Monitoring HFM security

Similar Messages

• HFM Security Issue - User can submit a journal by by-passing the approval step even though they are not an admin.

  Hi All,
  I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
  The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
  If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible -
  input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
  "User does not have the access right to perform this journal task"
  The options I have thought for a workaround are as follows:
  1.       1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
  2.       2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
  Have anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
  We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks,
  they are:
  1. A data Inputter (who inputs base data and journals, who has access to create and submit journals)
  2.   2. A data reviewer (who approves journals)
  The process is as follows:
  1.       1. Logon as Data inputter to submit the journals
  2.       2. Logon as Data reviewer to approve the journals
  3.       3. Logon as Data inputter to post the Journals
  We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed
  but once it comes back to step 3, we get an error as follows:
  "User does not have the access right to perform this journal task"
  (This error comes about when the access control on custom 4 is set to None, Read, Promote)
  Custom 4 Access Rights looks as follows:
  C4_ADJ01
  C4_ADJ02
  C4_ADJ03
  C4_ADJ04
  HFMDefault
  Read
  Read
  Read
  Read
  HFMLoad
  All
  Promote
  None
  Read
  HFMReview
  Read
  All
  All
  All
  When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
  For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
  Roles for the groups that users assigned look like the following:
  Test User Name
  Test User Name
  Access Rights
  1
  Base Data input/Journal Data input
  test_HFMLoad
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Enable write back in Web Grid
  Load Excel Data
  Generate Recurring
  Post Journals
  Create Unbalanced Journals
  Manage Templates
  Data Form Write Back from Excel
  Consolidate
  2
  Data Reviewer
  test_HFMReview
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Approve Journals
  Consolidate
  Reviewer 2
  Generate Recurring
  Manage Templates
  Create Unbalanced Journals
  Any help or advice would be much appreciated.
  Thanks in advance,
  M.

  Hi All,
  I was wondering if anyone could help me with a HFM security issue on HFM 11.1.2.3 we are facing please?
  The problem is that a user can by-pass the journal approval stage and post directly after submitting if Custom4 access control=All is selected.
  If any of the other access controls (None, Read, Promote) for custom 4 are selected, the first two steps of the process are possible -
  input and approval of the journal are possible but final posting of the journal is not and returns an error that says:
  "User does not have the access right to perform this journal task"
  The options I have thought for a workaround are as follows:
  1.       1. Set up a 3rd user called data poster and remove submit journal role from user 1 (data inputter)
  2.       2. Put in place process control and use the various review levels (could be quite time consuming given there is no time left for development)
  Have anyone experienced this before and come up with a quick way of resolving this please? It would be very much appreciated.
  We have two types of users who are associated with groups in HFM and have the appropriate roles assigned to them to complete their tasks,
  they are:
  1. A data Inputter (who inputs base data and journals, who has access to create and submit journals)
  2.   2. A data reviewer (who approves journals)
  The process is as follows:
  1.       1. Logon as Data inputter to submit the journals
  2.       2. Logon as Data reviewer to approve the journals
  3.       3. Logon as Data inputter to post the Journals
  We are using the custom 4 member to identify different adjustment types. At the moment we are able to set it up in such a way whereby Steps 1 and 2 can be completed
  but once it comes back to step 3, we get an error as follows:
  "User does not have the access right to perform this journal task"
  (This error comes about when the access control on custom 4 is set to None, Read, Promote)
  Custom 4 Access Rights looks as follows:
  C4_ADJ01
  C4_ADJ02
  C4_ADJ03
  C4_ADJ04
  HFMDefault
  Read
  Read
  Read
  Read
  HFMLoad
  All
  Promote
  None
  Read
  HFMReview
  Read
  All
  All
  All
  When Custom 4=C4_ADJ01 all 3 steps can be completed but it by-passes step 2 (journal approval).
  For all other Custom 4 we complete steps 1 and 2 successfully but not step 3 due to access issues.
  Roles for the groups that users assigned look like the following:
  Test User Name
  Test User Name
  Access Rights
  1
  Base Data input/Journal Data input
  test_HFMLoad
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Enable write back in Web Grid
  Load Excel Data
  Generate Recurring
  Post Journals
  Create Unbalanced Journals
  Manage Templates
  Data Form Write Back from Excel
  Consolidate
  2
  Data Reviewer
  test_HFMReview
  Reviewer 1
  Review Supervisor
  Create Journals
  Read Journals
  Database Management
  Approve Journals
  Consolidate
  Reviewer 2
  Generate Recurring
  Manage Templates
  Create Unbalanced Journals
  Any help or advice would be much appreciated.
  Thanks in advance,
  M.

• Monitor Oracle Secure Backup by 12c

  Hi all,
  Is there any way to monitor oracle secure backup by cloud control 12c.
  regards,
  Utp

  The steps are as you reported in your initial thread:
  I have tried to show Oracle Secure Back in my EM as described in its Admin Guide
  a. Navigate to the ORACLE_HOME/hostname_SID/sysman/config directory
  and open the emoms.properties file in a text editor.
  b. Set osb_enabled=true and save the file.
  c. Stop the Oracle Enterprise Manager Database Control console as follows:
  emctl stop dbconsole
  d. Restart the Oracle Enterprise Manager Database Control console as follows:
  emctl start dbconsole
  But after this setting i am not able to see any thing in my EM.
  If this doesn't work, then please file a TAR

• HFM Security Class Java API

  Dear All,
  I'm trying to get HFM Security Class info using Java APIs. Recently I was able to connect to the Hyperion Shared Services using the hyperion css.jar java file. Is there a similar jar to access the Security classes and get users, groups and vice versa?
  Any examples would be great as well.

  Thanks for the reply. I was hoping this was not the case...
  In 9.2 I used these objects but I was hoping to move away from this and use provided API's.
  I'm using c# to talk to the object which I expose to java using web services so I guess that is what I'll be using!!!
  Cheers,

• HFM Security Class and Security

  Hi All my Peers,
  Can any one explain me What is the difference between Security Class and Security

  No offense, but if you don't understand these concepts well enough, your CV should probably be sent a far distance if you are trying to get an experienced consulting position. Understanding security is an important piece to the puzzle, especially when dealing with large amounts of financial data.
  With that said.......
  Security - Generally speaking, the goal of security is to control access to data, objects, programs, etc. In the Hyperion sense, security is managed in multiple different ways :
  - Program Access : Only users who are linked to Hyperion's Shared Services AND have the proper provisioned rights can open a program. (i.e. HFM, Reports, Workspace, FDM, etc, etc, etc.)
  - Provisioning : There are different types of rights per program that a user can have. Provisioning is the act of assigning these rights. (i.e. HFM has multiple rights such as Appliation Administrator, Default, Provisioning Manager, etc.)
  - Data / Object Access : Even if you have the right to enter the program, there is generally another layer of security which controls what you can do. For instance, inside of HFM, you can configure security for objects such as Data Forms and Data Grids. Furthermore, you can limit the user's ability to change or view data for specific entities, accounts, as well as other dimensions.
  - Security Classes : The security classes that you assign in the metadata are used during the act of assigning the Data / Object access controls. Users (and Groups) and assigned View Only, All (Read/Write), or None access to HFM Security Classes.
  This is a ridiculously high level overview. To get a much better understanding, I strongly recommend that you read the product documentation for the specific products you are using. If you are using 11.1.2.1 / HFM, here are a couple of documents that are of value :
  http://docs.oracle.com/cd/E17236_01/epm.1112/hfm_admin.pdf - Administrators guide which has a section on security.
  http://docs.oracle.com/cd/E17236_01/epm.1112/hfm_user.pdf - Users' guide which talked to security in terms of forms/ grids
  General System 11 doc : http://docs.oracle.com/cd/E17236_01/nav/portal_5.htm
  Hope that helps

• HFM Security Access

  I have a query on HFM security which I have got from the business.
  1)     Change Doris and Jeanie access to read/display only in HFM production. We should have access to display all data in HFM. – I was not sure which access should I give to get this requirement.
  2)     In Process Management, Please provide “Start”, “Signoff”, “Approve”, “Reject”, “Publish” in process management for Rob Sage, Debbie Indrieri and Doris Lai. Also, Please provide “Promote” and “Submit” Access to Elisa Ha and Jaime Akiyama. – Shall I give Review Supervisor for Rob Sage, Debbie and Doris for this access and not sure which one should I give for Elisa and Jaime.
  Kindly help me in this regards.

  I don't use process management so I will not attempt to answer that part of your question.
  In regards to the first part, you need to go into Shared Services and assign those users the Read permission for the required security classes. For instance, if all entities are tied to a class called ALLENTITIES, you could go into Shared Services, click on projects, click on the project that holds your application, and then click on the application you are managing. Then you would search for the users/groups in question and add them to the selected list, next you would select the classes you want to assign them access to (i.e. ALLENTITIES). On the next screen you will see a grid with users/groups and classes. Go to the cells and set the Access Rights to read. (Be sure to hit the SAVE button when done)
  Alternatively, you can do a security extract from the application, make the updates in the security file, and load that back to the system.

• Automate HFM Security extract?

  Hi,
  HFM Security can be extracted in below methods
  1. In workspace > Extract Tasks> Extract Security
  2. In Shared service > Application Groups > Rt Click on App Name> Assign Access control > Security Reports
  Please let me know if any another ways to Extract security reports.
  Can we make Automate the "extracting security reports"?
  Thanks in Advance.
  Regards,
  AVSR

  Overview: create a migration definition file for HFM (migrating what information you need, in your case it would be security)... save the file, don't execute. Using cmd prompt, run the LCM utility.bat, supplying it with the information needed as well as the migration file. Automate it by creating a batch file to run your migration file and the utility. Schedule the batch file in task scheduler and it will run whenever needed.
  Search for it on the oracle knowledgebase. Theres a lot of info on LCM there.

• Monitoring a security camera

  Have you had experience connecting a security camera at home and monitoring it through Safari? My home configuration is a Mac Pro hard-wired to a router, though the router is also wireless. Ideally the camera would establish a wireless link to the router. While away from home, I'd like to be able to open a browser window into the camera, using my Macbook Pro. I have no iSight camera on the Mac Pro at home. Though less convenient, I could attach a camera to the Mac Pro through some port. Thanks!

  Welcome to Discussions, Drasticbunny
  Drasticbunny wrote:
  Have you had experience connecting a security camera at home and monitoring it through Safari?
  No.
  ... My home configuration is a Mac Pro hard-wired to a router, though the router is also wireless. Ideally the camera would establish a wireless link to the router. While away from home, I'd like to be able to open a browser window into the camera, using my Macbook Pro. I have no iSight camera on the Mac Pro at home. Though less convenient, I could attach a camera to the Mac Pro through some port. Thanks!
  (1) If you want to shop for one of the widely available dedicated internet security cameras, be sure that both the hardware and the software that is bundled with it are compatible with your internet service, router, Mac, and Mac OS version. If you ask, the seller should be able to guarantee compatibility or explain exchange privileges before you buy.
  (2) If you want to use a webcam operated by your Mac Pro, see this link for camera possibiities:
    http://discussions.apple.com/thread.jspa?threadID=2018211
  and this link to find some webcam/surveillance/nanny cam apps that may do what you want:
    http://www.ralphjohns.co.uk/EZJim/EZJimpage7.html
  EvoCam is one of the more popular apps that let you monitor security via an internet browser like Safari. Security Spy is another, but it currently has a know issue with the Safari browser when running Snow Leopard. Security Spy's download page lists certain other browsers are compatible now. Regardless of which app offers the features you want, carefully review System Requirements and compatibility info in their web pages for current status.
  EZ Jim
  Mac Pro Quad Core (Early 2009) 2.93Ghz w/Mac OS X (10.6.2)  MacBook Pro (13 inch, Mid 2009) 2.26GHz (10.6.2)
  LED Cinema Display  G4 PowerBook 1.67GHz (10.4.11)  iBookSE 366MHz (10.3.9)  External iSight

• HFM Security Report Automation?

  Is there a way to automate the running of the HFM (Hyperion Financial Management) Security Report in Shared Services.?
  version: 11.1.2.0
  Is this possible with using Task Automation? ---> If yes please provide details
  If this possible using other reporting tools like HFR, web analysis..etc ---> This is not recommended
  If any other way, Please provide details.
  Thanks All!!
  Regards,
  AVSR

  I think the best way to produce custom security files is using the HFM API. You can use this to report on group memberships and roles and class access. You can read all about it in the Web Developer's Guide Chapter 10. The chapter starts:
  The HFMwSecurity type library contains the HFMwSecurity component. This component
  provides methods that enumerate an application’s security classes, indicate whether a user has
  rights to perform a given task, and return other types of security information.
  I have seen these used to great effect.

• HFM security filter ?

  In HFM, I don't seem to have a way to achieve this:
  One user has write access to Entity A + all products
  The same user needs Read Only access to Entity B but a couple of the products only
  Because the security classes attached to Entity and Product(Custom2 for us) dimensions are layed out flat on Shared Service. I can only assign one type of access to the same security class.
  This is different in Essbase for example, I can create security filter and grante user access to different combination (intersection) of dimensions.
  Is there such thing as security filter in HFM?
  Thanks in advance!

  I do plan to assign unique security classes to entities and products.
  But how do we assign access to combos? In the Pivot table where you have all the security classes on the row, and all the users(groups) on the columns.
  The goal is to prevent the product line leader user from reading other products in the entity that he's not responsible for.
  For example, this user has Write access to E_Brazil, and all data loaded on C2 for Brazil. Then he needs to have Read access to E_China, but only C2_Golfball. We do not want him to see other products for China, however, he needs to load data to other products in Brazil. This is especially true with the Custom2 member [None] for all the data that do not require a product. Then what access shall we give to the security class C2_None ? It doesn't seem that we have a way to assign access to a combo, but just to each unique security classes ?

• CF8 Server Monitor over secure connection?

  Hi,
  Has anyone out there been able to get the CF8 Server Monitor
  to work over a secure "HTTPS" connection?
  It doesn't work for me. I get an error message, "ColdFusion
  Server is unavailable."
  Thanks.

  Yes, Server monitor works on https also.
  Are you able to access your CF admin through the https?
  ex:
  https://localhost:8500/CFIDE/administrator/index.cfm

• HFM Security Access Edit Logs - Audit

  I have been asked by our internal audit group to provide logs of when users access within HFM have been edited (i.e. added, changed roles, added to groups, etc.). Is there anyone else that has received this request, and more importantly how have you met this request (logs in the system, etc)?
  The only way I have been able to track this is offline via spreadsheets.
  Any/all advice is appreciated.
  Thanks.
  LJ
  Edited by: user8357096 on Mar 23, 2010 7:28 AM

  I have had a couple clients ask for something like this. At least now with user provisioning you can get reports of what the security was, like a snapshot. Then compare it to another time. But this will only tell you part of the story. If you are using groups for example, it possible a user gets added to one group then removed. You would not have access to that change in HFM, it would keep no record of it.
  I would recommend taking and extract and report and archiving them to reference.

• HFM Security Reports

  Does anyone know how to keep track of security in HFM as we can generate reports in Planning but i dont see how to manage the security in HFM. Thanks,Scorpio

  Scorpio,No there is no security reports option in HFM .If you have been using external authentication and NT groups ,I would advice you running a report on the NT groups .Thanksnaveen

• HFM security roles to perform only Extract tasks

  Hello,
  Could any one please tell me what roles I need to give for a user so that he can only perform extract tasks?
  I gave him Extended analytica and advanced user roles.
  But I could see Extract data and Extract journal tasks but not the rest of them.
  I am using HFM 9.3.1.
  Thanks
  Hemanth

  I have provisioned a new native user ID w/ extended analytics and default access but get this error message when running EA from application:
  (-2147208192) (An unknown error has occurred in the HsvData object.)
  Does anyone know what additional security should be provisioned?

• Weblogic 10.3.6 SNMP monitoring using secured port

  We will like to monitor Weblogic using Nagios by deploying WLSAgent.
  Currently, WLSAgent can only work through unsecured port. Out web-logic servers are currently configured to be accessible only through the secured port.
  Has anyone been able to get WLSAgent to work with secured port?
  Are there any known issues with using unsecured port?
  Thanks.

  The time-out you are getting is that related to a transaction?
  You can set the transaction time-out in the WebLogic console go to the JTA page for the domain, and change the value in the Timeout Seconds field.
  When you are using EJBs, you can also set the time-out on a EJB basis, instead of configuring the time-out for the whole domain.
  For example, in weblogic-ejb-jar.xml, you can configure the time-out by using:
  <weblogic-ejb-jar ...>
      <weblogic-enterprise-bean>
          <ejb-name>YOUR_EJB_NAME</ejb-name>
          <enable-call-by-reference>True</enable-call-by-reference>
          <stateless-session-descriptor>
              <pool>
                  <initial-beans-in-free-pool>25</initial-beans-in-free-pool>
                  <max-beans-in-free-pool>50</max-beans-in-free-pool>
              </pool>
          </stateless-session-descriptor>
          <transaction-descriptor>
              <trans-timeout-seconds>600</trans-timeout-seconds>
          </transaction-descriptor>
      </weblogic-enterprise-bean>
  </weblogic-ejb-jar>The transactions this EJB spawns can last for 10 minutes.