EPM System security determines user access to applications using the concept of roles. Roles are permissions that determine user access to application functions. Some EPM System products enforce object-level ACLs to further refine user access to their artifacts, such as reports and members.
Each EPM System product provides several default roles tailored to various business needs, and each application belonging to that product inherits them. The predefined roles of every application registered with Shared Services are available from Shared Services Console. You can also create additional roles that aggregate default roles to suit specific requirements. Provisioning is the process of granting users and groups specific roles belonging to EPM System applications and their resources; both the default roles and the aggregated roles are used for it.
Native Directory and configured user directories are sources for user and group information for the provisioning process. You can browse and provision users and groups from all configured user directories from Shared Services Console. You can also use application-specific aggregated roles created in Native Directory in the provisioning process.
An overview of the authorization process, step by step:
After a user is authenticated, the EPM System product queries the configured user directories to determine the groups the user belongs to.
The EPM System product uses the user and group information to retrieve the user's provisioning data from Shared Services, and uses that data to determine which resources the user can access.
Product-specific provisioning tasks, such as setting access control on the product's own artifacts, are completed within each product. That data is combined with the Shared Services provisioning data to determine the user's effective access to the product.
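The following is an added, illustrative model of the three steps above; it is not Oracle's code and does not call any EPM System API. It simulates group resolution from a user directory (including nested groups), the lookup of provisioning data held by Shared Services, the expansion of an aggregated role into the default roles it contains, and the refinement of role-based access by a product-level object ACL. All user, group, application, role, function and artifact names, and the mapping of roles to functions, are constructed for the example.

```python
"""Illustrative model of EPM System role-based provisioning (added example,
not Oracle's code). All data below is constructed for the demonstration."""

# User directory: user -> groups the user belongs to directly
USER_GROUPS = {
    "jsmith": {"Finance"},
    "asharma": {"Admins"},
}

# Group directory: group -> parent groups (models nested group membership)
GROUP_PARENTS = {
    "Finance": {"Planners"},
    "Planners": set(),
    "Admins": set(),
}

# Roles per application: role -> roles it aggregates (empty set = default role)
ROLES = {
    "Planning:Plan1": {
        "Planner": set(),
        "Interactive User": set(),
        "Administrator": set(),
        # Aggregated role created in Native Directory (hypothetical name)
        "Power Planner": {"Planner", "Interactive User"},
    }
}

# Application functions granted by each default role (hypothetical mapping)
ROLE_FUNCTIONS = {
    "Planner": {"enter_data", "view_reports"},
    "Interactive User": {"edit_reports"},
    "Administrator": {"manage_app", "enter_data", "view_reports", "edit_reports"},
}

# Provisioning data held by Shared Services: application -> principal -> roles
PROVISIONING = {
    "Planning:Plan1": {
        "group:Planners": {"Power Planner"},
        "user:asharma": {"Administrator"},
    }
}

# Product-specific object-level ACLs: application -> artifact -> principal -> level
ACLS = {
    "Planning:Plan1": {
        "report:Q1Forecast": {"group:Finance": "read", "user:asharma": "write"},
    }
}

# Function a role must grant for each action on a report, and what each ACL level permits
ACTION_FUNCTION = {"view": "view_reports", "edit": "edit_reports"}
ACL_PERMITS = {"read": {"view"}, "write": {"view", "edit"}}


def resolve_groups(user):
    """Step 1: the user's groups, following parent groups transitively."""
    groups, pending = set(), list(USER_GROUPS.get(user, ()))
    while pending:
        g = pending.pop()
        if g not in groups:
            groups.add(g)
            pending.extend(GROUP_PARENTS.get(g, ()))
    return groups


def expand_roles(app, roles):
    """Expand aggregated roles into the default roles they contain (cycle-safe)."""
    base, seen, pending = set(), set(), list(roles)
    while pending:
        r = pending.pop()
        if r in seen or r not in ROLES.get(app, {}):
            continue
        seen.add(r)
        members = ROLES[app][r]
        if members:
            pending.extend(members)
        else:
            base.add(r)
    return base


def principals_for(user):
    """Identity strings that provisioning and ACL entries can name."""
    return {f"user:{user}"} | {f"group:{g}" for g in resolve_groups(user)}


def provisioned_roles(app, user):
    """Step 2: roles granted to the user or to any of the user's groups, expanded."""
    granted = set()
    for p in principals_for(user):
        granted |= PROVISIONING.get(app, {}).get(p, set())
    return expand_roles(app, granted)


def can_access(app, user, artifact, action):
    """Step 3: a role must grant the function, and an ACL on the artifact (if any)
    must also allow the action. Model assumption: an artifact without an ACL is
    governed by the role alone."""
    functions = set()
    for r in provisioned_roles(app, user):
        functions |= ROLE_FUNCTIONS.get(r, set())
    if ACTION_FUNCTION[action] not in functions:
        return False
    acl = ACLS.get(app, {}).get(artifact)
    if acl is None:
        return True
    allowed = set()
    for p, level in acl.items():
        if p in principals_for(user):
            allowed |= ACL_PERMITS[level]
    return action in allowed


if __name__ == "__main__":
    app, report = "Planning:Plan1", "report:Q1Forecast"
    for user in ("jsmith", "asharma", "bob"):
        print(user, sorted(provisioned_roles(app, user)),
              "view:", can_access(app, user, report, "view"),
              "edit:", can_access(app, user, report, "edit"))
```

The point the model makes explicit: jsmith inherits the aggregated Power Planner role through the nested Finance/Planners groups, which expands to a role that permits editing reports, yet the product-level ACL grants the Finance group only read access, so the edit is refused. A user with no provisioning data gets nothing regardless of ACL entries.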
Role-based provisioning of EPM System products uses these concepts.