HFM security roles to perform only Extract tasks

Similar Messages

• Automate HFM Security extract?

  Hi,
  HFM Security can be extracted in below methods
  1. In workspace > Extract Tasks> Extract Security
  2. In Shared service > Application Groups > Rt Click on App Name> Assign Access control > Security Reports
  Please let me know if any another ways to Extract security reports.
  Can we make Automate the "extracting security reports"?
  Thanks in Advance.
  Regards,
  AVSR

  Overview: create a migration definition file for HFM (migrating what information you need, in your case it would be security)... save the file, don't execute. Using cmd prompt, run the LCM utility.bat, supplying it with the information needed as well as the migration file. Automate it by creating a batch file to run your migration file and the utility. Schedule the batch file in task scheduler and it will run whenever needed.
  Search for it on the oracle knowledgebase. Theres a lot of info on LCM there.

• SDK C# - query Security Role Properties like Views, Tasks etc

  Hi,
  i have a Problem with getting information from the securityroles in SCSM. In C# i cant get the views, Tasks, templates etc. which are in the security roles. Can anybody give me a hint how i can query this configuration in c#.
  Thank you in advance.

  So the "real need" is that your security roles are confusing and not well defined, so to address this, you'd like to make or find a tool that tells you quickly roles a given user is in, then you could go about troubleshooting
  the security issue.
  I'd like to offer an alternative: fix your security roles.
  a ideal* service manager implementation has 3 security roles.
  Administrators, who can see and manage everything,  
  Analysts, who can work incidents complete activities and shepherd things through the process, but can't really change how the system operates
  Everyone Else, who get
  implied permissions and not much else.
  Sometimes those roles are broken out into different responsibility groups, which are queue filtered, but typically those are the three classes of people in service manager.
  Those roles groups should be applied to the departmental or job groups that correspond to the people who do this job, i.e. you work in the helpdesk, therefore you get helpdesk rights in SCSM.
  If you are going to stray from this ideal, you should have a good reason for it.
  *note: ideal is not "most" or even "a good", ideal is exactly what it sounds like, an ideal goal state that isn't restricted to practical needs. Practical business needs are going to modify this ideal, but it isn't going
  to change the goal, just how close you can get.

• HFM Security Issue - User can submit a journal by by-passing the approval step even though they are not an admin.

  Hi All,
  I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
  The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
  If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible -
  input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
  "User does not have the access right to perform this journal task"
  The options I have thought for a workaround are as follows:
  1.       1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
  2.       2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
  Have anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
  We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks,
  they are:
  1. A data Inputter (who inputs base data and journals, who has access to create and submit journals)
  2.   2. A data reviewer (who approves journals)
  The process is as follows:
  1.       1. Logon as Data inputter to submit the journals
  2.       2. Logon as Data reviewer to approve the journals
  3.       3. Logon as Data inputter to post the Journals
  We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed
  but once it comes back to step 3, we get an error as follows:
  "User does not have the access right to perform this journal task"
  (This error comes about when the access control on custom 4 is set to None, Read, Promote)
  Custom 4 Access Rights looks as follows:
  C4_ADJ01
  C4_ADJ02
  C4_ADJ03
  C4_ADJ04
  HFMDefault
  Read
  Read
  Read
  Read
  HFMLoad
  All
  Promote
  None
  Read
  HFMReview
  Read
  All
  All
  All
  When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
  For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
  Roles for the groups that users assigned look like the following:
  Test User Name
  Test User Name
  Access Rights
  1
  Base Data input/Journal Data input
  test_HFMLoad
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Enable write back in Web Grid
  Load Excel Data
  Generate Recurring
  Post Journals
  Create Unbalanced Journals
  Manage Templates
  Data Form Write Back from Excel
  Consolidate
  2
  Data Reviewer
  test_HFMReview
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Approve Journals
  Consolidate
  Reviewer 2
  Generate Recurring
  Manage Templates
  Create Unbalanced Journals
  Any help or advice would be much appreciated.
  Thanks in advance,
  M.

  Hi All,
  I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
  The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
  If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible -
  input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
  "User does not have the access right to perform this journal task"
  The options I have thought for a workaround are as follows:
  1.       1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
  2.       2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
  Have anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
  We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks,
  they are:
  1. A data Inputter (who inputs base data and journals, who has access to create and submit journals)
  2.   2. A data reviewer (who approves journals)
  The process is as follows:
  1.       1. Logon as Data inputter to submit the journals
  2.       2. Logon as Data reviewer to approve the journals
  3.       3. Logon as Data inputter to post the Journals
  We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed
  but once it comes back to step 3, we get an error as follows:
  "User does not have the access right to perform this journal task"
  (This error comes about when the access control on custom 4 is set to None, Read, Promote)
  Custom 4 Access Rights looks as follows:
  C4_ADJ01
  C4_ADJ02
  C4_ADJ03
  C4_ADJ04
  HFMDefault
  Read
  Read
  Read
  Read
  HFMLoad
  All
  Promote
  None
  Read
  HFMReview
  Read
  All
  All
  All
  When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
  For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
  Roles for the groups that users assigned look like the following:
  Test User Name
  Test User Name
  Access Rights
  1
  Base Data input/Journal Data input
  test_HFMLoad
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Enable write back in Web Grid
  Load Excel Data
  Generate Recurring
  Post Journals
  Create Unbalanced Journals
  Manage Templates
  Data Form Write Back from Excel
  Consolidate
  2
  Data Reviewer
  test_HFMReview
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Approve Journals
  Consolidate
  Reviewer 2
  Generate Recurring
  Manage Templates
  Create Unbalanced Journals
  Any help or advice would be much appreciated.
  Thanks in advance,
  M.

• HFM Security Report Automation?

  Is there a way to automate the running of the HFM (Hyperion Financial Management) Security Report in Shared Services.?
  version: 11.1.2.0
  Is this possible with using Task Automation? ---> If yes please provide details
  If this possible using other reporting tools like HFR, web analysis..etc ---> This is not recommended
  If any other way, Please provide details.
  Thanks All!!
  Regards,
  AVSR

  I think the best way to produce custom security files is using the HFM API. You can use this to report on group memberships and roles and class access. You can read all about it in the Web Developer's Guide Chapter 10. The chapter starts:
  The HFMwSecurity type library contains the HFMwSecurity component. This component
  provides methods that enumerate an application’s security classes, indicate whether a user has
  rights to perform a given task, and return other types of security information.
  I have seen these used to great effect.

• Need api for changing security role in web.xml !!

  My requirement is to change the value of the deployment descriptor "security-role" (in web.xml) through an api and inturn to persist the new value in web.xml. Also I need to know if this change is automatically redeployed or an explicit redeployment is needed ? In that case how do I redeploy using an api call ?
  I found a lot of apis related to roles like createRole, removeRole etc.. But there are no apis to change the name of the role and inturn persist in web.xml.
  Do I need to provide any more information ? Let me know
  Thanks,
  Karthick

  why and when do you change security-role? try to use ant task (perhaph you need xpath also). it´s the better when you perform task about life´s cycle of application.
  please, describe your problem.
  of course in you change web.xml you must restart the application.

• Problem mapping LoginModule roles to ejb security roles

  I have "successfully" managed to implement the DBSystemLoginModule. When I run my application I successfully authenticate to the database, the login module successfully retrieves the users roles from the database and adds them to the subject:
  PassiveCallbackHandler cbh = new PassiveCallbackHandler(username, password);
  LoginContext lc = new LoginContext("current-workspace-app", cbh);
  lc.login();
  I then perform a lookup on a bean using the same user:
  Hashtable env = new Hashtable();
  env.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
  env.put("java.naming.security.principal",username);
  env.put("java.naming.security.credentials",password);
  env.put("java.naming.provider.url", "ormi://localhost:23891/current-workspace-app");
  Context ic = new InitialContext(env);
  final SessionEJBHome sessionEJBHome =
  (SessionEJBHome) PortableRemoteObject.narrow( ic.lookup( "SessionEJB" ), SessionEJBHome.class );
  Finally, I create an instance of the bean and call a method of this bean.
  SessionEJB sessionEJB;
  sessionEJB = sessionEJBHome.create( );
  sessionEJB.testMe( );
  I am expecting (hoping) that the roles retrieved from the database by the login module may be used to authenticate the ejb methods. i.e. if (in ejb-jar.xml) the method "testMe" has a method-permission with role-name of "ABC" then this method may only be accessed if the user is a member of the "ABC" role retrieved from the database by the login module. However I get the message:
  "username is not allowed to call this EJB method"
  When I add a security-role-mapping in orion-ejb-jar.xml mapping the role "ABC" to the group "ABC" (and impliesALL="true") then the method is called successfully. However, if I add a security-role-mapping mapping the role "DEF" to the group "DEF" (which the user is not a member of) the ejb method is (wrongly) called successfully (with implies all="false" the method always fails). In other words there seems to be no mapping of the roles retrieved by the login module to the ejb security roles.
  Can anyone please enlighten me on how I can achieve the mapping of the ejb security roles to the roles obtained from the login module.
  Thanks
  PS I have this problem with JDeveloper 10.1.3 (Developer Preview 10.1.3.0.2.223 and Early Access 10.1.3.0.3.3412)

  Hi Sebastian,
  yes, it is possible to do such mapping. And here how it works:
  1. define security roles in the ejb-jar.xml within the <security-role>. For example:
  <security-role>
       <role-name>test</role-name>
  </security-role>
  2. then you map the roles those roles to server security roles using the <security-role-map> tag of the ejb-j2ee-engine.xml descriptor.
  <security-permission>
     <security-role-map>
        <role-name>test</role-name>
        <server-role-name>myUMErole</server-role-name>
     </security-role-map>
  </security-permission>
  the myUMErole must be defined in the UME!
  Does this answer your question?

• Change SQL 2012 Security roles after installation

  I installed SQL 2012 SP1  Standard edition and during the setup it asked me for the users for various service . I choose to keep them as default  
  After the installation i could see the services were not started, so i changed everything to Local System 
  Also in future i may need to change them to run under some domain service account.
  What steps do i have to take to make sure approprate rights are granted to the accounts that run the SQL services. I could see Local System just had Public security role.
  Can someone guide me on verifying what the security roles for accounts should be.

  running them as domain account is  a good thing and it does not need to part of admin group.
  make sure your domain account has access backup paths/locations.
  Also, make sure your account has "perform volume maintanence tasks" - to make use of INF.
  Is your system 64 bit or 32 bit. if 64 bit, you are okay else you will need to enable lock pages in the memory for the service.
  Below are the links to some articles that talk about this:
  http://www.mssqltips.com/sqlservertip/2503/how-to-create-secure-sql-server-service-accounts/
  http://blogs.msdn.com/b/askjay/archive/2011/02/28/required-rights-for-sql-server-service-account.aspx
  http://technet.microsoft.com/en-us/library/ms191543(v=sql.110).aspx
  http://blogs.msdn.com/b/sqlserverfaq/archive/2010/05/28/inf-permissions-required-for-sql-server-service-account-to-use-ssl-certificate.aspx
  Hope it Helps!!

• Security Role Won't Grant Table Access

  When I log into the my production server there only two tables (dbperties & Trans) showing under tables when the  Dbase is selected.  I checked the server roles and I only have “Public” access. I can see the views that have been
  created. I have been added to the Group membership and added to one of our vendor groups but  I still can't see the additional tables. 
  However, when I log into the Development site it’s showing all the iMIS tables and I have both “Public” & “SysAdmin” roles.
  Should I be added to the
  “SysAdmin” role as well?
  Thanks in advance.
  DJ

  Hi,
  According to your description, as Erland’s post, if you are a member of Active Directory groups with administrative privileges , it means that you have full permissions on the Windows-level objects, such as the rights to read/write folders, but it does not
  mean that your account is administrator in SQL Server except for creating a login name with this account and granting to sysadmin role.
  Usually, the members of sysadmin role have administrative privileges on all server databases and resources, and can perform any activity in SQL Server. Generally, DBA is granted the sysadmin permission. If you need to perform any activity in SQL Server,
  your account should be added to the sysadmin role. You can right-click sysadmin in Object Explorer/Security/Server Roles in SQL Server Management Studio (SSMS) ,then add your account. Please note that only a sysadmin member has  rights to grant users
  different permissions in SQL Server.
  Public role is a special database role that exists in every user database, and by default, every database user is automatically assigned to this built-in role. If you just need to access and modify all the objects of a database , it’s not necessary to being
  a sysadmin member in SQL Server , you can add your account to the db_owner database role.
  For more information, please review the following this article: Server and Database Roles in SQL Server.
  Thanks
  Lydia Zhang

• Ticketadmin and Custom Security Role

  A friendly hello to all readers!
  I'm facing the following problem:
  We want our customer to enter his tickets into the WebCRM. For this task I've created two new Security Roles ('GP User' and 'GP Key User'). The 'GP User' Role is working fine. Members of this Role just can enter tickets and watch the status.
  Members of the Role 'GP Key User' are also part of the Role 'Licensed User'. This users are only allowed to work on the tickets and the knowledge-base in the administration panel.
  The problem now is, that this special Users can't change the status of an ticket and are not allowed to assign the ticket to another person. (But in batch operation they can!).
  What can I do to enable the full functionality on admin/support/ticketadmin.aspx?
  Hints:
  - The user of role 'Key User' are not assigned to the internal account.
  - Version: 2007.0.631.11
  Thanks!

  If you go to Admin > Definitions > Security Roles you can select a role to see what that role has access too. This role is in addition to the licensed user role and determines what will show up on the admin menu and what pages they can access directly.
  You could either screenshot the Support Admin's list of permissions or run it directly on the sql db.
  Even if a menu item is not listed, it would still be possible for the user to type in the direct url of a specific page for any pages they have access to. For example the permission for Web Page admin/support will allow that role to access any page in the support directory. To restrict, you might just give access to admin/support/tickets.aspx or other aspx pages directly.
  Before praxis was acquired by SAP we used to have a custom theme strictly for support that had links to 4 ticket related functions only. Might reduce some confusion.
  James

• Doing Active Directory System Discovery security roles

  Hi Experts
  I am assigning users who have specific roles in SCCM2012 (Reporting, application management etc) , they are not assigned with permissions which is the same as Full Administrator or Operation Manager. 
  The team would like to run Active Directory System Discovery on the Primary Site server to detect the computer objects found in the AD once they have joined the new computers to the domain, they are unable to perform RUN on the Active Directory System Discovery
  as the option is not available to them. Possible to advise, which additional security roles should I assign to them so that the RUN command can appear?? They are unable to do this with the current permission as listed below, RUN is not listed when they right
  click on Active Directory System Discovery, unlike the Full Administrator:
  Application Administrator
  Application Author
  Application Deployment Manager
  Operating System Deployment Manager
  Read-only Analyst
  Remote Tools Operator
  Software Update Manager

  Hi,
  You could create a Custom role and modify the rights.
  Administration workspace >Security >Security Roles >Select a Built-in role >Click Copy on the ribbon.
  Otherwise, Role-based Administration Modeling and Auditing Tool helps administrators to model and audit RBA configurations.
  http://www.microsoft.com/en-us/download/details.aspx?id=36213
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• HFM Security Access

  I have a query on HFM security which I have got from the business.
  1)     Change Doris and Jeanie access to read/display only in HFM production. We should have access to display all data in HFM. – I was not sure which access should I give to get this requirement.
  2)     In Process Management, Please provide “Start”, “Signoff”, “Approve”, “Reject”, “Publish” in process management for Rob Sage, Debbie Indrieri and Doris Lai. Also, Please provide “Promote” and “Submit” Access to Elisa Ha and Jaime Akiyama. – Shall I give Review Supervisor for Rob Sage, Debbie and Doris for this access and not sure which one should I give for Elisa and Jaime.
  Kindly help me in this regards.

  I don't use process management so I will not attempt to answer that part of your question.
  In regards to the first part, you need to go into Shared Services and assign those users the Read permission for the required security classes. For instance, if all entities are tied to a class called ALLENTITIES, you could go into Shared Services, click on projects, click on the project that holds your application, and then click on the application you are managing. Then you would search for the users/groups in question and add them to the selected list, next you would select the classes you want to assign them access to (i.e. ALLENTITIES). On the next screen you will see a grid with users/groups and classes. Go to the cells and set the Access Rights to read. (Be sure to hit the SAVE button when done)
  Alternatively, you can do a security extract from the application, make the updates in the security file, and load that back to the system.

• CRM 2011: Can you control which form is used based not security roles, but on a field value?

  I see that you can control which form is used based on security roles, but can you control it based on other field values?  I'd like a new record to use a different form until a given status is updated.  I have a status of draft and active. So
  it would be nice if I could use form1 for those in draft, form2 for those that are active.  But I only see where you can control that via the security roles.
  I can code all of this via JavaScript, but having the ability to use two separate forms would be nice.  Is that even possible.
  Best regards,
  Jon Gregory Rothlander

  Hello,
  Recheck following article - http://gonzaloruizcrm.blogspot.com/2014/11/avoiding-form-reload-when-switching-crm.html
  Dynamics CRM MVP/ Technical Evangelist at SlickData LLC
  My blog

• Unable to assign all security roles to a user with a new custom security role

  Dear All,
  Happy New Year.!
  I have a query regarding the assignment of Security Roles to new users in CRM. Normally we assign the security roles to new users via an Admin user who has 'System Administrator' security role assigned to him/her. This works perfectly fine, and we can assign
  any desired security role to the new user.
  However, in our case, we need to delegate the user creation rights to some of the client partners. We do not want to give them access to all the Administration functions; hence we created a new Security Role, lets say 'Support User Role'. We have provided
  'Create', 'Append', 'Append To', and 'Assign' rights on 'User' entity for this new security role. With this security role, we are able to create new users now, but we are only able to assign 'Agent' security role, not any other security roles.
  For example, if user 'x' has Security Role defined as 'Support User Role'. If 'x' tries to add a new user 'y', then 'x' is only able to assign 'Agent' security role to 'y', but not any other security role. As per business requirement, 'x' should be able
  to assign some other security roles, including 'Support User Role', to new user 'y'.
  I believe that there is something missing in Security Role configuration, which is causing the above problem. We compared both 'Support User Role' and 'System Administrator' security roles, but not able to figure out which minimum rights we can provide to
  'Support User Role' so that users with this security role can only add new users (with any security role), and that they are not having access on any other Administration features as well.
  Appreciate any help that you can provide on the above issue.
  Thanks in anticipation.

  Hi,
  Can you check if you have organization level Read access for Securitity Role and Organization level Assign access for Security role.
  Refer:-
  http://www.magnetismsolutions.com/blog/paulnieuwelaar/2013/04/22/permissions-required-to-manage-roles-in-dynamics-crm-2011
  Hope this helps!!!
  Thanks,
  Prasad
  Make sure to "Vote as Helpful" and "Mark As Answer",if you get answer of your question

• Problem with security role

  Hello,
  I have Enterpise Portal 7.0 SP13 instance (only Java stack installed). My enviroment is AIX 5.3 and Oracle 10.
  This instance has a lot of security alerts in the default trace log, like this:
  #1.5^H#C2B30000C03D006400000039000A9084000443246AFD6467#1199723599717#com.sap.engine.services.security.roles.SecurityRoleImpl##com.sap.engine.services.security.roles.SecurityRoleImpl#j2ee_admin#1208####41667d10bd3e11dccc51c2b30000c03d#SAPEngine_Application_Thread[impl:3]_5##0#0#Error#1#/System/Security/Audit/J2EE#Java###:Authorization check for caller assignment to J2EE security role [ : ].#3#ACCESS.ERROR#SAP-J2EE-Engine#guests#
  Anyone knows what is it?
  Regards
  Rodrigo

  I found the bug : in LDAP I've got a user also called OIDGroup1 (the same as group's name).