Security

Performance Management Architect supports these roles:

Performance Management Architect RolesTasks per Role

EPMA Administrator

Application Creator

Essbase Application Creator

Financial Management Application Creator

Planning Application Creator

Profitability Application Creator

The EPMA Administrator role is the parent of Application Creator. This role enables the following:

  • Access to all applications, including deployed applications where the user was not the individual who deployed the application.

  • Ability to manually mark a stalled job as timed out.

  • Ability to view hidden jobs.

  • Ability to run application diagnostics and run all tests and solutions on all applications.

  • Ability to run the Transaction History Purge Utility.

The Application Creator role enables administrators to create applications and change dimensions to which you have access permissions. When an Application Creator deploys an application from Performance Management Architect, you automatically become the application administrator.

Note:

All application creators can create Generic applications.

EPMA Administrator

Dimension Editor

Can import, delete, create, and change dimensions and dimension members. Can also assign access permissions (Dimension Owner and Readers/Writers) to the dimension. Cannot create applications.
Create IntegrationsCreate and execute data synchronizations.
Run IntegrationsExecute data synchronizations.
Calculation Manager Administrator

Financial Management Calculation Manager Administrator

Planning Calculation Manager Administrator

Administers and manages Calculation Manager functions.
Financial Management Calculation Manager AdministratorAdministers Calculation Manager functions in Financial Management
Planning Calculation Manager AdministratorAdministers Calculation Manager functions in Planning

The following table shows how Performance Management Architect roles map to levels of access.

Table 1. Levels of Access

RoleLevels of Access

Dimension Editor[1]

  • Dimension Owner for any shared dimension in the Shared Library

  • Can be explicitly assigned Dimension Owner, Dimension Writer, or Dimension Reader access to any local dimension in the Shared Library

Application Creators[2]
  • Dimension Owner for all dimensions in undeployed applications

  • Can be explicitly assigned Dimension Owner, Dimension Writer, or Dimension Reader access to any dimension in the Shared Library

Application Administrators[3]
  • Dimension owner for all dimensions in deployed applications

  • Can be explicitly assigned Dimension Owner, Dimension Writer, or Dimension Reader access to any dimension in the Shared Library

Calculation Manager Administrator

Calculation Manager Administrator role comprises these roles:

  • Financial Management Calculation Manager Administrator

  • Planning Calculation Manager Administrator

Administers and manages Calculation Manager functions

Financial Management Calculation Manager Administrator administers Calculation Manager functions in Financial Management

Planning Calculation Manager Administrator administers Calculation Manager functions in Planning

1 Only Dimension Editors can create dimensions in the Shared Library.

2 Only Application Creators or Application Administrators can create or add dimensions to an application.

3 Only Application Creators or Application Administrators can create or add dimensions to an application.

The following table describes common tasks performed in Performance Management Architect and required levels of access. Be aware of the following considerations:

Table 2. Common Tasks

Level of AccessDimension Level Tasks
Dimension Owner
  • Edit dimension structure or properties

  • Copy dimensions

  • Synchronize dimensions from or to dimensions

  • Add dimensions to applications

  • Remove dimensions

  • Delete dimensions

Dimension Writer
  • Edit dimension structure or properties

  • Copy dimensions

  • Synchronize from or to dimensions

  • Add dimensions to applications

Dimension Reader
  • Copy dimensions

  • Synchronize from dimensions

  • Add dimensions to applications

For additional information on roles, see the Oracle Hyperion Enterprise Performance Management System User and Role Security Guide.

Scenarios:

If Bob Smith selects an application in the Application Library and does not have the Application Creator role for that application type or are a provisioned administrator for the application, a dialog box is displayed indicating that Bob Smith does not have access to this application. In addition, the menu items are disabled and the summary information is limited. Consider this example:

Bob Smith selects App2 for which he is not a provisioned administrator and he does not have any creator roles. Upon selecting the application a message is displayed informing him that he has no rights to this application. When Bob Smith right-clicks, all options are disabled.

If an application is not deployed, then all applicable options and summary information is available to users who are creators for that application type (Consolidation, Planning, Essbase (ASO), and Essbase (BSO)). Consider this example:

The Application Library contains five Planning Applications Views (App_6, App7, App8, and App9 (deployed) and App10 (undeployed) and five Consolidation applications (App1, App2, App3, and App4 (deployed) and App5 (undeployed). Bob Smith is a Consolidation Application Creator, Karen Jones is a Planning Application Creator, and Jim Harrington is an Admin for App1. Bob Smith can perform all applicable operations on App5 (deploy, edit, compare, and so on). Karen Smith can also perform all applicable operations on App10 (deploy, edit, compare, and so on).

Any user who is provisioned as an administrator for deployed applications can perform the full set of operations (delete, redeploy, migrate, and so on). Consider this example:

Jim Harrington, the administrator for App1, has full access to App1. Any user who is not a provisioned administrator, but is an application creator has access to all the operations that do not require product specific roles like edit, duplicate, compare, validate, and so on. Operations that require application specific roles will fail (delete, redeploy, and migrate). For example, Bob Smith will be able to edit and compare App1 through App4, but will not be able to delete, redeploy or migrate them.