Security and Auditing in HFM Chris Barbieri Edgewater Ranzal

Upload: venkat-ramanareddy

Post on 26-Oct-2014


Security and Auditing in HFM

Chris Barbieri, Edgewater Ranzal

About Edgewater Ranzal

● One of the Largest Hyperion Practices in the U.S.
● Oracle / Hyperion Platinum Partner - Highest Status
● Vertical Expertise with High-Profile Clients from Coast to Coast
● Sound Project Methodology Ensures Project Success
● “One Stop Shop” for ALL EPM Implementation needs
● 15 Years, 700+ clients, 1000+ projects

Our Services

● Consolidation
● Business Intelligence
● Planning
● Project Management
● Infrastructure
● Data Services

Agenda

● Roles
  ● The verbs: actions a user can perform
  ● Review roles for:
    ● HFM
    ● Reporting and Analysis
    ● Shared Services
● Classes
  ● The nouns: objects on which you can perform those actions
● Auditing and Reporting
  ● Who did what, and when?

Shared Services Console

● Central module where most security management is performed

● EPM System predefines tasks or collections of tasks into Roles

● For now, let’s start with a user… Joe Admin

Provision

● Select the username, right-click, and Provision

Available Roles

● List of roles from registered products
● Presented either by product, or Application Group
● All roles are listed and explained in the hss_admin.pdf
  ● \V25453-01\EPM System Installation Documentation\EPM System Installation

Foundation Roles

● Roles are listed in a hierarchy
  ● Called “Aggregate Roles”
  ● Access to the parent yields its children
● Can have alternate roll-ups
  ● Used in Reporting and Analysis

EPMA Dimension Management

● Grant all users Shared Services “Dimension Editor” role

● Select each dimension in the dimension library, and choose “System” from category menu

Calc Manager

● Two HFM roles
  ● Rules Designer
  ● Rules Viewer
● One Shared Services role
  ● …per product

Provisioning Manager

● Role for each application and product
● Allows the user to grant/remove role and class access to other users
● Cannot provision themselves
  ● … unless they have the Shared Services Administrator role

● Application Administrator does not allow provisioning

Reporting and Analysis Roles

● Majority of roles relate to Interactive Reporting / Production Reporting

● Appendix “A” in the hss_admin.pdf document lists all of the roles, by product

FR Role Recommendations

Role | Administrator | Report Writer | Viewer
Reporting and Analysis Administrator | Yes | |
Report Designer | implied | Yes |
Explorer | implied | Yes | Yes

● Administrator can do anything but provision other users

● Report Designer still needs the Studio client
● Explorer grants access to the full list of reports
  ● … subject to the folder/object level access

Hyperion Financial Management Roles: Administrator

● “Administrator” role permits all tasks
  ● “ALL” access to all classes
  ● … but not Provisioning Manager
● Independent of access to the “Administration” menu items
  ● These are not application specific
  ● Create Application
  ● Enable/disable connections
  ● Users on System, etc.

● EPM System configurator > Financial Management > Configure Application Server

Configure HFM System Administrators

● Application Security
  ● Creator Group
    ● Can create new Classic applications
  ● Administrator Group
    ● Can be Native or External group

● Almost always left at “*” = EVERYONE / WORLD

● Must be changed later, as part of security design process

Hyperion Financial Management Roles: Power User

● Typical setup, excluding Process Management

Hyperion Financial Management Roles: End User

● Typical setup, excluding Process Management

Secure at Group or User Level?

● Best practice is to apply security at the group level
  ● Then manage group membership for the users

● This becomes a bad approach when #Groups > #Users

Native or External?

● Users
  ● Leverage security policies from external providers (MSAD/LDAP)
  ● Native has no password policy management
● Groups
  ● Greatest flexibility in Native groups
  ● Allows IT security to control users
  ● Hyperion admins are best suited to control access
    ● Place users into groups
    ● Provision or assign class access as needed
    ● Provide reports for auditing

Classes

1. Create classes
   ● Dimension in EPMA
   ● Create inside Shared Services module in Classic
2. Assign to metadata or HFM documents
   ● Entities, Accounts, Customs, Scenarios
   ● Grids/ forms/ journals/ system reports
3. Assign access to the classes
   ● User or group must have at least one role
   ● If no other role applies, then grant Default role

Group Naming Schemes

● “Role” access for the various modules
  ● rg_EPMA_* for EPMA
  ● rg_HFMAppName_* for the HFM application
  ● rg_ReportWriters modify Financial Reports
  ● rg_Security for access to Shared Services
● HFM dimension access groups
  ● eg_HFMAppName_* = “entity” dimension access
  ● dsg_HFMAppName_* = “data source” dimension access (Custom4)
  ● sg_FMRLCA_* = “scenario” dimension access

Class Naming Schemes

● Prefix classes according to the dimension they secure
  ● ec*: entity class
  ● ac*: account class
  ● c1c*..c4c*: custom dimension class
● Where possible, use the dimension alias
  ● dsc*: DataSource class, instead of Custom4
  ● sc*: scenario class
  ● dc*: document class
● Classes are only sorted alphanumerically
  ● Not searchable

Assign Dimension Groups to Classes

● Right-click on HFM application
● Assign Access Control

Select HFM Users / Groups

● Only users or groups that have been directly assigned at least one role will show up
  ● If you use groups, always use groups
● Dimension groups must have “Default” role for the HFM app

● Users / Groups selected here are available for a report

Select HFM Classes

● Where the alphanumeric order, and the class prefix, comes in handy…

● Classes selected are available for a report

Class Access Rights

Access Right | Description
All | Full read/write access to the data or objects to which this class has been assigned.
Read | Read rights to the data or objects to which this class has been assigned.
None | No rights at all. If “Enable Metadata Security Filtering” has been turned on for the application, users with “None” access to a class won’t even see the member in a metadata pick list, nor will they see an object with this class attached. If a user opens a grid, form, or report for an intersection where they have “None” rights, HFM will return “NoAccess” instead of the data value.
Metadata | Overrides the Metadata Security filtering by allowing the member to be seen in a pick list, though the user will be unable to view the contained data. This setting is not common.

Assign Class Access

● Pivot as you like
● Highlight rows/columns
● Change the Access Right for the selection
● Click the check mark to activate
● And save

HFM Role and Class Access Report

● Output to html, Excel, CSV, PDF

Sample Output

Shared Services Role Report

● Administration > View Report
  ● Show Effective Roles = Yes

● Shows what users inherit from group membership
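As an added example (not part of the original presentation), the following Python sketch reviews a role export against the recommendations in this deck: group-level provisioning, the rg_/eg_/dsg_/sg_ naming scheme, the “Default” role for dimension groups, and the Provisioning Manager plus Shared Services Administrator combination. The row layout, the `audit` function, the finding labels and the sample principals are assumptions constructed for illustration; they are not the real report export format.

```python
import re
from collections import defaultdict

# Constructed sample rows: (principal, type, directly assigned role).
# This layout is an assumption, not the actual report export format.
ROWS = [
    ("rg_HFMAppName_Admins", "group", "Administrator"),
    ("rg_Security", "group", "Provisioning Manager"),
    ("eg_HFMAppName_Europe", "group", "Default"),
    ("dsg_HFMAppName_Manual", "group", "Rules Viewer"),
    ("Consolidation Team", "group", "Rules Viewer"),
    ("jadmin", "user", "Provisioning Manager"),
    ("jadmin", "user", "Shared Services Administrator"),
]

ROLE_GROUP = re.compile(r"^rg_\w+$")           # role groups
DIM_GROUP = re.compile(r"^(eg|dsg|sg)_\w+$")   # dimension access groups
SELF_PROVISION = {"Provisioning Manager", "Shared Services Administrator"}


def audit(rows):
    """Return (principal, finding) pairs, ordered by principal name."""
    roles, kinds = defaultdict(set), {}
    for principal, kind, role in rows:
        roles[principal].add(role)
        kinds[principal] = kind
    findings = []
    for name in sorted(roles):
        held = roles[name]
        if kinds[name] == "user":
            # Deck: secure at group level, then manage group membership.
            findings.append((name, "direct-user-role"))
            # Deck: a Provisioning Manager cannot provision themselves
            # unless they also hold the Shared Services Administrator role.
            if SELF_PROVISION <= held:
                findings.append((name, "can-self-provision"))
        elif DIM_GROUP.match(name):
            # Deck: dimension groups must have "Default" for the HFM app.
            if "Default" not in held:
                findings.append((name, "dimension-group-missing-default"))
        elif not ROLE_GROUP.match(name):
            findings.append((name, "off-scheme-group-name"))
    return findings


if __name__ == "__main__":
    for principal, finding in audit(ROWS):
        print(f"{finding:34} {principal}")
```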

Sample Output

Configure Auditing in Shared Services

● Track changes in user provisioning

● Track configuration changes
● Not enabled, by default
  ● Enable this for all products and applications
● Purge after so many days

● Save changes, restart services

Shared Services Audit Reports >> Security Reports

● Authentication and security changes

Security Reports: Detailed View

Shared Services Audit Reports >> Artifact Reports

● Lifecycle Management selections

Shared Services Audit Reports >> Config Reports

● Changes to settings in Shared Services

Speed Tip for Multiple External Providers

● Normally a user name is passed sequentially among the external providers: MSADEast; MSADWest; MSADEurope, etc.

● First, try using a Global Catalog
● Try using group filters to more quickly isolate the users you want
  ● Advanced Filters on Groups

● Or go directly to a single provider

Data Audit in HFM

● Enable DataAudit on Account and Scenario
  ● Non-FDM only, please

Administration > Data Audit

● Captures changes to <Entity Currency> only
● Small increase in data load times
● No impact on consolidation time

Task Audit in HFM

● Always enabled
● Captures lots of information
  ● … but not everything

● Administration > Task Audit

Questions

Chris Barbieri
+1.617.480.6173
www.ranzal.com

Presentations

Calculation Manager: The New and Improved Application to Create Hyperion Planning Business Rules – Monday, 11:15 am, Room 102C

Security and Auditing in HFM – Tuesday, 4:30pm, 101B

Best Practices for Using DRM with EPMA – Wednesday, 8:30am, 103A

Getting Started with Calc Manager for HFM – Wednesday, 8:30am, 101B

Advanced Topics in Calc Manager for HFM – Wednesday, 9:45am, 101B

Maximizing the Value of an EPM Investment with ERPi, FDM & EPMA – Wednesday, 11:15am, 101B

Taking your FDM application to the next level with Advanced Scripting – Friday, 8:30am, 101B

IFRS reporting within Hyperion Financial Management – Thursday, 10:30am, 101B
