Security Setup

Hi,
We are having HFM used for reporting and consolidation.
Two Specific issues/questions
1) We are having seperate Development, UAT and production environments. However the security setup/AD groups for all three environments are same. We cannot create different security groups in three different environments as it will affect meta data level changes.So the issue is that , person having UAT environment is also able to access the production system, as AD groups for security class are same. Is there a way we can diffentiate the security of three different environments?
2) HFM offers application adminsitrator roles. However, we are having 3 different team:
A) One performing change management such as meta data level changes
B)Second one performing security
C)Third one performing maintainance actiivites such as dispensation, bypass,validation tolerane limit load excahgne rate.
Is there a way we can segregate these responsibilites by setting up different access/roles for the users.
Your help would be much appreciated.

Hi,
In regards to question #1 :
Option a - Use Native Groups. If you were using Native Groups as opposed to the AD groups, you could keep everyone assigned to the same groups and simply have different levels of access between the apps. A lot of systems will use Native Groups with external directories (i.e. Active Directory) for users. This probably isn't something of interest since you already have everything in AD and would be a lot of hassle to rework....
The other options I propose really depend on what exactly are you trying to accomplish in DEV vs PROD in regards to security. They are somewhat hackish but would solve your issue....
Option b - If you want everyone to have full access to everything in DEV as opposed to more limited access in prod, give the WORLD built in group access to all of your security classes in DEV only.
Option c - If you want everyone to have the same entity / account access just a different level (i.e. Read to Write), then you can just extract the production security file and replace all the security class access items from Read to All, etc.
Option d / e - If you want to give people different account / entity access as opposed to level of access, this is a bit trickier because any moves you make in AD would apply for all of the apps.... I would think this wouldn't be that common and maybe you only need this for a couple people? For the few instances of this, I think the best bet optiosn are : d.) create a Native Group and put them in that with the proper security class access. e.) Assign the user directly to the security class with the proper access in the environment. Security class access is not contained in AD and the changes would not automatically propagate..... If you have to do this for a "ton" of users, it wouldn't be much fun though.
In regards to question #2 -
A) - First of all, if someone has the HFM client or a text editor and access to the metadata file, anyone can make the changes. Your best bet is to control the extracting and loading aspect of this. The 'Load System' role will control who can load metadata to HFM.
B) - Provisioning Manager will allow changes to user access to the App
C) Not sure what you're looking for here. Exchange rates would be a data load so they would need to be able to load data to the system. This sounds like more of an Account / Entity access item so you would need to make sure the user has proper security class access in HFM.

Similar Messages

  • Security Setup not working

    Hi,
    As a part of security setup we have done the following things:
    - Users created and assigned as members of groups. One group is created per entity.
    - Groups have been provisioned for the application and given security class access
    - Security classes have been created and attached to metadata. for e.g, all entities have been attached a Sec class in properties.
    - In application settings, Node Security = Entity, Security for Entities is Checked, Enable Metadata Sec Filtering is also checked.
    Even after this, the security setup doesnt seem to be working. A user with minimal provision (only Data Form Writeback from Excel) and no security class access is also able to see all the entities, also other forms, grids, etc which have been attached diff security classes. He is able to edit the forms and grids.
    Can anyone help out as to what is it that we are missing?

    What role(s) do the users have? Any user with the Administrator role bypasses class access checking and is assumed to have full access to everything. No other role provides this bypass.
    Editing forms and grids has nothing to do with Entity security. If the forms and grids have no class assigned to them, they use the [Default] class which I suggest all users have All rights to anyway. If there are grids/forms you do not want users to change, you should assign a specific class to them, other than [Default].
    Enable Metadata security filtering should restrict users from seeing the members for which they have None access to, but as long as they have Read or All access, they will see the members in a pick list.
    --Chris                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

  • Security setup operations failed: creating system keys

    I have just downgraded my T60 laptop from Vista to windows xp using the lenovo CD's.
    Everything seems to be working well, except that each time I boot up the computer, the lenovo security setup software runs.  If I follow the menus all the way through, I get to the following error on the last screen:
    "your security settings have been configured however, one or more setup operations failed: creating system keys"
    There was also a message that previously briefly flashed during the bootup (on the "bios" screen?) which stated that the system was designed to use fingerprints to protect something or other, but this was not enabled.  However:  I then ran all updates for windows xp and for lenovo drivers etc.  This message has now gone away (and unfortunately I didn't write it down).
    I'm guessing the failure to "create system keys" results in the software running each time I boot up.
    Another possibility:  I have not yet enabled the symantec security, as I intend to uninstall it and use other virus protection software.  Could this be causing the"failure to create system keys"?
    (The fingerprint reader works fine, and reads my fingerprint at the windows logon screen.)
    **UPDATE**:  uninstalled symantec security software, and this had no effect.
    Message Edited by orson_m on 12-29-2008 02:47 PM

    I have just downgraded my T60 laptop from Vista to windows xp using the lenovo CD's.
    Everything seems to be working well, except that each time I boot up the computer, the lenovo security setup software runs.  If I follow the menus all the way through, I get to the following error on the last screen:
    "your security settings have been configured however, one or more setup operations failed: creating system keys"
    There was also a message that previously briefly flashed during the bootup (on the "bios" screen?) which stated that the system was designed to use fingerprints to protect something or other, but this was not enabled.  However:  I then ran all updates for windows xp and for lenovo drivers etc.  This message has now gone away (and unfortunately I didn't write it down).
    I'm guessing the failure to "create system keys" results in the software running each time I boot up.
    Another possibility:  I have not yet enabled the symantec security, as I intend to uninstall it and use other virus protection software.  Could this be causing the"failure to create system keys"?
    (The fingerprint reader works fine, and reads my fingerprint at the windows logon screen.)
    **UPDATE**:  uninstalled symantec security software, and this had no effect.
    Message Edited by orson_m on 12-29-2008 02:47 PM

  • Shared Service Security Setup - Demo Doc

    Hello Friends,
    Was just checking if anyone of you have a quick small document which would explain the security setup module in Shared services
    with Users, Roles, Groups, filters
    Type of access READ WRITE, META READ WRITE etc in a pictorial format.
    Just have to give a demo to my fellows.
    Thanks in advance
    MS

    Try
    http://docs.oracle.com/cd/E17236_01/epm.1112/hss_admin_1112200/apas02.html
    http://docs.oracle.com/cd/E17236_01/epm.1112/hss_admin_1112200/ch09s04s08.html
    http://docs.oracle.com/cd/E17236_01/epm.1112/hss_admin_1112200/ch09s04s07s01.html
    http://docs.oracle.com/cd/E17236_01/epm.1112/esb_dbag/dsefilt.html
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Security Setup Wizard keeps appearing on startup

    For some reason, the Security Setup Wizard keeps appearing everytime I logon.  There seems to be an error when it is completing the last steps of the process.  I enter all the information requested and get to the last page and I get an error message that it cannot create the "system keys."  What are the system keys and how do I fix this error?
    If I cannot fix the error so that the wizard can complete its tasks, how do I prevent it from running on startup in the first place?  I checked the run list in the registry but it doesn't seem to be listed there.

    Hi sclexman,
    Thank you for your good instructions and prompt reply.  I don't often see such patient or helpful people outside of the ThinkPad community!
    My system has been running beautifully for well over a year.
    I am running Windows XP Professional on my IBM ThinkPad T60p.
    Typing something like ThinkPad "Security Setup Wizard" into Google with quotation marks, you will get better results.
    I literally get exactly what is described above by the other people.
    My problem is the Wizard which keeps popping up every time the computer restarts, but the "system keys" step is where the wizard gets stuck, so I thought that might be the cause of the problem.
    I put off setting up my security software with fingerprint reader for years, and I just got around to it yesterday.  The wizard popped up every time I started up since I got it, but when I went through the wizard and set everything up, it finally stopped popping up.
    Shortly after, I  went poking through the advanced settings of the ThinkVantage Client Security Solution program and accidentally clicked "Reconfigure security settings".  This brought up the same wizard again, and made me re-enter all of my passwords and security questions, which was quite a hassle.  This is the time it failed at the "system keys" part of setup; the first time took longer, but it was successful.
    My big reward at the end of this was supposed to be the wizard leaving me alone at startup, but he will not stop his familiar haunt!
    Any help is appreciated.
    Thanks,
          Thomas
    Security Setup Wizard that won't stop popping up:
    Wizard after initial successful completion.  If done over, it won't get past the second step.
    I don't want to try creating my own system key as your WikiHow link describes, as I'm not entirely sure what I'm doing, and I don't want to actually break my system's security!  Everything is working perfectly now security-wise, except for this pop-up window!!!
    P.S.
    I took so long to reply because when I tried to change my e-mail address to the one I check most often, I was completely locked out of my account.  I did not receive any confirmation e-mail no matter how many times I clicked re-send.  Today I changed it back to my Hotmail account, and it came within five minutes, so I'm back in. Since Hotmail works, I am guessing that the spam filter on my school's e-mail servers is cranked up too high, rather than any problem on Lenovo's part.

  • What does 'security setup forms that accept sql statement' mean?

    I was referring one white paper 'Best Practices for Securing Oracle E-Business Suite'.
    I would like to know what does 'security setup forms that accept sql statement' mean in that?
    My question is
    Where can the SQL statements be entered?
    It would be better if I can have some examples of the same. I am trying to understand this statement.
    Edited by: Kavipriya on 30 Mar, 2011 3:37 PM

    It is explained in the same docs.
    Best Practices for Securing the E-Business Suite [ID 189367.1] -- Page 26, under "LIMIT ACCESS TO FORMS ALLOWING SQL ENTRY" section.
    Best Practices For Securing Oracle E-Business Suite Release 12 [ID 403537.1] -- Page 22, under "LIMIT ACCESS TO FORMS ALLOWING SQL ENTRY" section.
    Thanks,
    Hussein

  • BO XI 3.1 Security setup

    Hi,
    Can anybody help me to provide security model for BO XI 3.1 platform. We are migrating from BO 5.1.x to BO XI 3.1.
    As Xi 3.1 security setup has changes compare to XI R2. Please let me know the details and suggest to proceed.
    Thanks in Advance.
    Cheers,
    Krsna

    Hi,
    You can check this forum post, very handy :
    http://www.forumtopics.com/busobj/viewtopic.php?t=119849&highlight=security+mortals
    For the details, read everything and you will have an idea on how to start.
    Samuel.

  • Security Setup Wizard

    How can I turn off the security setup wizard that runs every time I boot the system up?

    How can I turn off the security setup wizard that runs every time I boot the system up?

  • MultiPool suspension failures and security setup

    Hi,
    I am testing a multi-pool on 81sp5 and when I pull the plug on one of the underlying databases I get the following error (& the pool goes to the Unhealthy state but not to the Suspended state).
    <07-Feb-2007 14:46:46 o'clock GMT> <Error> <JDBC> <BEA-001254> <MultiPool PhxAvlMultiPool unable to
    disable connection pool phxAvlPoolA, got exception: weblogic.common.resourcepool.ResourcePermissions
    Exception: User "<anonymous>" does not have permission to perform operation "admin" on resource "phx
    AvlPoolA" of application "null" of type "ConnectionPool".>
    Does this mean to use the multi-pool effectively I also need to modify the security setup? (I am currently using the defaults). And does that mean I should grant admin privs on the pools to the anonymous user (which seems wrong)?
    NB If I specify the CountOfRefreshFailuresTillDisable attribute, then I still see the error message but the pool goes to the Suspended state anyway; presumably via some other means.
    Cheers,
    Trent

    Dave Woolaway wrote:
    Hi,
    I am testing a multi-pool on 81sp5 and when I pull the plug on one of the underlying databases I get the following error (& the pool goes to the Unhealthy state but not to the Suspended state).
    <07-Feb-2007 14:46:46 o'clock GMT> <Error> <JDBC> <BEA-001254> <MultiPool PhxAvlMultiPool unable to
    disable connection pool phxAvlPoolA, got exception: weblogic.common.resourcepool.ResourcePermissions
    Exception: User "<anonymous>" does not have permission to perform operation "admin" on resource "phx
    AvlPoolA" of application "null" of type "ConnectionPool".>
    Does this mean to use the multi-pool effectively I also need to modify the security setup? (I am currently using the defaults). And does that mean I should grant admin privs on the pools to the anonymous user (which seems wrong)?
    NB If I specify the CountOfRefreshFailuresTillDisable attribute, then I still see the error message but the pool goes to the Suspended state anyway; presumably via some other means.
    Cheers,
    TrentHi. This is a known bug with a fix available. Ask support for the
    patch for CR251945, CR251945_81sp5.3.jar
    Joe

  • No icon for security setup

    I have a new Linksys wireless router that I successfully installed yesterday.  It seems to work fine.  But I cannot setup the security because there is no icon in my system tray in the lower right corner of my screen.  There are lots of icons there but no Linksys icons.  I reinstalled the router but still no icon.  I have looked at the entire tray, not just the most used icons.
    Any suggestions?
    Amy

    Amy are you talking about wireless security?
    Try to go to http://www.linksys.com/kb.
    look for answer id 949
    it has explicit intsructions on how to setup wireless security.
    I read this website alot and it teaches you alot of things,
    "Give them nothing... But take from them everything..."
    -Leonidas "300"

  • Roll based security setup in jsf

    hi all,
    can anyone write me the procedure how to setup roll based security that is, when a user login to my page, menu will be created that i have set for that user in database.
    i also need to know the process, how to set role in database....
    Thank you

    i want to put all information include user access
    role in database.
    please tell me, how to do this..
    Thank you1. create a table called USERS.
    2. create columns in this database that include but are not limited to, USERNAME, ROLE.
    3. Populate the table.
    4. When a user logins, query the table.
    5. Direct the user to the appropriate JSP based on the role using RequestDispatcher's facilites.

  • Wireless Router Security Setup

    Sorry in advance if this is a stupid question but I am fairly new to my mac. (love it by the way)
    We have DSL at home and recently bought a Belkin Wireless G router. I put in the cd that came with it and selected the Mac option for install. Now, after this it took only a few seconds and was done. All connected and up and running in nothing flat. My wife was able to connect via her PC laptop no problem.
    I want to secure this wireless connection and I can't quite figure out how. Oddly enough there is no Belkin icon for me to click on to get into any properties. When I type belkin into my spotlight search nothing comes up. I assume I should be setting up the security directly on my mac somehow but just not sure how.???
    Have tried reading and searching but still can't find anything. Right now I am assuming my question is just too simple so no one else has this problem but I just can't get my pea sized intellect to figure it out.
    Thanks All!

    Well, you do have Security on your Mac, but what you want is to address the router's Setup page
    Run Safari and type this into the url bar...
    http://192.168.2.1
    You should see a Menu there.
    Come to think of it, this is probably the best source on how to...
    http://www.portforward.com/english/routers/wireless/routerindex.htm
    I think this might be your Router.
    http://www.portforward.com/english/routers/wireless/Belkin/F5D7230-4/F5D7230-4in dex.htm
    Message was edited by: BDAqua

  • Cisco 3550 SMI switch for security setup ?

    I have a 3550 SMI IOS 12.2 switch, I want to setup http, https, dns services for internet. I do not need to set up any mail or web server.
     The connection as follows:
    Internet ---------Modem----------3550-----------Computer
    Modem has no security function, all the security setting will be on 3550 switch. So what is the best approach ?
    Is it layer 2 or layer 3 security ? and can I run VPN for the internet surf ? Please kindly advise.
    Thanks,
    Susan

    Thanks for the Reply.
    When I config the switch I find out some interesting things, I am no sure if the
    configuration is correct or I miss something ? Please help take a look.
    access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny   ip host 0.0.0.0 any
    access-list 101 deny   ip host 255.255.255.255 any
    access-list 101 deny   tcp any any eq bgp
    access-list 101 deny   eigrp any any
    access-list 101 permit udp any any eq domain
    access-list 101 permit tcp any any eq www log
    access-list 101 permit tcp any any eq 443 log
    access-list 101 deny   ip any any log
    int fa0/1
    switchport
    switchport access v 10
    switchport mode access
    access group 101 in
    int vlan 1
    no ip add
    That work normal
    But if when I put access list 101 to vlan interface 10, my computer can access the internet. ???
    access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny   ip host 0.0.0.0 any
    access-list 101 deny   ip host 255.255.255.255 any
    access-list 101 deny   tcp any any eq bgp
    access-list 101 deny   eigrp any any
    access-list 101 deny   ip any any log
    int vlan 10
    ip add 192.168.1.1 255.255.255.0
    access group 101 in
    int fa0/1
    switchport
    switchport access v 10
    switchport mode access
    int vlan 1
    no ip add
    For both case, Vlan 1 is down, I connect nothing and assign nothing to vlan 1.
    So is the configuration has problem ? or
    Something to do with vlan 1 ?
    or something I miss ? 
    Thanks

  • Internet Security setup

    Hello,
    I would like to setup my Xserve as an Internet Gateway and DNS server for a small network. The WAN interface for the server would be connected to a ISP Cable Modem, and set to the Primary Interface. I was wondering what device to put protect the network (From the Cable Modem to the Server interface)
    because I tried doing this before and the network was breached. Also, I was wondering how I could connect the Server to a fiber optic switch (To share the internet and file services from the server).
    Thanks

    I would like to setup my Xserve as an Internet Gateway and DNS server for a small network.
    Why?
    Think about that very carefully before you answer. The XServe makes a very poor internet gateway device - or at the very least, a very expensive one. For the most part, your typical $50 home router does a better job.
    DNS isn't an issue - it's perfectly reasonable to run your own DNS server for your network, but as a gateway system there are many many factors to consider.
    First off is configuration. Pretty much, Mac OS X Server has an on/off toggle switch for whether it should share the network connection, but that's it. There's no reasonable interface for managing public vs. private services, and no interface for managing port forwarding to allow external clients to get to internal systems.
    What this means is that at the very least you need to be comfortable with configuring the firewall and NAT daemons via the command line.
    It also means you need to be VERY careful in setting up the other services you run on this machine - by default every service will listen on every interface, so if you run an Open Directory server, or an AFP server, or a Calendar server, or a print server, or any other server, then that service will be available to random internet clients. You have to go out of your way to secure these services to only listen on the internal network.
    That is, of course, unless you only run the NAT service, but then that's a pretty expensive box for just running NAT, and that's why I say a just get a cheap old NAT router and be done with.
    You could put a firewall in front of the server but you're now just adding to cost, and the chances are that firewall will handle NAT just as easily (if not more so) than Mac OS X Server.

  • Wireless AP that will allow more than one security setup

    I have a customer that is looking to install a new AP and have
    it accessible by their employee's and visitors.  So is there an AP out there that will allow you to setup more than one SSID and have one of the SSID's with access to the local network/internet and the other SSID set to have only access to the Internet??
    Thanks in advance for any thoughts on this.
    Mike

    We used the 1131 AP.  We set up 2 different WLAN's.
    Business WLAN = 172.16.x.y with WPA security
    Guest WLAN = 192.168.x.y with WEP security
    The AP was connected to a 3560 switch on a trunk port.  So the Guest WLAN is in a different VLAN and access was controlled through an ACL.  Guest can only access the Internet.
    I'm sure some of the other Cisco AP's wil do the same thing.

Maybe you are looking for