user/group can access and the level of access.
    Then by selecting the application under the appropriate project (projects > [project name] > [app name]) you can define classes and assign classes to users.
    Regards
    KN

  • Missing security classes

    Hi all,
    I have updated Security Class dimension via EPMA (added but also removed some classes). Deploy was successful and the application is in sync with EPMA.
    When I wanted to update security class access via HSS, I couldn't find new classes and old ones (which I removed via EPMA) were still there.
    How is that possible? I don't see any problem in interconnection between HFM and HSS but this seems that security classes haven't been refreshed in HSS.
    Could anyone help me with this please?
    BR
    Vladino
    EDIT
    I can see newly added classes but I can see also old ones. This is really weird... I have duplicated the application, cleared all data and metadata but old classes are still there. :-/
    Edited by: Vladino on Jul 11, 2011 1:49 PM

    Solved.
    The issue was because of migrating the old application into new one with different security classes. After clean deploy everything was fine but the migration (using command-line utility) replaced security settings with that coming from the old application.
    Vladino

  • Shared Services Security Classes

    Hello,
    I wanted to know what the real value of having Security classes set up? I understand that having Security Classes on Shared Services is not mandatory. Under which circumstances should you use Security Classes and as I am involved in setting up Shared Services, I was wondering if I should use this option or not. We are currently in the development phase of HFM and Planning.
    If anyone can shed light on this issue, it would be greatly appreciated. Thank you.
    -- A

    Hey guys,
    I really appreciate the response.
    The fact that Security Class may be assigned at the Entity level does ring bells. We do want to ensure that certain entities can only see their own data and not others.
    I believe I will use Security class at the entity level for our company.
    Can you give me some examples of assigning Security classes for HFM?
    Wintee's suggestion of assign - read only and stuff like that is okay but seems a bit generic. Thank you very much for your suggestion though Wintee.
    I also wanted to know the exact difference between an administrator, delegated administrator, application administrator. Who assigns who?
    If you had to make a hierarchy of users for Shared Services, what would it be: Admin, Delegated Admin, App. Admin, Provisioning Mgr, Directory Mgr? Who comes at the top? Thanks so much for your help so far guys...much appreciated.
    -- A

  • HFM Security Report Automation?

    Is there a way to automate the running of the HFM (Hyperion Financial Management) Security Report in Shared Services?
    version: 11.1.2.0
    Is this possible with using Task Automation? ---> If yes please provide details
    If this is possible using other reporting tools like HFR, web analysis, etc. ---> This is not recommended
    If any other way, Please provide details.
    Thanks All!!
    Regards,
    AVSR

    I think the best way to produce custom security files is using the HFM API. You can use this to report on group memberships and roles and class access. You can read all about it in the Web Developer's Guide Chapter 10. The chapter starts:
    The HFMwSecurity type library contains the HFMwSecurity component. This component
    provides methods that enumerate an application’s security classes, indicate whether a user has
    rights to perform a given task, and return other types of security information.
    I have seen these used to great effect.

  • HFM security filter ?

    In HFM, I don't seem to have a way to achieve this:
    One user has write access to Entity A + all products
    The same user needs Read Only access to Entity B but a couple of the products only
    Because the security classes attached to Entity and Product (Custom2 for us) dimensions are laid out flat on Shared Services, I can only assign one type of access to the same security class.
    This is different in Essbase, for example, where I can create a security filter and grant a user access to different combinations (intersections) of dimensions.
    Is there such thing as security filter in HFM?
    Thanks in advance!

    I do plan to assign unique security classes to entities and products.
    But how do we assign access to combos? In the Pivot table where you have all the security classes on the row, and all the users(groups) on the columns.
    The goal is to prevent the product line leader user from reading other products in the entity that he's not responsible for.
    For example, this user has Write access to E_Brazil, and all data loaded on C2 for Brazil. Then he needs to have Read access to E_China, but only C2_Golfball. We do not want him to see other products for China, however, he needs to load data to other products in Brazil. This is especially true with the Custom2 member [None] for all the data that do not require a product. Then what access shall we give to the security class C2_None ? It doesn't seem that we have a way to assign access to a combo, but just to each unique security classes ?

  • Hierarchy in Security Class

    Hi experts,
    Can we create hierarchies in security class dimension? If yes, can you please let me know how to achieve this in CLASSIC? Any documentation on this would be extremely useful.
    Regards,
    Sounak

    Security classes are never hierarchical in HFM, not in Classic nor in EPMA mode. Each class is independent of the other, and they can only be displayed in a flat list.
    There are times we need to review the metadata in hierarchical format along with the assigned classes. For this you can use the HFMUtilities from Oracle. The following is from OTN:
    Up to v9.3.1 HFMUtilities Utility is placed under ~:\Hyperion\FinancialManagement\Consultant Utilities folder which was shipped along with the product.
    From v11.1.x HFMUtilities Utility is not shipped along with product bundle. The latest release of HFMUtilities Utility can be accessed via Oracle Technology Network at http://www.oracle.com/technology/products/bi/files/hfmutilities.zip. Latest utility can be used with all Hyperion Financial Management versions.
    Note: This is a third-party utility developed and maintained by Accelatis. Suggestions and queries related to the HFMUtilities utility should be sent to Jonathan Berry at [email protected] or [email protected].
    --Chris

  • Provisioning, security classes etc.

    Hi there,
    I have several questions about setting up security in HFM application.
    1. Provisioning
    We have several users that can be divided into two general groups - end users and consolidation users.
    General users should use only project view with task lists. They shouldn't create any new grids or forms, only existing. And they should use export/import feature from forms.
    Consolidation users should have access to almost all features.
    What privileges should be each group provisioned in HSS?
    2. Security classes
    We have prepared entity dimension split into several hierarchies. Basic one is geographical, another are functional and entities are shared in these hierarchies. Let's say that we have SK region with SK entities (SK01, SK02...). I know that we should create security class for each entity to grant users access only to their own entity. But I'm not sure how to do that...
    I have created two security classes - SK01 and SK02 - and associated them to appropriate entities. Then I have selected security for entities in app settings and selected "Entity" option in security node.
    In shared services I have selected "All" for security class SK01 and "metadata" for security class SK02 (for my account for testing purposes only). But nothing happened - I'm still able to write to both entities.
    The question is if there is any connection between security class settings and provisioned roles. I mean if this is because I'm provisioned with all rights in application (meaning "Application Administrator" in HSS).
    Can anybody help me with this please?
    Thanks,
    Vlado

    In shared services, go to help and search for Financial Management Roles. This will bring you to a nice table of all available roles for HFM. Use this to determine who gets what. To limit users to Tasklists, be sure to not provision them to Advanced User.
    Make sure you are very specific with those consolidation users. Many roles should be Admin only. The way I figured them out was to create fake users in Native Directory (one for each type of user) and provision a role at a time and test the functionality.
    The above test will help with Security Classes as well. Your guess was correct, Administrator role overrides all security classes. You may not need a class per entity, just a class per group of entities that a distinct set of people will need. You will also need classes applied to Parent entities that may or may not be shared among your hierarchies. In your example this could be SK or it could be SK01 if that works. Try to keep the total number of classes down. You might end up assigning a unique combination of classes to each person in the system and that would be very difficult to maintain. Remember to assign the same access to the Default class as the highest access the user has. If in doubt, just grant All for the Default class. Default is assigned to all items in metadata unless you specify otherwise. For example, all accounts will have Default security and if a user only has Read, they will not be able to create a journal entry.
    Here is how the class access works:
    None - user cannot view or edit data
    Read - user can view data
    All - user can view and edit data
    Metadata - I have not used this one.

  • Security Classes in HSV_SECACCESS table showing wrong OU

    We moved some users from one OU to another in Active Directory. I then ran the updatenativedir utility.
    However, when I provision the user with security classes for HFM in shared services, the records in the hsv_appname_secaccess table are still showing under the old OU. This will cause problems when the user tries to login and work.
    Do I have to restart openLDAP and Shared Services to make these changes effective?
    Thanks
    Wags
    version 9.2.1

    Long term you should speak to Oracle Consulting about migrating your Identity Attribute in your External Authentication provider from whatever it is currently to one that is location agnostic such as ObjectGUID. It is quite trivial to migrate from DN to ObjectGUID for the HFM product, but it may be more complex for other products in the System 9 suite. From 9.2.0.3, 9.2.1, or all 9.3.1 versions Shared Services was enhanced to allow the use of ObjectGUID and then it does not matter when user or groups are moved around in the external provider (no more need for the UpdateNativeDir utility!)... this is the better solution.
    Having said that, you should check in Shared Services if this user who is getting assigned the security class access doesn't exist more than once in the Security Class matrix... probably you are still assigning security to his "old" ID, and need to be applying the security onto his new ID. If he really does only exist once, still with the wrong OU, after you have run the UpdateNativeDir utility, I would recommend a Support request.

  • HFM Security Access

    I have a query on HFM security which I have got from the business.
    1) Change Doris and Jeanie access to read/display only in HFM production. We should have access to display all data in HFM. – I was not sure which access should I give to get this requirement.
    2) In Process Management, Please provide “Start”, “Signoff”, “Approve”, “Reject”, “Publish” in process management for Rob Sage, Debbie Indrieri and Doris Lai. Also, Please provide “Promote” and “Submit” Access to Elisa Ha and Jaime Akiyama. – Shall I give Review Supervisor for Rob Sage, Debbie and Doris for this access and not sure which one should I give for Elisa and Jaime.
    Kindly help me in this regard.

    I don't use process management so I will not attempt to answer that part of your question.
    In regards to the first part, you need to go into Shared Services and assign those users the Read permission for the required security classes. For instance, if all entities are tied to a class called ALLENTITIES, you could go into Shared Services, click on projects, click on the project that holds your application, and then click on the application you are managing. Then you would search for the users/groups in question and add them to the selected list, next you would select the classes you want to assign them access to (i.e. ALLENTITIES). On the next screen you will see a grid with users/groups and classes. Go to the cells and set the Access Rights to read. (Be sure to hit the SAVE button when done)
    Alternatively, you can do a security extract from the application, make the updates in the security file, and load that back to the system.

  • Creating Security Class in EPMA

    I am unable to create security classes in HFM EPMA 11.1.2.2.3 - can someone please enlighten me with the Security procedure for HFM in EPMA App.
    Thanks in Advance

    You need to create a "security class" dimension in EPMA and associate your HFM dimensions with it.
    See the following page on how to work with HFM dimensions in EPMA;
    http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_architect/frameset.htm?epma_hfm_prop.html

  • HFM Security Audit

    Hi,
    Is there any process to get a Security audit report (need a report like Users and their corresponding Security class and Groups for HFM, FDM and FR) each month?
    Thanks,
    Mo

    Could you be more specific please? There are many reports throughout the products that provide different types of security information. This also varies by release. Please tell us what version you are using and what information you need and we can help.
    Separately, I will be presenting Security and Auditing in HFM at Kaleidoscope the end of June in Long Beach, CA. At that time I'll go into detail on how to set up security and how to report on that. It will be a great conference with lots of good content, including this.
    --Chris

  • HFM Security Issue - User can submit a journal by by-passing the approval step even though they are not an admin.

    Hi All,
    I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
    The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
    If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible -
    input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
    "User does not have the access right to perform this journal task"
    The options I have thought for a workaround are as follows:
    1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
    2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
    Has anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
    We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks,
    they are:
    1. A data Inputter (who inputs base data and journals, who has access to create and submit journals)
    2. A data reviewer (who approves journals)
    The process is as follows:
    1. Logon as Data inputter to submit the journals
    2. Logon as Data reviewer to approve the journals
    3. Logon as Data inputter to post the Journals
    We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed
    but once it comes back to step 3, we get an error as follows:
    "User does not have the access right to perform this journal task"
    (This error comes about when the access control on custom 4 is set to None, Read, Promote)
    Custom 4 Access Rights looks as follows:
                 C4_ADJ01   C4_ADJ02   C4_ADJ03   C4_ADJ04
    HFMDefault   Read       Read       Read       Read
    HFMLoad      All        Promote    None       Read
    HFMReview    Read       All        All        All
    When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
    For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
    Roles for the groups that users assigned look like the following:
    Test User Name | Test User Name | Access Rights
    1 | Base Data input/Journal Data input | test_HFMLoad | Reviewer 1, Review Supervisor, Create Journals, Read Journals, Database Management, Enable write back in Web Grid, Load Excel Data, Generate Recurring, Post Journals, Create Unbalanced Journals, Manage Templates, Data Form Write Back from Excel, Consolidate
    2 | Data Reviewer | test_HFMReview | Reviewer 1, Review Supervisor, Create Journals, Read Journals, Database Management, Approve Journals, Consolidate, Reviewer 2, Generate Recurring, Manage Templates, Create Unbalanced Journals
    Any help or advice would be much appreciated.
    Thanks in advance,
    M.
