Importing Access Permissions

The ImportSecurity utility loads access permissions for users or groups from a text file into Planning. (To add users or groups, see the Oracle Hyperion Enterprise Performance Management System User and Role Security Guide.) Importing access permissions overwrites existing access assignments only for imported members, data forms, data form folders, task lists, Calculation Manager business rules, and Calculation Manager business rule folders. All other existing access permissions remain intact. The SL_CLEARALL parameter clears all existing access permissions; you can use it with other parameters to replace existing access permissions. See also Exporting Access Permissions.

The ImportSecurity utility requires users to be provisioned to the Planning application before it assigns access. For example:

The ExportSecurity utility automatically creates the SecFile.txt file, from which you can import access permissions. If you prefer, you can also manually create the SecFile.txt file using these guidelines:

Each line must contain these items, separated by one of these delimiters: comma (,) Tab, semi-colon (;), pipe (|), colon (:), space ( ). Comma is the default.

Item

Description

username or group name

The name of a user or group defined in Shared Services Console.

To import access permissions information into a group with the same name as a user, append this information to the line in the SecFile.txt file that pertains to the group: sl_group

For example:

admin,member1,READ,MEMBER

admin,member1,READ,MEMBER,SL_GROUP

artifact name

The named artifact for the imported access permissions (for example the member, data form, task list, folder, or Calculation Manager business rule). Example: Account1.

If an artifact name contains a character that you are using as the delimiter, enclose the name in double quotes. For example, if you are using a space as the delimiter, enclose the name South America in double quotes: “South America”.

access permissions

READ, READWRITE, or NONE. If there are duplicate lines for a user/member combination, the line with READWRITE access takes precedence. For example, for these lines:

User1,Member1,READ,@ICHILDREN

User1,Member1,READWRITE,@ICHILDREN

Access permissions for User1 to Member1 are applied as READWRITE.

For Calculation Manager business rules and folders only: specify launch access permissions as either NONE or LAUNCH.

Essbase access flags

@CHILDREN, @ICHILDREN, @DESCENDANTS, @IDESCENDANTS and MEMBER.

Security implementation for these functions is identical to Essbase.

Note:

For task lists, only MEMBER can be used. For folders, only @IDESCENDANTS can be used.

artifact type

For artifacts other than members, distinguish which artifact you are importing security for with artifact type identifier:

  • SL_FORM—for data forms

  • SL_COMPOSITE—for composite data forms

  • SL_TASKLIST—for task lists

  • SL_CALCRULE—for Calculation Manager business rules (not business rules in Business Rules)

  • SL_FORMFOLDER—for data form folders

  • SL_CALCFOLDER—for folders containing Calculation Manager business rules

Note:

The ExportSecurity utility automatically adds the required artifact type identifiers in the SecFile.txt file. If you manually create the SecFile.txt file, you must add the artifact type identifiers.

Note:

The ExportSecurity utility does not support exporting access permissions to task lists for administrators, so you must manually add such records to the SecFile.txt file before you can import them.

Sample lines from a file:

User1,Account1,READ,@CHILDREN

Group2,DataForm08,READWRITE,MEMBER,SL_FORM

User3,TaskList09,READWRITE,MEMBER,SL_TASKLIST

NorthAmericaGroup,Sales,READWRITE,@IDESCENDANTS,SL_FORMFOLDER

  To import access permissions into Planning:

  1. Locate the ImportSecurity utility by navigating to the planning1 directory (for the full path, see About EPM Oracle Instance).

  2. From the Command Prompt, enter this case-sensitive command, one space, and the parameters, separating each with a comma. Enclose the parameters with double quotation marks:

    ImportSecurity [-f:passwordFile]appname,username,[delimiter],[RUN_SILENT],[SL_CLEARALL]”

    where:

    Parameter

    Description

    [-f:passwordFile]

    Optional: If an encrypted password file is set up, use as the first parameter in the command line to read the password from the full file path and name specified in passwordFile. See Suppressing Password Prompts in Planning Utilities.

    appname

    Name of the Planning application to which you are importing access permissions.

    username

    Planning administrator user name.

    delimiter

    Optional: SL_TAB, SL_COMMA, SL_PIPE, SL_SPACE, SL_COLON, SL_SEMI-COLON. If no delimiter is specified, comma is the default.

    RUN_SILENT

    Optional: Execute the utility silently (the default) or with progress messages. Specify 0 for messages, or 1 for no messages.

    [SL_CLEARALL]

    Optional: Clear existing access permissions when importing new access permissions. Must be in uppercase.

    For example:

    ImportSecurity “app1,admin,SL_TAB,1”

    To clear all access permissions, enter:

    ImportSecurity “app1,admin,,,,SL_CLEARALL”

  3. If prompted, enter your password.

  4. After you execute the utility, check the log file importsecurity.log in the EPM_ORACLE_INSTANCE/diagnostics/logs/planning directory to verify the results. For the full path, see About EPM Oracle Instance.