Escolar Documentos
Profissional Documentos
Cultura Documentos
User manual
Users management
One of the constant of a distributed application and thus of Tagetik is the login win-
dow where a user performs the authentication by entering username and password.
But behind this window there is not only the implementation of the "can I or not
access" mechanism. In an highly structured application various utilities need to be
scheduled, on the base of the type (role) of the user. For example some users can
access only the personnel costs management utilities, without knowing that the same
application manages other utilities. On the other hand, a second group of users may
fully control all the budget utilities and see the personnel cost data in "read only".
Moreover, it is often necessary to manage the data visibility to the various users in a
differed way. For example an entity with several production units may decide to give
visibility to data related to the production unit of the connected user only.
Thus beside the query "can I or not access" the system must schedule more specific
queries such as "which menus can I access? which activities can I perform? and on
which data?" etc...
In order to meet the abovementioned needs, Tagetik provides a user profiling system
that allows to protect sensitive data and to prevent data from being modified by not
licensed users. The profiling activity can be schematized in four steps:
Page 5
Users management
Create a user
A user can be created in two different ways:
l exclusive management in Tagetik. The user is created manually inside the
Repository of Tagetik. In this case we have a local user : the information
required to authenticate the credential of a user performing the login and the
information concerning the access rights are in the Repository of Tagetik;
l management of users in an external system (for example Active Dir-
ectory). At the moment of the login, the required data for the user authen-
tication and profiling are automatically copied in the Repository of Tagetik at
the first access and updated at the following accesses. In this case we have an
external user.
In Tagetik the users are created (manually or via copy utility) in the Repository
database and then copied (via the automatic Refresh Users utility) into each applic-
ation database the user can access. In the users table present in each application
database the user rights will be defined in the data model (namely what the user can
see and what insert / modify).
Page 6
Users management
l one users table in each application database (accessible from Setup & Admin /
Users Rights / Users Rights / Users Rights) where only the users authorized to
access that specific application database are stored and where the user rights
on the data model are defined.
Authentication
It is the process by which Tagetik checks if a user "Can access or not" the applic-
ation.Tagetik has its own user authentication system called "Default authentication"
based on its own Repository with its own users table. But several entities already
have a centralized authentication system of "active directory" type based, for
example, on LDAP technology that contains all information about users, password,
access rights.Tagetik is able to capitalize these repositories so as to perform an
external authentication. Thus external authentication means that when a user gives
his credentials(username and password) for the login, Tagetik accesses his inform-
ation stored in the external active directories in order to authenticate him in real
time.
We may say that the authentication is equal to a badge that allows to access a build-
ing.
Page 7
Users management
Whether the set authentication mechanism is different from the Tagetik's one, the
system requests to configure some parameters. This parameters can be specified:
l via System Properties set in the application Server.In this way the parameters
cannot be modified by the application and the abovementioned management
window displays its value with no way to modify it;
Page 8
Users management
Page 9
Create a new user
In Tagetik the users are created (manually or via copy utility) in the Repository
database and then copied (via the automatic Refresh Users utility) into each applic-
ation database the user can access. In the users table present in each application
database the user rights will be defined in the data model (namely what the user can
see and what insert / modify).
In the users table present in the Repository database, each user is identified by:
Page 10
Create a new user
l a code; It is the code the user must insert in the USERNAME field present in
the login opening window to access Tagetik;
l a description;
l an application language, namely language in which the application must be
displayed (menu items, headers, management windows fields names, warning
messages). Tagetik allows to define an Application default language to use
as an alternative when the default language set by the user is not available. To
be more precise, whether the application language is not available, the system
decides in which language to display the application by using the following rule:
it checks if the default application language is available, if not it looks for Eng-
lish and if neither this language is available it displays the application in Italian;
l a table language namely the language in which the system displays the
description of metadata elements;
l a nationality. Tagetik formats numbers and dates on the base of which nation-
ality is assigned to each user;
l a validity start date and a validity end date that, if set, prevent the user
from accessing the application whether the login date is not comprised between
them. For further details see Block user;
l a set of symbols employed by the system to display the indicators
inside the various windows (for example to highlight the unbalanced values
inside the data edit windows, the overrides in the management windows of
some tables or to understand/manage the status of a relationship inside the IC
matching cockpit). If the administrator enables the Use monocolor
symbols option the employed indicators will be black and white symbols
Page 11
Create a new user
whose shape is important, otherwise they will be symbols with the same shape
whose colour is important;
l a password rule.
The system, while creating a new user, assigns as default value to the application
language, application default language, table language and country information the
value set in the Repository configuration.
Utility
Preferences management
title bar;
o position the mouse cursor on an edge or a corner of the window, the cursor
turns into a double-headed arrow. By keeping clicked the button of the
mouse while the cursor is double-head shaped and by dragging the edge or
the corner of the window, the user can modify one size (edge) or two sizes
(corner) of the window.
l decide which columns must be displayed and in which order. This util-
ity affects only the grid part of the window;
l decide if determined columns must remain blocked and thus always vis-
ible when the content of the window is scrolled. This utility affects only the
grid part of the window;
l In presence of grid-detail windows, decide the proportion of the grid com-
pared to the detail . In order to modify the grid's height the user must use
the button present under the separation line between the grid and the detail.
Page 12
Create a new user
Once the user has performed such modifications, the new settings can be saved by
using the Save preferences button present in the buttons bar of the window so
as that, at the following opening, Tagetik displays it in compliance with the new set-
tings. The user can change the saved settings whenever he wants or reset the default
settings by using again the button . Indeed Tagetik, if preferences already exist for
a determined window, asks if the saved preferences must be overwritten or deleted
and thus the default settings re-enabled.
The preferences management is then performed for each user / window but Tagetik
provides also two utilities that allow to
l display for each user the saved preferences and thus to have a global vision on
all windows. This utility can be accessed from Repository / Users and Roles /
Users and Roles / Users / Element / Actions / Manage preferences;
l delete some preferences from more windows at the same time. This utility can
be accessed from Repository / Users and Roles / Users and Roles / Users / Ele-
ment / Actions / Manage preferences;
l copy the preferences set on a determined window from a user to another. This
utility can be accessed from Repository / Users and Roles / Users and Roles /
Users / Element / Actions / Copy preferences;
Page 13
Application rights
Application rights
What is a role
The role defines the activities a user can perform in Tagetik. A role is described by a
list of functions, that is a list of simple operations of the application that a user can
choose and perform. Typically the functions are:
l windows / tables managements
l data processing
l report
and in the most of cases a function corresponds to a menu key or to a window menu.
The Role defines if the User can use each function fully, only in display mode (as far
as tables are concerned) or if he cannot use it at all.
The functions present in a X role are only those available to the user who accesses a
database by using the X role.
$ALL A user provided with this role can access any util-
Page 14
Application rights
ity
$AUDIT A user provided with this role can visualize all data
and all the tables but he cannot modify them
Page 15
Application rights
$ANALYTICS A user with this role can see the reports published
on Tagetik Analytics Web portal according to his
rights but he cannot access the web side of the
application
l Custom role. These roles meet the need of defining specific groups of activ-
ities different from those scheduled by the system roles.
Page 16
Application rights
l starting from another role called "reference roles. In this case the func-
tions the systems considers related to the X role are gained:
o by summing all functions of the reference role;
o by applying overrides, in addition or subtraction, directly related to the
role.
Defining a role as sum of other roles (namely by using reference roles) is par-
ticularly useful when overrides are required; otherwise, the "sum" of the role's
functions can be gained by relating more roles to the single users, without defin-
ing further "sum" roles. The reference roles management windows can be
accessed from Repository / Users and Roles / Users and Roles / Roles / roles
table / Actions ( )/ Details / Reference roles (in this case the reference roles
can be defined only for the selected role) or from Repository / Users and Roles
/ Users and Roles / Roles / Users/Ref. Roles relationships / Reference roles
Page 17
Application rights
In both cases, during the saving, the system deploys the inserted data so as to gen-
erate a deployed table where, for each role, it specifies:
l the functions related to the role;
l for each function, if it is available to the user or if the user can only view the
table but not modify it.
Any modification applied to the role can be applied automatically to all custom
roles having this role as reference role just by deploying the roles.
Examples
Page 18
Application rights
3 - For the role, apply an override by enabling also the "0000227 - Administration -
Basic Admin - Data - Exchange Rates" function.
Example 2 : Let us assume we want to define "from scratch" a custom role that
allows us to access in read only both the master data tables and the data tables. The
steps to follow are:
1 - In the custom roles table, create a record having "USER_VIEW" as role and "User
view-only" as description;
2 - Assuming that FOUND_PARAM is the module containing all the functions related to
the tables management and GENERIC_DATAENTRY the module containing all the func-
tions related to the generic data entry (amounts, preconsolidation adjustments...),
define the functions to enable for the role as follows:
Page 19
Application rights
Example 3: Let us assume we want to create an user being at the same time admin-
istrator and consolidator but not contributor. In this case we can act in two ways:
l create a custom role having as reference roles the two system roles
$ADMINISTRATOR and $CONSOLIDATOR;
l not use the reference roles but just, during the relationship step of the user to
the application database on which it must be enabled, relate it to the two sys-
tem roles $ADMINISTRATOR and $CONSOLIDATOR . For further details about
the user / role / database relationship see Users / Roles relationship.
Utility
Copy
The definition of the functions related to a role can be performed manually or by copy-
ing it from another existing role and then performing the needed modifications. This
utility can be accessed from Repository / Users and Roles / Users and Roles / Roles /
Roles table / Actions ( )/ Copy enabled functions from and allows to copy the func-
tions definition from a custom role to another.
Page 20
Application rights
can access and at the same time, for each database, relate a role so as to specify the
list of activities the user can perform (set of visible menus).
Page 21
Application rights
Page 22
Application rights
Similarly each user that must inherit the roles from one or more reference
users will have the Inherit roles from Reference user option enabled in the
table (blue highlighted field in the previous image).
The definition of the reference users related to a user can be accessed from
Repository / Users and Roles / Users and Roles / Users / Element / Actions (
)/ Details / Reference Users.
users" option enabled, namely it will be a reference user for the roles;
o in the users table of the application database, the " Reference user for
other users" option disabled, namely it will not be a reference user for the
restrictions on data;
o$USER role in the application database
l the USER2, ..., USER10 users with the "Inherit roles from Reference user "
option enabled and, as reference user for the roles, the USER1 user
l A user can access a database if a role has been directly assigned to him in such
database or if at least one of his reference users has a role in such database.
l A user can access several databases at the same time with different roles.
Page 23
Application rights
Examples
Example 1: Let us assume to have a user USER1 and three application databases
TEST1, TEST2, PRODUCTION. While defining the user / database / role relationships
we can define
USER1 TEST1 ROLE X
USER1 TEST2 ROLE Y
In this case the user USER1 can work in the TEST1 and TEST2 databases but not in
PRODUCTION since no row relates the user to the PRODUCTION database. Moreover,
in TEST1 the user can perform all the activities defined for the role X while in TEST2
all the activities defined for the role Y.
Example 2: Let us assume we have defined "piecemeal" roles, namely several roles
each one enabling a limited group of activities: in this case, in order to enable the
user to all the activities, we can relate a list of roles in a certain database so as to
have the single role
USER 1/TEST1/ROLEK
USER 1/TEST1/ROLE L
USER1/TEST1/ROLEM
Example 3: Let us assume we have 10 users USER1, ..., USER10 that must perform
the same activities in the PRODUCTION database. In this case we can create a USER1
reference user, define his role in the PRODUCTION database and let the other 9 users
inherit the roles from USER1.
Area profiles
Tagetik allows the system administrator to delegate other peripheral administrators
to manage the authorizations of a users group (area).
This is realized introducing the concept of area profile.
An area profile is a fictitious user that, in terms of roles and restrictions on data, rep-
resents the limit of what the peripheral administrator is allowed to do.
The users belonging to a determined area and thus managed by the same area profile
cannot perform other activities than those assigned to the area profile; namely, they
cannot do more than the area profile can.
Page 24
Application rights
If a user is related to an area profile in the Repository, then for each application data-
base the list of functions assigned to him can never exceed the activities related to
the area profile for that application database.
If a user is related to an area profile in the application database, then in that applic-
ation database the elements of the single dimensions he can access cannot exceed,
dimension after dimension, the elements the area profile can access.
Page 25
Application rights
Page 26
Data Rights
Data Rights
The definition of the user's rights on data is the process by which Tagetik checks, for
all the utilities a user is allowed to access in an application database, whish data he
can see (visibility) and which ones he can insert / modify (editability). In this way the
system can have both the group of data visible to the user and the group of data the
user can edit (the two groups can be different from each other).
A distributed application like Tagetik generally involves few administrators and many
contributor users. That is why the request to limit the group of elements in which data
can be inserted/modified is very common. For Example, the contributor user A may
see and edit only data of the entity A00 while the contributor user B may see and edit
only data of the entity B00. Such rights can be defined by specifying which elements
of a dimension must be included into the editable elements set of a user.
n a node this implies automatically the visibility of the node and of all the
underlying entities.
o the entities the user can only display must be explicitly specified
Page 27
Data Rights
can process a consolidation scenario then he can automatically visualize it. The
consolidation scenarios the user can only display must be explicitly specified
filing. For example when there is a users class that must have a determ-
ined right on categories and on scenarios, it is possible to create a
reference user (in this case a fictitious one) that on scenarios and cat-
egories has the required rights and on the other dimensions has no vis-
ibility.
Thus a reference user is a user that can be given a reference by others so as to
inherit rights on data. A reference user can be a fictitious user or a real user.
The definition of the reference users can be performed in the users table of the
application database accessible from Setup & Admin / User rights / User rights
enabling the Reference users for other users option (field highlighted in
red in the following image).
Page 28
Data Rights
Similarly, each users that must inherit rights on data from one or more ref-
erence users will have the Inherit restrictions from the Reference user
option enabled in his table (field highlighted in blue in the previous image).
The definition of the reference users related to a user can be accessed from
Setup & Admin / User rights/ User rights / User rights / Actions ( )/ Details /
Reference Users.
Page 29
Data Rights
The permissions on the entity dimension are defined according to the rule that each
editable/submittable entity/node is automatically visible as well. Thus:
l whichever activity the user can perform on an entity, the visibility is not auto-
matically implied .
l whichever activity the user can perform on a node, the visibility of the node
and of all the entities below is automatically implied .
If needed, the entities which the user has in visibility only have to be explicitly spe-
cified.
For example for the user USER1 we can have:
Editability rights = entity A, B and C
Visibility rights = entity A, B, C (inherited from editability rights) and D (visibility
only)
In Tagetik by default a new user is "restricted" on the entities and not restricted
on the tasks. This means that until the entities he can access are not inserted manu-
ally, he has not visibility on any entity. But after defining the entities he can run,
unless there is a specific restriction, all tasks of the various Workflow Models.
Page 30
Data Rights
to the entities defined in the Actions( ) / Restrictions entity and task window
Page 31
Data Rights
Rights on entities
The management of rights on the entity dimension, when the restriction type is
"Restricted...", can be accessed from Setup&Admin / User rights / User rights / User
rights/ Actions ( defined in the Actions( ) / Restrictions entity and task window) /
Restrictions Entity and Task and then selecting the Entity section.
The description of the management of rights on entities is performed when the restric-
tion type is "Limited" because in the other cases the information to manage is just a
subset.
Page 32
Data Rights
o only one limited set of operational tasks that can be selected within a:
n Generic list (Run operational tasks - Generic list). In this case the
a:
n Generic list (Run Submission tasks - Generic list). In this case the
definition is performed in the Generic list Task tab of the Restriction
Entity and Task definition window and is valid fr the entities having the
"generic list" option enabled;
n Specific list (Run Submission tasks - Specific list). In this case the
definition is performed form the row menu (selecting the record via
double click or from the Actions/ Details) of the selected record. This
option allows to limit the user on the tasks to run in relation to the
entity
o no submission / approval task (Run submission tasks - None).
a:
Page 33
Data Rights
n Generic list (Run Submission tasks - Generic list). In this case the
definition is performed in the Generic list Task tab of the Restriction
Entity and Task definition window and is valid for the nodes having the
"generic list" option enabled;
n Specific list (Run Submission tasks - Specific list). In this case the
definition is performed form the row menu (selecting the record via
double click or from the Actions/ Details) of the selected record. This
option allows to limit the user on the tasks to run in relation to the node
o no submission/approval task (Run submission tasks - None).
a:
n Generic list (Run Submission tasks - Generic list). In this case the
definition is performed in the Generic list Task tab of the Restriction
Entity and Task definition window and is valid for the nodes having the
"generic list" option enabled;
n Specific list (Run Submission tasks - Specific list). In this case the
definition is performed form the row menu (selecting the record via
Page 34
Data Rights
double click or from the Actions/ Details) of the selected record. This
option allows to limit the user on the tasks to run in relation to the node
o no submission tasks (Run submission task - None)
4 - Visibility
in which are defined the entities which have not been specified in the "Contributor ele-
ments rights" tab of which we only want to display data. By default each entity / edit-
able / submittable node is automatically also visible. Thus:
l whichever activity the user can perform on an entity, its visibility is auto-
matically implied.
l whichever activity the user can perform on a node, the node's visibility and of
all the entities below is automatically implied
After completing the Entity rights definition, it is necessary to run the deployment
(via the button) in order to generate the detail tables the system uses when applying
the user rights. The result of the deployment is displayed in the "Deployed data" area
of the Restriction Entity and Task definition window.
Page 35
Data Rights
l Contributor nodes specific task list that shows the result of the specific
task list deployment namely the detailed list of approval / submission tasks
that can be run by the user for a specific contributor node
l Consolidator nodes specific task list that shows the result of the specific
task list deployment namely the detailed list of approval / submission tasks
that can be run by the user for a specific consolidator node
EXAMPLES
Let us assume that we have the following organizational hierarchy
Example 1: User with editability and visibility rights on all entities of the node B00
It is necessary to set the entity restriction type to "LIMITED", access the Restriction
Entity and Task definition window (via double click or from the Actions ( ) / Restric-
tion Entity and Task menu) and in the "Contributor elements rights" tab:
l select the node BOO - Subholding B on the left side of the window;
l enable the Insert data option in order to allow the user to collect and see data
on the four entities;
l specify that the user can run all the operational tasks setting the Run oper-
ational tasksoption with All;
l specify that the user can run the submission tasks setting Run submission
tasks with All;
l click on the button . The system inserts a record in the right side of the win-
dow using the "Add" action. This means that the user has the editability and vis-
ibility rights on all entities related to the node.
Page 36
Data Rights
Accessing the "Visibility" tab is not needed because in this example no visible entities
have to be added in addition to the entities to edit / submit on the first tab.
After saving the definition and running the "User rights - Entity rights" deployment,
the system displays in the "Entity" tab of the "Deployed data" area the list of the four
entities available to the user.
In the "Visibility" tab the system shows the entities of the node E B00 with restriction
type to edit/submit that means that the deployment generated these entities in vis-
ibility since they (or the related node) have been defined as to edit/submit entities in
the first tab "Entity rights" of the "Definition" area. This is due to the above men-
tioned logic according to which each entity / node to edit / submit is automatically vis-
ible as well.
Page 37
Data Rights
Example 2: Data entry exception management - User with editability and visibility
rights on all entities of the node B00 except entity B03. It is necessary to set the
entity restriction type to LIMITED and access the Restriction Entity and Task defin-
ition window (via double click or from the Actions ( ) / Restriction Entity and Task
menu). In order to set this restriction it is possible to define manually the list of "edit-
able" entities or working by exception as shown below:
l select the node BOO - Subholding B on the left side of the window;
l enable the Insert data option in order to allow the user to collect and see data
on the four entities;
l specify that the user can run all operational tasks setting the Run operational
tasksoption with All;
l specify that the user can run the submission tasks setting Run submission
tasks with All;;
l click on the button . The system inserts a record in the right side of the win-
dow via "Add" action. This means that the user has the editability and visibility
rights on all entities related to the node;
l select the Entity B03 on the left side of the window;
l click on the button . The system inserts a record on the right side of the win-
dow by "Delete" action. This means that the user has no rights on the entity
B03.
Page 38
Data Rights
,
After saving the definition and running the "User rights - Entity rights" deployment,
the system displays in the "Entity" and "Visibility" tabs of the "Deployed data" area,
the list of three entities available to the user. This list does not include the entity B03
and this means that the user cannot see, insert or modify data of this entity.
Please pay attention to the order in which the records are inserted because the
system processes them following the order in which they are displayed
Page 39
Data Rights
ticular, the button moves the selected record one position up and the button
moves it one position down;
l using the drag & drop
definition window (via double click or from the Actions ( ) / Restriction Entity and
Task menu) and in the "Entity rights" tab it is necessary to set the restriction as
defined in the example 2. Moreover, in this case it is necessary to access the "Vis-
ibility" tab and insert the Entity B03 that must be visible.
After saving the definition and the "User rights - Entity rights" deployment, the sys-
tem displays in the "Entity" and "Visibility" tabs of the "Deployed data" area, the list
of four entities available to the user. In this list, the first three entities have the
restriction To edit / submit and the entity B03 is visible only and has the Right type
field set to Visible only.
Example 4: Visibility inherited from the nodes restrictions: Submitter user of the
consolidation node A00.
A user that can submit on a consolidation or approval node, on a contributor node
(without read rights on the elements) has implicitly the visibility on all the node's ele-
ments.
Page 40
Data Rights
l click the button . The system inserts a record in the right side of the window
via "Add" Action
After saving the definition and running the "User rights - Entity rights" deployment,
the system displays the selected record in the "Nodes" tab of the "Deployed data"
area and in the "Visibility" tab all the entities belonging to the selected node with the
Right Type field set to "Visible inherited from to edit/submit".
Restriction on tasks
The task rights management is accessible from Setup & Admin / User Rights /User
Rights / Restriction Entity and Task selecting the "Generic task list" tab and it has to
be set if in the "Definition" area (see above) the "Run operational/submission tasks"
option has been set with "Generic list" in the various tabs
Page 41
Data Rights
The definition of the runnable tasks can be managed in two alternative ways:
l working on the tasks. For each available Workflow Model it is possible to
select the whole step or the whole task list or the single task the user can
access. For example, if a given user can perform various operations in the vari-
ous steps then it is possible to select within each step the tasks the user can
manage. For instance, in a Budget process a key account manager can insert
the quantity he expects to sell when collecting the information related to the
revenues and insert the costs of the department for which he is responsible
(example, access the Opex form) in the operational costs collection step;
l working by label. This modality is useful when the user is authorized to per-
form always the same operations in the various steps: for example, giving the
first approval or running the preliminary data processing of each step. In this
case, working by label is easier. Indeed the various tasks throughout the vari-
ous steps can be grouped by label. So assigning to each preliminary task (of
the various steps) the usual label "A", it is possible to assign only one restric-
tion row for that given user specifying that: the user is restricted on the label
"A" and he can run all the tasks related to this label.
The label that group the various tasks is defined and related to the various tasks
in each flow chart within the workflow model from the menu Setup & Admin / Work-
flow model / Workflow model / Action / Definition / WF by label.
Page 42
Data Rights
When task restriction has to be diversified by entity / node, in the various tabs it
is necessary to set the "Run operational / submission tasks" option with "Specific list"
and then define the various tasks by double clicking on the record. The restriction
definition window is like the one described for the "Generic list".
EXAMPLES
Example 1: User rights in a budget process.
Let us assume that the user has to run all the operational tasks of the Revenues Col-
lection step and of the Opex insertion task in the Opex/Capex step on all the entities
except the ones of North America where only the Global Assumption insertion task
(10GLAS) is enabled in the Payroll step.
This requires to set the entity right type to "LIMITED" and access the "Restriction
Entity and Task" window (via double-click or from the menu Actions ( ) / Restric-
tion Entity and Task). Then in the Entity Rights tab:
l select the root of the Regional View organizational hierarchy on the left side of
the window;
l enable theInsert data option;
l specify that the user must be limited on the operational tasks to run setting the
Run operational tasks option with Generic list;
l specify that the user must be limited on the submission tasks to run setting the
Run submission tasksoption with Generic list;
l click on the button . The system inserts a record in the rights side of the win-
dow using the "Add" action;
l select the node C00-North America of the organizational hierarchy in the left
side of the window;
l enable the Insert dataoption;
l specify that for that specific node, the runnable operational tasks are not those
in the generic task list setting the Run operational tasks option with Spe-
cific list;
l specify that for that specific node the submission nodes are not those in the gen-
eric task list setting the Run submission taskwithSpecific list;
l click on the button . The system inserts a record in the right side of the win-
dow using the "Add" action
Page 43
Data Rights
l click on the button . The system inserts a record in the right side of the win-
dow using the "Add" action;
l select for the budget process BDG - Budget & Planning the task 30OP - Opex of
the OPX - Opex Capex della fase 40_OP - Opex / Capex Plan task flowchart ;
l click the button . The system inserts a record in the right side of the window
using the "Add" action
Now double click on the row related to North America in the "Entity Rights" tab to
define the specific task list and in the displayed window:
Page 44
Data Rights
l select for the budget process BDG - Budget & Planning the task 10GLAS -
Payroll Global Assumptions of the task flowchart PPU - Payroll Planning USA of
the step 20_PP - Payroll Plan;
l click on the button . The system inserts a record in the right side of the win-
dow using the "Add" action;
After running the deployment ( ) the system displays in the Deployed data area:
l in the "Generic task list" tab the result of the generic task list deployment
namely the list of approval / submission task that can be run by the user;
l in the "Entity specific task list" the result of the specific task list deployment
namely the detailed list of the approval / submission tasks that can be run by
the user for all the entities related to the node C00-North America.
Page 45
Data Rights
Example 2: User rights on a given label "3" that groups all the data processing tasks
in the various steps.
Let us assume that within the workflow model related to the budget process BDG the
label 3 has been related to the task 30GRLS - Gross Sale.
In order to define the above mentioned restriction it is necessary to set the entity
right type to "LIMITED" and then access the Restriction Entity and Task window (via
double click or from the menu Actions ( ) / Restriction Entity and Task). Then in the
Entity rights tab:
l select the root of the Regional View organizational hierarchy on the left side of
the window;
l enable the Insert dataoption;
l specify that the user must be limited on the operational tasks to run setting the
Run operational tasks option with Generic list;
l specify that the user must be limited on the submission tasks to run setting the
Run submission tasksoption with Generic list;
l click on the button . The system inserts a record in the right side of the win-
dow using the "Add" action
Page 46
Data Rights
Once saved, access the "Generic task list" tab and in the "Label" tab:
l select for the budget process BDG - Budget & Planning the label 3
l click on the button . The system inserts a record in the sight side of the win-
dow using the "Add" action
Page 47
Data Rights
After saving and running the deployment ( ), the system displays in the Deployed
data area in the "Generic task list" tab all the runnable tasks with the label specified
during the definition step.
Restrictions on dimensions
These restrictions are applied on the elements of the following dimensions:
l account;
l Category;
l Custom dimensions;
l original scenario;
l Consolidation scenario
they act both on the editability (as far as the consolidation scenario is concerned, by
the word editability we mean the possibility of processing the scenario) and on the vis-
ibility. If a user can manage one element of such dimensions then he can auto-
matically also visualize it.
The elements of these dimensions that the user can only display must be explicitly
specified.
For example if a user is allowed to access a subset M (e.g. C1, C2) among the N exist-
ing categories (e.g. C1, C2, C3 and C4), then the user will be able to manage and see
data characterized by the M categories but he will not be able to see data char-
acterized by the remaining N-M categories (C3 and C4).
By default, in Tagetik any new user has all rights for the existing elements. It is pos-
sible to limit the editability and/or visibility by specifying manually the editable
and/or visible elements.
The only two exceptions are given by:
l the category for which it is assumed that each new user is a contributor,
namely that he has rights only for the contributor's categories;
l the consolidation scenario for which each new user as no rights for any con-
solidation scenario by default.
Page 48
Data Rights
and set for each of these dimensions the corresponding attribute with:
l Unrestricted. In this case the user has all rights for all existing elements for a
determined dimension;
l Limited. In this case the user has rights only for the elements explicitly
defined as editable/visible. The definition of such elements is performed by
using an apposite management window accessible from the "Restrictions on
dimensions" window menu;
l By area profile. In this case, if the user belongs to an area profile he inherits,
as editable/visible, all elements related to that profile.
Page 49
Data Rights
Accounts rights
The management of the user rights on the account dimension can be accessed from
Setup & Admin / Users rights / Users rights / Users rights / Restrictions on dimen-
sions by selecting the Account restrictionssection.
The definition can be performed:
l by single accounts or
l by nodes of a hierarchy defined on the account dimension; it is possible to add
or delete from the nodes single accounts and/or lower level nodes.
Independently if a single element or a node is given, it is necessary to specify expli-
citly which are the accounts in visualization only, otherwise the account will be both
editable and visible to the user.
Restrictions on categories
The management of user rights in the category dimension can be accessed from
Setup & Admin / User rights / User rights / User rights / Restrictions on dimensions
by selecting the Category restriction section.
We remind you that by default a new user has rights in editability and visibility on all
the contributor's categories.
The definition can be performed:
l by single categories or
l by nodes of the categories grouping; it is possible to add or delete from the
nodes single accounts and/or lower level nodes.
Independently if a single element or a node is given, it is necessary to specify expli-
citly which are the categories in visualization only, otherwise the category will be
both editable and visible to the user.
Page 50
Data Rights
Restrictions deployment
During the saving, the system automatically performs the deployment of the restric-
tions definition on the dimensions generating, dimension by dimension, the detailed
list of the editable and/or visible elements.
Page 51
Data Rights
By default in Tagetik any new user has management rights for all the existing ele-
ments. It is possible to limit such rights by defining the manageable elements manu-
ally.
Page 52
Data Rights
and set for each of these dimensions the corresponding attribute with:
l Unrestricted. In this case the user has all rights for all existing elements for a
determined dimension;
l Limited. In this case the user has rights only for the elements explicitly
defined as manageable. The definition of such elements is performed by using
an apposite management window accessible from the Restrictions on other
dimensions window menu:
l By area profile. In this case, if the user belongs to an area profile he inherits,
as manageable, all elements related to that profile.
Restrictions on forms
The list of forms a user can visualize can be accessed from Setup & Admin / User
rights / User rights / User rights / Restrictions on other dimensions, by selecting the
Form restriction section.
The definition can be performed:
l by single forms or
l by nodes of the form grouping; it is possible to add or delete from the nodes
single forms and/or lower level nodes.
Page 53
Data Rights
ETL Restrictions
The management of this restriction type can be accessed from Setup & Admin / User
rights / User rights / User rights / Restrictions on other dimensions and then selecting
the corresponding section.
The definition can be performed:
l by single elements;
l by nodes of the ETL or ETL Job or ETL Routine environments grouping; single
lowest level elements and/or nodes can be deleted or added to the nodes
Restrictions deployment
During the saving step, the system performs automatically the deployment of the
restrictions' definition on the dimensions by generating, dimension by dimension, the
detailed list of the visible elements.
Page 54
Appendix
Appendix
Block user
Only the administrator user can block a user restraining him from accessing Tagetik.
There are several ways to block a user:
l temporary block. By enabling the Blocked Temporarily option present on
the Repository database's users table (Repository / Users and Roles / Users
and Roles / Users / Element) or using the Block / Unblock user utility (Repos-
itory / Users and Roles / Users and Roles / Users / Element / Actions ( )/
Remove users / Block/Unblock users) the administrator blocks temporarily the
access to Tagetik. The temporary block of a user can occur also when a user
types a wrong password at the login exceeding the number of allowed
attempts. In such case the system automatically blocks the user and in order to
allow him to access again the administrator must disable the above mentioned
option. It is important to notice that in this case the temporary block affects all
the databases the user can access
l block user / database relationship. After defining the roles, the admin-
istrator defines for each user the list of the application databases where he can
Page 55
Appendix
work so as to specify which applications the user can access and at the same
time for each database relates one or more roles so as to specify the list of the
activities he can perform (set of visible menus). At this step it is possible to
enable the Block temporarily option so as to deny the access to a specific
database. This possibility is particularly employed during the creation of a new
user so as to restrain the user from accessing the application and performing
what is enabled for his roles before the administrator has defined possible
restrictions in visibility and insertion/certification on data.
l Block for time limit exceeded. Tagetik allows to relate a determined user
that must work on the application only for a determined period of time
(because he has a fixed term contract, because he is on loan from another
office...) to a start date and an end of validity so as that if the login is per-
formed in a date that is not comprised between these dates the system does
not allow the user to access the application. It is important to notice that a user
with an expired date keeps the definition of the roles and of the possible restric-
tions so as that, if it is necessary to extend his expired validity or to make him
a definitive user, the administrator does not have to redefine the full para-
meterization of such user. The time validity of a user can be set from two dif-
ferent points:
o from the Repository users table (Repository / Users and Roles / Users and
Roles / Users / Elements). In this case the definition of the validity time
affects all the databases the user can access;
Page 56
Appendix
o during the user / database / role relationship step (Repository / Users and
Roles / Users and Roles / Users / users/roles Relationships or directly from
he users table via the Repository / Users and Roles / Users and Roles /
l final block. Via the Delete users utility accessible from Repository / Users
and Roles / Users and Roles / Users / Element / Action ( )/ Users closings /
Delete users, the administrator can permanently block one or more users from
accessing the database. By blocking a user permanently, the system deletes all
his roles and the parameterization of all his restrictions. Tagetik always
records inside the audit log the operations performed through these utilities so
Page 57
Appendix
as to have always full control of who, when and how operated on data. A per-
manently blocked user is not physically deleted from the database but labelled
as Deleted (the Edit status field assumes this value). By default when the
Repository database users management window is opened, the deleted users
are not visible. To see them it is necessary to modify the filters present in such
window, particularly to delete the filter present on the Edit status attribute by
deleting the No value from the list;
Password rules
Tagetik allows to define password validity criteria in accordance with the security
need of the relative organizations so as to guarantee the creation of safe and hard to
decode passwords. The level of security offered by the passwords depends on the
complexity of the passwords. The passwords with a higher level of complexity are
harder to decode and thus guarantee an higher security level.
The password security table can be accessed from Repository / Setup / Setup /
Authentication / Tagetik: password rules.
Page 58
Appendix
Page 59
Appendix
Change password
Each user can change, whenever he wants, his own Tagetik password by the menu
User menu / Password ( ) at the top right of the home page. The system opens the
Change password window
The system does not consider the setting of this option if the authentication
system is not the Repository.
Page 60
Appendix
In this window the system displays the user who has to change his own pass-
word. In order to perform the modification it is necessary to:
o insert the new password. The selected password has to satisfy the pass-
word rule associated to the user;
o insert the new password again so as that the system can verify its cor-
rectness;
o confirm the modification by clicking on the Change password button.
Recode user
Tagetik allows to change the codes assigned to the various users.
The recode utility can be accessed from Repository / Users and Roles / Users and
Roles / Users / Element / Actions ( )/ Users closings / Recode Users and affects all
the users previously selected in the users table.
Page 61
Appendix
Page 62
Appendix
The users recode data processing is a potentially very long operation, above all if
performed on several users having access to several databases. Thus it is recom-
mended to run it on few users at a time.
After recoding an user, the audit log of the old codes (if the recode operation is run
several times the old codes might be many) can be consulted from Repository / Users
and Roles / Users and Roles / Users / Element / Actions ( )/ Users closings / Show
recoded users. The system displays the full chain of the recoding performed on the
selected user (from the oldest code to the more recent one).
Thus if, for example, for the user test1 that was subjected to two recoding, first in
test01 and then in testA01, the system displays:
Page 63
Appendix
Page 64
Glossary
Glossary
A
account
The Account represents the basic nature of each information
stored in Tagetik. In the account dimension the user can open
any measure or metric, both financial and statistical.
actual
The Actual represents a set of information which have already
occurred in relation to a past period For example, the costs
incurred in January are considered actual costs in February
application database
An application database is a database where all data and data
sizes concerning the application are stored. A typical installation
of Tagetik consists in a Repository database where all the inform-
ation about the system management are stored (users, roles,
licenses etc.) and an application database for each application to
manage
application language
The Application Language is the interface language, namely the
language by which the application is displayed (menu items,
headers, fields names in management windows, error mes-
sages)
audit
The Audit is the means by which Tagetik keeps trace of all the
activities done and all the possible errors occurred in the course
of time. The audit is aimed at allowing the user to keep trace of
all the steps of the activities (directly run by the system or with
the intervention of the user) run during a certain time interval.
B
budget
The Budget represents a goal that the Entity is meant to achieve
in a certain lapse of time. Usually the Budget is related to a one
year long time horizon (for example budget 2003); in case of
Page 65
Glossary
more that one year we talk about plan. For our work area, the
budget is a forecast of revenues, costs, actual balance sheet and
cash flow that the Entity is engaged to achieve in a determined
lapse of time
C
category
In Tagetik the Category dimensions allows to classify and seg-
ment data (in particular the structures) and to trace the way data
is generated
cell field
A cell field allows to recover and display within a form the attrib-
utes of the dimensions used as filters
consolidation currency
The Consolidation Currency is the currency by which the con-
solidation is generated. It usually corresponds to the currency of
the Holding (but not necessarily)
consolidation scenario
The Consolidation Scenario is the scenario that indicates the
entity that defines the characteristics of the consolidation peri-
meter: the Holding, the entities to consolidate, the consolidation
methods,the consolidation currency, the data original source
scenario etc. On this type of scenario are stored "consolidated"
data that cannot be modified manually. The Consolidation Scen-
ario is also the rule that explains Tagetik how to consolidate the
entities of a determined consolidation perimeter.
currency
The Currency is the national currency in which a transaction or a
financial statement are performed.
custom dimension
A Custom Dimension is a dimension that allows to meet specific
business model's needs (products, clients, cost centres, ...).
Tagetik allows to define and manage up to five custom dimen-
sions
Page 66
Glossary
D
data entry mode
The Data entry mode allows the user to insert new data and to
modify data present in a data entry form
data processing
A Data Processing is a process that works on data. It reads input
data and generates output data according to built in rules (that is
encoded within the system) or rules defined by the User.
database
A database is a collection of information set to be easily accessed
for consultation, modifications and updates
design mode
The Design mode allows to modify a form structure
dictionary
A Dictionary is a list of admitted values for an ETL dimension
document currency
The Document Currency represent the currency bay which a cer-
tain operation has been performed (regardless of the currency of
the entity that performed it)
drill down
The Drill down utility allows to analyze the single parts aggreg-
ated data is made up of
E
ETL
The ETL (Extraction, Trasformation & Loading) is a completely
configurable engine able to extract data from external sources
such as Excel, text files, warehouse data, ERP systems (SAP,
Oracle or Microsoft) or from a Tagetik database; it is able to
change and load data into several custom dimensions, both
internal (Tagetik database) and external (generic database,
Excel or text file) to Tagetik.
Page 67
Glossary
ETL dimension
An ETL dimension is a column of the staging table where the ETL
engine copies data extracted from one or more external sources
ETL domains
An ETL Domain represents a macro container that includes all
attributes and information concerning a ETL rule (configurations,
extraction formats, transformation and load rules)
ETL routine
An ETL Routine is the smallest data processing unit which can be
run in an ETL process and contains all the routine run information
and the link to the details for the data extraction, transformation
and loading
event scenario
The Event Scenario is a fictitious scenario used by Tagetik to man-
age events by date, particularly the events of the group structure
F
financial statement template
A Financial Statement Template is a particular aggregation struc-
ture of accounts or accounts / custom dimension which is gen-
erally used to create standard financial statement templates
(P&L and IAS balance sheet, IV directive, direct / indirect cash
flow) but also KPI and other needed indexes for the reporting
fiscal year
A Fiscal Year represents the financial year to which the entity
management is related. Usually the fiscal year accrues from the
1st of January to the 31st of December; but different dates can
be also chosen. Tagetik does not manages an out-and-out fiscal
years table; rather, their definition is implicit in the definition of
the scenarios.
forecast
The forecast is the budget data udpate. The forecast is elab-
orated during the course of the year when the Entity closes the
first actual situations. When the actual is compared to the
budget, differences can occur; these originate new forecasts
exactly named forecasts The Forecast is related to a specific
month: for example in March the forecast is made through the
Page 68
Glossary
form
a Form is a special Excel spreadsheet used by Tagetik inside its
reporting and data entry "unified" system based on Microsoft
Excel to interact directly with the application database of Tagetik
so as to display / extract database information and save data
inserted by the user into the database.
form filter
A Form Filter is a filter type which affects the whole form
function
A Function is a basic operation the user can perform. Typically
the functions are the management of tables, data processing,
reports. In most cases a function corresponds to a menu key or
to a window menu; in some cases to more simple operations.
The functions definition is only aimed at the roles definition
G
grouping
A grouping is a multi- level structure with unlimited depth and
multi-parent (each node or element of the dimension can be
related to several parent nodes) which allows to group / organize
a set of elements in order to meet the various business needs
H
hierarchy
A Hierarchy is a closely hierarchical multilevel structure that
allows to aggregate / sort a group of elements in order to meet
the various business needs
holding
The Holding is the Entity that controls all the other entities of the
group by the ownership of shareholdings (control or anyway rel-
evant shareholdings). It is the entity that presents the con-
solidation financial statement
Page 69
Glossary
M
matrix
The Matrix identifies the forms area in which data present on the
application database are displayed. Technically, the matrix rep-
resents the combination of several filters to apply to the Tagetik
dimensions so as to have the set of data to display, like a SQL
query
matrix filter
A Matrix Filter is a filter type which affects the whole area of a
form matrix and thus not only the rows or the columns
module
The Module represents a set of functions. Each function belongs
to one module only. The modules definition has two goals: - to
simplify the roles definition. Indeed, when assigning the func-
tions to a role, it is possible to use the module to assign to the
role all the functions belonging to the module. to check the sys-
tems functions accessibility according to license purchased by
the customer. The list of functions a module is made of is preset,
and the users can not modify it
N
navigation mode
The Navigation mode allows the user to display data of a report
or of a data entry form. When the Navigation mode is used it is
not possible to edit data
O
original scenario
The Original Scenario is the scenario used by Tagetik for all the
data inserts: Amount, Preconsolidation and Consolidation Adjust-
ments. It includes the concepts of fiscal year and data version
(for example 2008ACT to describe the fiscal year 2008 and the
actual data version, or 2008BDG to describe the fiscal year 2008
and the budget data version, or 2008F6 to describe the fiscal
year 2008 and the forecast version edited at the end of June)
Page 70
Glossary
P
parameter
A Parameter is a particular type of filter which can be used inside
a form whose value in unknown until the form is run
period
The Period represents the basic unit by which the fiscal year is
divided. Typically the Period represents the month (it manages
12 Periods) but a manual management is also possible in order
to meet the user's business needs.
period length
The Period length is a specific dimension of the Reporting which
allows to manage within a form aggregated data for example in
quarters, semesters, etc from cumulated data present on the
Tagetik application database
process
The Process represents a business cycle (budget, actual, fore-
cast...) having a start date and an end date. Each Process: - can
have a single expiration date or several intermediate expiration
dates; - is repeatable with different expiration dates (monthly,
quarterly, half-year, annual); - can run on the entire data model
or on a part of it
R
Repository
The Repository is a centralized database where the users who
can access Tagetik, the roles (both system and custom) assigned
to the users that define the activities an user can do are man-
aged
role
A Role define the activity that a User can do in Tagetik. A role is
described by a list of functions, that is a list of simple operations
of the application that a user can choose and perform. Typically
the functions are: management of tables, data processing,
report; usually a function corresponds to a menu key or to a win-
dow menu. The Role defines if the User can use each function
fully, only in display mode (as far as tables are concerned)or if he
cannot use it at all.
Page 71
Glossary
S
scenario
The Scenario represents, together with the period, the time
dimension of Tagetik and includes also the concept of data ver-
sion
scheduling
The Scheduling is the delayed run of a data processing or a job; it
defines parameters and launch-time
SharePoint
SharePoint is the Microsoft cooperative platform, based on .NET
Framework, that provides a complete environment for the man-
agement of files, contents, business processes, etc
snapshot scenario
The Scenario Snapshot is a scenario where to "Freeze" data
before further modifications
SQL model
A SQL Model is a SQL language query that can be simply used in
the management windows where an ETL filter is employed
T
tab filter
A Tab Filter is a filter type which affects the whole area of a tem-
plate present in the form
tables language
The Tables Language is the language by which the metadata ele-
ments' descriptions are displayed
template
A Template identifies each Excel sheet present inside a form
U
user
The User is who can access Tagetik
Page 72