Importing Access Permissions

The ImportSecurity utility loads access permissions for users or groups from a text file into Planning. (To add users or groups, see the Oracle Enterprise Performance Management System User Security Administration Guide.) Importing access permissions overwrites existing access assignments only for imported members, forms, form folders, task lists, Calculation Manager business rules, and Calculation Manager business rule folders. All other existing access permissions remain intact. The SL_CLEARALL parameter clears all existing access permissions; you can use it with other parameters to replace existing access permissions. See also Exporting Access Permissions.

The ImportSecurity utility requires users to be provisioned to the Planning application before it assigns access. For example:

  • If user mrauch is provisioned to the TotPlan application, this record will assign access permissions to mrauch successfully using the utility:

    mrauch,member1,READWRITE,MEMBER

  • If user ehennings is not already provisioned to the application, this record will fail to load:

    ehennings,member1,READWRITE,MEMBER

The ExportSecurity utility automatically creates the SecFile.txt file, from which you can import access permissions. If you prefer, you can also manually create the SecFile.txt file using these guidelines:

  • You must name the text file SecFile.txt and save it in the planning1 directory (for the full path, see About EPM Oracle Instance).

  • All users, groups, and artifacts must be defined in the application.

  • Before importing access permissions on a user-defined custom dimension, you must allow access permissions to be set on it by selecting Apply Security (see Enabling Access Permissions for Dimensions).

  • Each line in the SecFile.txt file must specify access permissions information.

Each line must contain these items, separated by one of these delimiters: comma (,) Tab, semi-colon (;), pipe (|), colon (:), space ( ). Comma is the default.

Item

Description

username or group name

The name of a user or group defined in Shared Services Console.

To import access permissions information into a group with the same name as a user, append this information to the line in the SecFile.txt file that pertains to the group: sl_group

For example:

admin,member1,READ,MEMBER

admin,member1,READ,MEMBER,SL_GROUP

artifact name

The named artifact for the imported access permissions (for example the member, form, task list, folder, or Calculation Manager business rule). Example: Account1.

If an artifact name contains a character that you are using as the delimiter, enclose the name in double quotation marks. For example, if you are using a space as the delimiter, enclose the name South America in double quotation marks: “South America”.

access permissions

READ, READWRITE, or NONE. If there are duplicate lines for a user/member combination, the line with READWRITE access takes precedence. For example, for these lines:

User1,Member1,READ,@ICHILDREN

User1,Member1,READWRITE,@ICHILDREN

Access permissions for User1 to Member1 are applied as READWRITE.

For Calculation Manager business rules and folders only: specify launch access permissions as either NONE or LAUNCH.

Essbase access flags

@CHILDREN, @ICHILDREN, @DESCENDANTS, @IDESCENDANTS and MEMBER.

Security implementation for these functions is identical to Essbase.

Note:

For task lists, only MEMBER can be used. For folders, only @IDESCENDANTS can be used.

artifact type

For artifacts other than members, distinguish which artifact you are importing security for with artifact type identifier:

  • SL_FORM—for forms

  • SL_COMPOSITE—for composite forms

  • SL_TASKLIST—for task lists

  • SL_CALCRULE—for Calculation Manager business rules

  • SL_FORMFOLDER—for form folders

  • SL_CALCFOLDER—for folders containing Calculation Manager business rules

Note:

The ExportSecurity utility automatically adds the required artifact type identifiers in the SecFile.txt file. If you manually create the SecFile.txt file, you must add the artifact type identifiers.

Note:

The ExportSecurity utility does not support exporting access permissions to task lists for administrators, so you must manually add such records to the SecFile.txt file before you can import them.

Sample lines from a file:

User1,Account1,READ,@CHILDREN

Group2,DataForm08,READWRITE,MEMBER,SL_FORM

User3,TaskList09,READWRITE,MEMBER,SL_TASKLIST

NorthAmericaGroup,Sales,READWRITE,@IDESCENDANTS,SL_FORMFOLDER

  To import access permissions into Planning:

  1. Locate the ImportSecurity utility by navigating to the planning1 directory (for the full path, see About EPM Oracle Instance).

  2. From the Command Prompt, enter this case-sensitive command, one space, and the parameters, separating each with a comma. Enclose the parameters with double quotation marks:

    ImportSecurity [-f:passwordFile]appname,username,[delimiter],[RUN_SILENT],[SL_CLEARALL]”

    where:

    Parameter

    Description

    [-f:passwordFile]

    Optional: If an encrypted password file is set up, use as the first parameter in the command line to read the password from the full file path and name specified in passwordFile. See Suppressing Password Prompts in Planning Utilities.

    appname

    Name of the Planning application to which you are importing access permissions.

    username

    Planning administrator user name.

    delimiter

    Optional: SL_TAB, SL_COMMA, SL_PIPE, SL_SPACE, SL_COLON, SL_SEMI-COLON. If no delimiter is specified, comma is the default.

    RUN_SILENT

    Optional: Execute the utility silently (the default) or with progress messages. Specify 0 for messages, or 1 for no messages.

    [SL_CLEARALL]

    Optional: Clear existing access permissions when importing new access permissions. Must be in uppercase.

    For example:

    ImportSecurity “app1,admin,SL_TAB,1”

    To clear all access permissions, enter:

    ImportSecurity “app1,admin,,,SL_CLEARALL”

  3. If prompted, enter your password.

  4. After you execute the utility, check the log file importsecurity.log in the EPM_ORACLE_INSTANCE/diagnostics/logs/planning directory to verify the results. For the full path, see About EPM Oracle Instance.