
Security and Auditing in HFM

Chris Barbieri Edgewater Ranzal

About Edgewater Ranzal


One of the Largest Hyperion Practices in the U.S.
Oracle / Hyperion Platinum Partner - Highest Status
15 Years
700+ clients
1000+ projects
Vertical Expertise with High-Profile Clients from Coast to Coast
Sound Project Methodology Ensures Project Success
One Stop Shop for ALL EPM Implementation needs

Our Services

Consolidation

Business Intelligence

Planning

Data Services

Project Management

Infrastructure

Agenda

Roles

The verbs: actions a user can perform
Review roles for:
  HFM
  Reporting and Analysis
  Shared Services

Classes

The nouns: objects on which you can perform those actions

Auditing and Reporting

Who did what, and when?

Shared Services Console

Central module where most security management is performed

Provision

EPM System predefines tasks or collections of tasks into Roles
For now, let's start with a user: Joe Admin

Select the username, right-click, and Provision

Available Roles

List of roles from registered products
Presented either by product, or Application Group
All roles are listed and explained in the hss_admin.pdf

\V25453-01\EPM System Installation Documentation \EPM System Installation

Foundation Roles

Roles are listed in a hierarchy

Called Aggregate Roles
Access to the parent yields its children

Can have alternate roll-ups

Used in Reporting and Analysis

EPMA Dimension Management


Grant all users the Shared Services Dimension Editor role
Select each dimension in the dimension library, and choose System from the category menu

Calc Manager

Two HFM roles


Rules Designer
Rules Viewer
per product

One Shared Services role

Provisioning Manager

Role for each application and product
Allows the user to grant/remove role and class access to other users

Cannot provision themselves unless they have the Shared Services Administrator role
Application Administrator does not allow provisioning

Reporting and Analysis Roles


Majority of roles relate to Interactive Reporting / Production Reporting
Appendix A in the hss_admin.pdf document lists all of the roles, by product

FR Role Recommendations
Role          | Reporting and Analysis Administrator | Report Designer | Explorer
Administrator | Yes                                  | implied         | implied
Report Writer |                                      | Yes             | Yes
Viewer        |                                      |                 | Yes

Administrator can do anything but provision other users
Report Designer still needs the Studio client
Explorer grants access to the full list of reports, subject to the folder/object level access

Hyperion Financial Management Roles: Administrator

Administrator role permits all tasks
  ALL access to all classes
  but not Provisioning Manager

Independent of access to the Administration menu items

These are not application specific
  Create Application
  Enable/disable connections
  Users on System, etc.

EPM System configurator > Financial Management > Configure Application Server

Configure HFM System Administrators

Application Security

Creator Group

Can create new Classic applications

Administrator Group

Can be Native or External group


Almost always left at * = EVERYONE / WORLD
Must be changed later, as part of security design process

Hyperion Financial Management Roles: Power User

Typical setup, excluding Process Management

Hyperion Financial Management Roles: End User

Typical setup, excluding Process Management

Secure at Group or User Level?

Best practice is to apply security at the group level

Then manage group membership for the users

This becomes a bad approach when #Groups > #Users

Native or External?

Users

Leverage security policies from external providers (MSAD/LDAP)
Native has no password policy management
Greatest flexibility in Native groups
Allows IT security to control users
Hyperion admins are best suited to control access

Groups

Place users into groups
Provision or assign class access as needed
Provide reports for auditing

Classes
1. Create classes
   Dimension in EPMA
   Create inside Shared Services module in Classic

2. Assign to metadata or HFM documents
   Entities, Accounts, Customs, Scenarios
   Grids / forms / journals / system reports

3. Assign access to the classes
   User or group must have at least one role
   If no other role applies, then grant Default role

Group Naming Schemes

Role access for the various modules
  rg_EPMA_* for EPMA
  rg_HFMAppName_* for the HFM application
  rg_ReportWriters modify Financial Reports
  rg_Security for access to Shared Services

HFM dimension access groups
  eg_HFMAppName_* = entity dimension access
  dsg_HFMAppName_* = data source dimension access (Custom4)
  sg_FMRLCA_* = scenario dimension access


Class Naming Schemes

Prefix classes according to the dimension they secure


ec*: entity class
ac*: account class
c1c*..c4c*: custom dimension class
  Where possible, use the dimension alias
  dsc*: DataSource class, instead of Custom4
sc*: scenario class
dc*: document class

Not searchable

Classes are only sorted alphanumerically
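
The prefixes in the group and class naming schemes above can be checked mechanically. This is an added example, not part of the original presentation: it classifies exported group and class names by those prefixes and lists the names that fit neither scheme. The sample names and function names are constructed, and Custom4 as the data source dimension follows the page's own example.

```python
import re

# Prefix rules transcribed from the naming schemes on this page
# (regex prefix -> purpose). Custom4 as the data source dimension is the
# page's own example and is an assumption for any other application.
GROUP_RULES = {"rg_": "role access", "eg_": "entity dimension access",
               "dsg_": "data source dimension access (Custom4)",
               "sg_": "scenario dimension access"}
CLASS_RULES = {"ec": "entity class", "ac": "account class",
               "c[1-4]c": "custom dimension class", "dsc": "DataSource class",
               "sc": "scenario class", "dc": "document class"}

def classify(name, rules):
    """Return the purpose implied by the name's prefix, or None.
    A bare prefix with nothing after it (for example "eg_") is rejected."""
    for prefix, purpose in rules.items():
        if re.match(prefix + r".", name):
            return purpose
    return None

def audit(names, rules):
    """Return ({purpose: [names]}, [non-conforming names]), both sorted."""
    by_purpose, violations = {}, []
    for name in sorted(names):
        purpose = classify(name, rules)
        if purpose is None:
            violations.append(name)
        else:
            by_purpose.setdefault(purpose, []).append(name)
    return by_purpose, violations

def custom4_alias_hints(class_names):
    """Classes named c4c* that could use the dsc* alias recommended above."""
    return sorted(n for n in class_names if n.startswith("c4c"))

# Constructed sample names, not taken from a real application.
GROUPS = ["rg_EPMA_Editors", "rg_Security", "eg_HFMAppName_Europe",
          "dsg_HFMAppName_GL", "sg_FMRLCA_Actual", "Finance Team", "eg_"]
CLASSES = ["ecEurope", "acRevenue", "c1cProduct", "c4cGL", "dscGL",
           "scActual", "dcReports", "EuropeEntities"]

if __name__ == "__main__":
    for label, names, rules in (("groups", GROUPS, GROUP_RULES),
                                ("classes", CLASSES, CLASS_RULES)):
        print(label, "non-conforming:", audit(names, rules)[1])
    print("consider dsc* alias for:", custom4_alias_hints(CLASSES))
```

The check is prefix-only, so a name that merely happens to start with a prefix is accepted; it catches unprefixed names, not misleading ones.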

Assign Dimension Groups to Classes

Right-click on HFM application, then Assign Access Control

Select HFM Users / Groups

Only users or groups that have been directly assigned at least one role will show up

If you use groups, always use groups

Dimension groups must have Default role for the HFM app
Users / Groups selected here are available for a report

Select HFM Classes

Where the alphanumeric order and the class prefix come in handy
Classes selected are available for a report

Class Access Rights


Access Right | Description
All          | Full read/write access to the data or objects to which this class has been assigned.
Read         | Read rights to the data or objects to which this class has been assigned.
None         | No rights at all. If Enable Metadata Security Filtering has been turned on for the application, users with None access to a class won't even see the member in a metadata pick list, nor will they see an object with this class attached. If a user opens a grid, form, or report for an intersection where they have None rights, HFM will return NoAccess instead of the data value.
Metadata     | Overrides the Metadata Security filtering by allowing the member to be seen in a pick list, though the user will be unable to view the contained data. This setting is not common.

Assign Class Access


Pivot as you like
Highlight rows/columns
Change the Access Right for the selection
Click the check mark to activate
And save

HFM Role and Class Access Report

Output to html, Excel, CSV, PDF

Sample Output

Shared Services Role Report


Administration > View Report
Show Effective Roles = Yes

Shows what users inherit from group membership

Sample Output

Configure Auditing in Shared Services

Track changes in user provisioning
Track configuration changes

Not enabled, by default
Enable this for all products and applications
Purge after so many days
Save changes, restart services

Shared Services Audit Reports > Security Reports

Authentication and security changes

Security Reports: Detailed View

Shared Services Audit Reports > Artifact Reports

Lifecycle Management selections

Shared Services Audit Reports > Config Reports

Changes to settings in Shared Services

Speed Tip for Multiple External Providers

Normally a user name is passed sequentially among the external providers: MSADEast; MSADWest; MSADEurope, etc.
First, try using a Global Catalog
Try using group filters to more quickly isolate the users you want

Advanced Filters on Groups

Or go directly to a single provider

Data Audit in HFM

Enable DataAudit on Account and Scenario

Non-FDM only, please

Administration > Data Audit

Captures changes to <Entity Currency> only
Small increase in data load times

No impact on consolidation time

Task Audit in HFM


Always enabled
Captures lots of information, but not everything

Administration > Task Audit

Questions

Chris Barbieri cbarbieri@ranzal.com +1.617.480.6173 www.ranzal.com

Presentations

Calculation Manager: The New and Improved Application to Create Hyperion Planning Business Rules
  Monday, 11:15 am, Room 102C
Security and Auditing in HFM
  Tuesday, 4:30pm, 101B
Best Practices for Using DRM with EPMA
  Wednesday, 8:30am, 103A
Getting Started with Calc Manager for HFM
  Wednesday, 8:30am, 101B
Advanced Topics in Calc Manager for HFM
  Wednesday, 9:45am, 101B
Maximizing the Value of an EPM Investment with ERPi, FDM & EPMA
  Wednesday, 11:15am, 101B
Taking your FDM application to the next level with Advanced Scripting
  Friday, 8:30am, 101B
IFRS reporting within Hyperion Financial Management
  Thursday, 10:30am, 101B

