� One of the Largest Hyperion Practices in the U.S.
� Oracle / Hyperion Platinum Partner - Highest Status
About Edgewater Ranzal
15 Years� Vertical Expertise with High-
Profile Clients from Coast to Coast
� Sound Project Methodology Insures Project Success
� “One Stop Shop” for ALL EPM Implementation needs
15 Years700+ clients
1000+ projects
ConsolidationBusiness
Intelligence Planning
Our Services
ProjectManagement
InfrastructureData
Services
Agenda
● Roles● The verbsverbs : actions a user can perform● Review roles for:
● HFM● HFM● Reporting and Analysis● Shared Services
● Classes● The nounsnouns : objects on which you can perform
those actions
● Auditing and Reporting● Who did whatwhat, and whenwhen?
● EPM System predefines tasks or collections of tasks into Roles
● For now, let’s start with a user… Joe Admin
Provision
● For now, let’s start with a user… Joe Admin● Select the username, right-click, and Provision
Available Roles
● List of roles from registered products● Presented either by product, or Application
Group● All roles are listed and explained in the ● All roles are listed and explained in the
hss_admin.pdfhss_admin.pdf● \V25453-01\EPM System Installation Documentation
\EPM System Installation
Foundation Roles
● Roles are listed ina hierarchy● Called “Aggregate
Roles”Roles”● Access to the
parent yields its children
● Can have alternate roll-ups● Used in Reporting
and Analysis
EPMA Dimension Management
● Grant all users Shared Services “Dimension EditorDimension Editor” role
● Select each dimension in the dimension library, and choose “System” from category menu
Provisioning Manager
● Role for each application and product● Allows the user to grant/remove role and class
access to other usersCannot provision themselves● Cannot provision themselves
● … unless they have the Shared ServicesAdministratorAdministrator role
● Application Administrator does not allow provisioning
Reporting and Analysis Roles
● Majority of roles relate to Interactive Reporting / Production Reporting
● Appendix “A” in the hss_admin.pdfhss_admin.pdf document lists all of the roles, by productlists all of the roles, by product
FR Role Recommendations
Role Administrator Report Writer Viewer
Reporting and Analysis Administrator
Yes
Report Designer implied YesReport Designer implied Yes
Explorer implied Yes Yes
● Administrator can do anything but provision other users
● Report Designer still needs the StudioStudio client● Explorer grants access to the full list of reports
● … subject to the folder/object level access
Hyperion Financial Management Roles: Administrator
● “AdministratorAdministrator” role permits all tasks● “ALL” access to all classes● … but not Provisioning ManagerProvisioning Manager
● Independent of access to the “Administration” menu items● These are not application specific
● Create Application● Enable/disable connections● Users on System, etc.
● EPM System configurator > Financial Management > Configure Application Server
Configure HFM SystemSystemAdministrators
● Application Security● Creator Group
● Can create new Classic applications
● Administrator Group● Administrator Group● Can be Native or External
group
● Almost always left at “*” = EVERYONE / WORLD
● Must be changed later, as part of security design process
Secure at Group or User Level?
● Best practice is to apply security at the group level● Then manage group membership for the users
● This becomes a bad approach when #Groups > #Users
Native or External?
● Users● Leverage security policies from external providers
(MSAD/LDAP)● Native has no password policy management
● Groups● Greatest flexibility in Native groups● Allows IT security to control users● Hyperion admins are best suited to control access
● Place users into groups● Provision or assign class access as needed● Provide reports for auditing
Classes
1. Create classes● Dimension in EPMA● Create inside Shared Services module in
Classic
2. Assign to metadata or HFM documents ● Entities, Accounts, Customs, Scenarios● Grids/ forms/ journals/ system reports
3. Assign access to the classes● User or group must have at least one role
● If no other role applies, then grant Default role
Group Naming Schemes
● “Role ” access for the various modules●● rg_rg_EPMA_* for EPMA●● rg_rg_HFMAppName_* for the HFM application●● rg_rg_ReportWriters modify Financial Reports●● rg_rg_ReportWriters modify Financial Reports●● rg_rg_Security for access to Shared Services
● HFM dimension access groups●● eg_eg_HFMAppName_* = “entityentity” dimension access●● dsg_dsg_ HFMAppName_* = “data sourcedata source” dimension
access (Custom4)●● sg_sg_FMRLCA_* = “scenarioscenario” dimension access
Class Naming Schemes
● Prefix classes according to the dimension they secure●● ecec**: entity class●● ac*ac*: account class●● c1c*c1c*..c4c*c4c*: custom dimension class
● Where possible, use the dimension alias●● dscdsc**: DataSource class, instead of Custom4
●● sc*sc*: scenario class●● dc*dc*: document class
● Classes are only sorted alphanumerically● Not searchable
Assign Dimension Groups toClasses
● Right-click on HFM application
● Assign Access Control● Assign Access Control
Select HFM Users / Groups
● Only users or groups that have been directly assigned at least one role will show uprole will show up● If you use groups,
always use groups
● Dimension groups must have “DefaultDefault” role for the HFM app
● Users / Groups selected here are available for a report
Select HFM Classes
● Where the alphanumeric order, and the class prefix class prefix comes in handy…
● Classes selected are available for a report
Class Access Rights
Access Right DescriptionAll Full read/write access to the data or objects to which this class has been
assigned.Read Read rights to the data or objects to which this class has been assigned.
None No rights at all.
If “Enable Metadata Security Filtering” has been turned on for the application, users with “None” access to a class won’t even see the member in a metadata pick list, nor will they see an object with this class attached. If a user opens a grid, form, or report for an intersection where they have “None” rights, HFM will return “NoAccess” instead of the data value.
Metadata Overrides the Metadata Security filtering by allowing the member to be seen in a pick list, though the user will be unable to view the contained data.
This setting is not common
Assign Class Access
● Pivot as you like● Highlight rows/columns
● Change the Access Right for the selection● Click the check mark to activate● And save
Shared Services Role Report
● Administration > View Report●● Show Effective Roles = YesShow Effective Roles = Yes
● Shows what users inherit from group membership
Configure Auditing in Shared Services
● Track changes in user provisioning
● Track configuration changeschanges● Not enabled, by default●● EnableEnable this for all products
and applications● Purge after so many days
● Save changes, restart services
Speed Tip for Multiple External Providers
● Normally a user name is passed sequentially among the external providers: MSADEast; MSADWest; MSADEurope, etc.
● First, try using a Global CatalogTry using group filters to more quickly isolate the users ● Try using group filters to more quickly isolate the users you want● Advanced Filters on Groups
● Or go directly to a single provider
Administration > Data Audit
● Captures changes to <Entity Currency><Entity Currency>only
● Small increase in data load times● No impact on
consolidation time
Task Audit in HFM
● Always enabled● Captures lots of
informationinformation● … but not
everything
● Administration > Task Audit
Presentations
Calculation Manager: The New and Improved Applicati on to Create Hyperion Planning Business Rules – Monday, 11:15 am, Room 102C
Security and Auditing in HFM – Tuesday, 4:30pm, 101B
Best Practices for Using DRM with EPMA – Wednesday, 8:30am, 103A
Getting Started with Calc Manager for HFM – Wednesday, 8:30am, 101B
Advanced Topics in Calc Manager for HFM – Wednesday, 9:45am, 101B
Maximizing the Value of an EPM Investment with ERPi , FDM & EPMA – Wednesday, 11:15am, 101B
Taking your FDM application to the next level with Advanced Scripting – Friday, 8:30am, 101B
IFRS reporting within Hyperion Financial Management – Thursday, 10:30am, 101B