Security and Auditing in HFM
DESCRIPTION
Ranzal Practice Director Chris Barbieri gave this presentation at the recent ODTUG Kaleidoscope conference in Long Beach, California.
TRANSCRIPT
![Page 1: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/1.jpg)
Security and Auditing in HFM
Chris Barbieri, Edgewater Ranzal
![Page 2: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/2.jpg)
About Edgewater Ranzal
● One of the Largest Hyperion Practices in the U.S.
● Oracle / Hyperion Platinum Partner - Highest Status
● Vertical Expertise with High-Profile Clients from Coast to Coast
● Sound Project Methodology Ensures Project Success
● “One Stop Shop” for ALL EPM Implementation needs
● 15 Years, 700+ clients, 1000+ projects
![Page 3: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/3.jpg)
Our Services
● Consolidation
● Business Intelligence
● Planning
● Project Management
● Infrastructure
● Data Services
![Page 4: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/4.jpg)
Agenda
● Roles
  ● The verbs: actions a user can perform
  ● Review roles for:
    ● HFM
    ● Reporting and Analysis
    ● Shared Services
● Classes
  ● The nouns: objects on which you can perform those actions
● Auditing and Reporting
  ● Who did what, and when?
![Page 5: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/5.jpg)
Shared Service Console
● Central module where most security management is performed
![Page 6: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/6.jpg)
Provision
● EPM System predefines tasks or collections of tasks into Roles
● For now, let’s start with a user… Joe Admin
● Select the username, right-click, and Provision
![Page 7: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/7.jpg)
Available Roles
● List of roles from registered products
  ● Presented either by product, or Application Group
● All roles are listed and explained in the hss_admin.pdf
  ● \V25453-01\EPM System Installation Documentation\EPM System Installation
![Page 8: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/8.jpg)
Foundation Roles
● Roles are listed in a hierarchy
  ● Called “Aggregate Roles”
  ● Access to the parent yields its children
● Can have alternate roll-ups
  ● Used in Reporting and Analysis
![Page 9: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/9.jpg)
EPMA Dimension Management
● Grant all users Shared Services “Dimension Editor” role
● Select each dimension in the dimension library, and choose “System” from category menu
![Page 10: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/10.jpg)
Calc Manager
● Two HFM roles
  ● Rules Designer
  ● Rules Viewer
● One Shared Services role
  ● …per product
![Page 11: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/11.jpg)
Provisioning Manager
● Role for each application and product
● Allows the user to grant/remove role and class access to other users
  ● Cannot provision themselves
  ● … unless they have the Shared Services Administrator role
● Application Administrator does not allow provisioning
![Page 12: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/12.jpg)
Reporting and Analysis Roles
● Majority of roles relate to Interactive Reporting / Production Reporting
● Appendix “A” in the hss_admin.pdf document lists all of the roles, by product
![Page 13: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/13.jpg)
FR Role Recommendations
| Role | Administrator | Report Writer | Viewer |
|---|---|---|---|
| Reporting and Analysis Administrator | Yes | | |
| Report Designer | implied | Yes | |
| Explorer | implied | Yes | Yes |

● Administrator can do anything but provision other users
● Report Designer still needs the Studio client
● Explorer grants access to the full list of reports
  ● … subject to the folder/object level access
![Page 14: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/14.jpg)
Hyperion Financial Management Roles: Administrator
● “Administrator” role permits all tasks
  ● “ALL” access to all classes
  ● … but not Provisioning Manager
● Independent of access to the “Administration” menu items
  ● These are not application specific
    ● Create Application
    ● Enable/disable connections
    ● Users on System, etc.
  ● EPM System configurator > Financial Management > Configure Application Server
![Page 15: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/15.jpg)
Configure HFM System Administrators
● Application Security
  ● Creator Group
    ● Can create new Classic applications
  ● Administrator Group
    ● Can be Native or External group
● Almost always left at “*” = EVERYONE / WORLD
● Must be changed later, as part of security design process
![Page 16: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/16.jpg)
Hyperion Financial Management Roles: Power User
● Typical setup, excluding Process Management
![Page 17: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/17.jpg)
Hyperion Financial Management Roles: End User
● Typical setup, excluding Process Management
![Page 18: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/18.jpg)
Secure at Group or User Level?
● Best practice is to apply security at the group level
  ● Then manage group membership for the users
● This becomes a bad approach when #Groups > #Users
![Page 19: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/19.jpg)
Native or External?
● Users
  ● Leverage security policies from external providers (MSAD/LDAP)
  ● Native has no password policy management
● Groups
  ● Greatest flexibility in Native groups
  ● Allows IT security to control users
  ● Hyperion admins are best suited to control access
    ● Place users into groups
    ● Provision or assign class access as needed
    ● Provide reports for auditing
![Page 20: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/20.jpg)
Classes
1. Create classes
  ● Dimension in EPMA
  ● Create inside Shared Services module in Classic
2. Assign to metadata or HFM documents
  ● Entities, Accounts, Customs, Scenarios
  ● Grids / forms / journals / system reports
3. Assign access to the classes
  ● User or group must have at least one role
  ● If no other role applies, then grant Default role
![Page 21: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/21.jpg)
Group Naming Schemes
● “Role” access for the various modules
  ● rg_EPMA_* for EPMA
  ● rg_HFMAppName_* for the HFM application
  ● rg_ReportWriters modify Financial Reports
  ● rg_Security for access to Shared Services
● HFM dimension access groups
  ● eg_HFMAppName_* = “entity” dimension access
  ● dsg_HFMAppName_* = “data source” dimension access (Custom4)
  ● sg_FMRLCA_* = “scenario” dimension access
![Page 22: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/22.jpg)
Class Naming Schemes
● Prefix classes according to the dimension they secure
  ● ec*: entity class
  ● ac*: account class
  ● c1c*..c4c*: custom dimension class
    ● Where possible, use the dimension alias
    ● dsc*: DataSource class, instead of Custom4
  ● sc*: scenario class
  ● dc*: document class
● Classes are only sorted alphanumerically
  ● Not searchable
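The group and class prefixes above can be checked mechanically when reviewing class assignments. The following is an added example, not part of the original presentation: it lints (group, class, access right) rows against the two naming schemes and the four access rights described in this deck. The row layout, the application name FINAPP, case-sensitive prefix matching, and the rule that a dimension group should only map to classes of its own dimension are assumptions.

```python
# Prefixes taken from the Group Naming Schemes and Class Naming Schemes slides.
GROUP_KINDS = {"rg_": "role", "eg_": "entity", "dsg_": "datasource", "sg_": "scenario"}
CLASS_KINDS = {"ec": "entity", "ac": "account", "dsc": "datasource",
               "c1c": "custom1", "c2c": "custom2", "c3c": "custom3",
               "c4c": "custom4", "sc": "scenario", "dc": "document"}
ACCESS_RIGHTS = {"All", "Read", "None", "Metadata"}  # Class Access Rights slide
DIMENSION_GROUPS = {"entity", "datasource", "scenario"}  # eg_, dsg_, sg_


def kind_of(name, prefixes):
    """Return the kind for the matching prefix (case-sensitive), or None."""
    for prefix, kind in prefixes.items():
        if name.startswith(prefix):
            return kind
    return None


def lint(assignments):
    """Check (group, class, access_right) rows; return (subject, problem) pairs."""
    findings = []
    for group, cls, right in assignments:
        gkind = kind_of(group, GROUP_KINDS)
        ckind = kind_of(cls, CLASS_KINDS)
        if gkind is None:
            findings.append((group, "group prefix not in naming scheme"))
        if ckind is None:
            findings.append((cls, "class prefix not in naming scheme"))
        if right not in ACCESS_RIGHTS:
            findings.append((f"{group} -> {cls}", f"unknown access right {right!r}"))
        # Assumption: a dimension access group maps only to classes of its own dimension.
        if gkind in DIMENSION_GROUPS and ckind is not None and gkind != ckind:
            findings.append((f"{group} -> {cls}", f"{gkind} group on {ckind} class"))
    return findings


# Constructed sample rows; FINAPP is a made-up application name.
SAMPLE = [
    ("eg_FINAPP_NorthAmerica", "ecNorthAmerica", "All"),
    ("dsg_FINAPP_Manual", "dscManual", "Read"),
    ("sg_FINAPP_Budget", "ecEurope", "Read"),
    ("EuropeUsers", "ecEurope", "Write"),
    ("rg_FINAPP_PowerUsers", "dcForms", "All"),
    ("eg_FINAPP_Europe", "Europe_Entities", "None"),
]

if __name__ == "__main__":
    for subject, problem in lint(SAMPLE):
        print(f"{subject}: {problem}")
```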
![Page 23: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/23.jpg)
Assign Dimension Groups to Classes
● Right-click on HFM application
● Assign Access Control
![Page 24: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/24.jpg)
Select HFM Users / Groups
● Only users or groups that have been directly assigned at least one role will show up
  ● If you use groups, always use groups
● Dimension groups must have “Default” role for the HFM app
● Users / Groups selected here are available for a report
![Page 25: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/25.jpg)
Select HFM Classes
● Where the alphanumeric order, and the class prefix comes in handy…
● Classes selected are available for a report
![Page 26: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/26.jpg)
Class Access Rights
| Access Right | Description |
|---|---|
| All | Full read/write access to the data or objects to which this class has been assigned. |
| Read | Read rights to the data or objects to which this class has been assigned. |
| None | No rights at all. If “Enable Metadata Security Filtering” has been turned on for the application, users with “None” access to a class won’t even see the member in a metadata pick list, nor will they see an object with this class attached. If a user opens a grid, form, or report for an intersection where they have “None” rights, HFM will return “NoAccess” instead of the data value. |
| Metadata | Overrides the Metadata Security filtering by allowing the member to be seen in a pick list, though the user will be unable to view the contained data. This setting is not common. |
![Page 27: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/27.jpg)
Assign Class Access
● Pivot as you like
● Highlight rows/columns
● Change the Access Right for the selection
● Click the check mark to activate
● And save
![Page 28: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/28.jpg)
HFM Role and Class Access Report
● Output to html, Excel, CSV, PDF
![Page 29: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/29.jpg)
Sample Output
![Page 30: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/30.jpg)
Shared Services Role Report
● Administration > View Report
  ● Show Effective Roles = Yes
● Shows what users inherit from group membership
![Page 31: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/31.jpg)
Sample Output
![Page 32: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/32.jpg)
Configure Auditing in Shared Services
● Track changes in user provisioning
● Track configuration changes
● Not enabled, by default
  ● Enable this for all products and applications
● Purge after so many days
● Save changes, restart services
![Page 33: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/33.jpg)
Shared Services Audit Reports >> Security Reports
● Authentication and security changes
![Page 34: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/34.jpg)
Security Reports: Detailed View
![Page 35: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/35.jpg)
Shared Services Audit Reports >> Artifact Reports
● Lifecycle Management selections
![Page 36: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/36.jpg)
Shared Services Audit Reports >> Config Reports
● Changes to settings in Shared Services
![Page 37: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/37.jpg)
Speed Tip for Multiple External Providers
● Normally a user name is passed sequentially among the external providers: MSADEast; MSADWest; MSADEurope, etc.
● First, try using a Global Catalog
● Try using group filters to more quickly isolate the users you want
  ● Advanced Filters on Groups
● Or go directly to a single provider
![Page 38: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/38.jpg)
Data Audit in HFM
● Enable DataAudit on Account and Scenario
  ● Non-FDM only, please
![Page 39: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/39.jpg)
Administration > Data Audit
● Captures changes to <Entity Currency> only
● Small increase in data load times
● No impact on consolidation time
![Page 40: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/40.jpg)
Task Audit in HFM
● Always enabled
● Captures lots of information
  ● … but not everything
● Administration > Task Audit
![Page 42: Security and Auditing in HFM](https://reader031.vdocument.in/reader031/viewer/2022013105/54c0e5d44a795958388b45c5/html5/thumbnails/42.jpg)
Presentations
Calculation Manager: The New and Improved Application to Create Hyperion Planning Business Rules – Monday, 11:15 am, Room 102C
Security and Auditing in HFM – Tuesday, 4:30pm, 101B
Best Practices for Using DRM with EPMA – Wednesday, 8:30am, 103A
Getting Started with Calc Manager for HFM – Wednesday, 8:30am, 101B
Advanced Topics in Calc Manager for HFM – Wednesday, 9:45am, 101B
Maximizing the Value of an EPM Investment with ERPi, FDM & EPMA – Wednesday, 11:15am, 101B
Taking your FDM application to the next level with Advanced Scripting – Friday, 8:30am, 101B
IFRS reporting within Hyperion Financial Management – Thursday, 10:30am, 101B