This chapter provides overviews of security setup and secondary security setup, lists prerequisites, and discusses how to:
Assign Planning and Budgeting roles to roles defined in PeopleTools.
Define Planning and Budgeting users.
Integrate with EPM Warehouse security.
Set up Planning and Budgeting security groups and secondary security groups.
Review security and secondary security by user.
Review Planning and Budgeting security reports.
You are required to set up security for Planning and Budgeting, which in turn defines how you configure and control your system. The ultimate goal is to develop an interface and functionality specific to your particular organization.
To implement Planning and Budgeting security setup, first link the Planning and Budgeting roles to a corresponding PeopleTools security role. You then designate users with these roles for access to the Planning and Budgeting system. The roles are associated with security groups that in turn grant user access to specific nodes on the planning center tree. The security groups are used in the building of model, scenario, and activity combinations.
Secondary security setup is optional. You can create a secondary security group to grant users access to dimension members, and you can associate the secondary security group with the activity scenarios. You use a dimension other than your planning center dimension to establish secondary security.
There are two different kinds of secondary security definitions used by Planning and Budgeting, and only one type of secondary security definition can be used at a time by each line item activity in a planning model:
EPM Warehouse security definitions.
Note. The EPM Warehouse security only refreshes the system version. If you copy the system version to another version, then you must manually update that version for any changes made to the system version.
When the EPM Warehouse security definitions are copied to the Planning and Budgeting database the following rules apply:
If a previously copied permission for a dimension value and Planning and Budgeting user has been modified to read-only, the warehouse security does not overwrite it.
The default user access for definitions copied from the warehouse is read-write.
The system deletes a definition if it was previously copied from a warehouse security group and it does not currently exist in the warehouse.
The system adds new definitions for those that do not exist in the Planning and Budgeting definitions.
For all the copied warehouse security definitions, only the read and read-write permissions in the Planning and Budgeting database can be modified from the Planning and Budgeting application. You can neither add nor delete dimension values.
Planning and Budgeting secondary security group definitions.
PeopleSoft delivers predefined Planning and Budgeting roles. You may use these roles or optionally replace them with a role name more descriptive of your situation. Use the PeopleTools pages to define a user role.
This section provides an overview, lists prerequisites, and discusses how to associate Planning and Budgeting roles with PeopleSoft roles. Planning and Budgeting delivers the following predefined roles:
The central budget office coordinator for an organization, this individual determines budget parameters and guidelines, builds the planning model, coordinates the overall budget process for the organization, and performs high-level forecasting and analysis.
With budget responsibility for a planning center—typically a unit, department, or division within an organization—this individual may break a budget into smaller units for distribution to lower levels and establish additional guidelines for those smaller units to follow in the budgeting process. Budget analysts also do some forecasting and modeling for their overall budget.
With responsibility for reviewing and approving submitted budget plans for a planning center, in many cases, a budget reviewer and a budget analyst may be the same individual.
At the lowest level of budget preparation for a planning center, this individual provides line item, asset, and position budget amounts and justifications to higher-level users and does not usually perform budget allocations. When finished preparing a budget, the budget preparer submits a budget to a higher level planning center for review and approval.
An additional user at the lowest level of budget preparation for a planning center, when access is granted this individual performs the same activities as the budget preparer. The system does not, however, let the casual preparers define their own private views for line item budgeting. When finished preparing a budget, the casual preparer submits a budget to a higher level planning center for review and approval.
The system administrator is in charge of system security.
Complete general PeopleSoft security setup including the following:
Define permission lists—the objects that control what a user can and cannot access.
Assign permission lists to user roles.
A user role is the link between a permission list and a user profile. A user role can use multiple permission lists, and a user profile can be assigned multiple roles. A user's system access is a combination of all of their user roles.
Set up a user profile to define an individual PeopleSoft user, and then link the user profile to one or more roles.
You must set up a user profile in the system before you can give a user access to the Planning and Budgeting system. In setting up a user profile, you create a user ID and associate roles with that user ID. The role assigns permission lists to the user.
See Also
PeopleTools PeopleBook: Security, “Working with Permission Lists”
PeopleTools PeopleBook: Security, “Roles”
PeopleTools PeopleBook: Security, “User Profiles”
| Page Name | Object Name | Navigation | Usage |
| Planning & Budgeting Roles | BP_ROLE_DEFN | Planning and Budgeting, System Administration, Administer User Security, Planning and Budgeting Roles | Assign Planning and Budgeting roles to PeopleTools specified roles. |
Access the Planning & Budgeting Roles page.
When you assign a user role to a budgeting role, you are essentially assigning permission lists to the budgeting role. This optional page lets you rename budgeting roles, which may be useful in enterprises where roles are labeled differently from the delivered Planning and Budgeting roles or where multiple languages are used.
| PeopleSoft Role | Enter a user role (defined in PeopleTools) for each of the delivered budgeting roles. Preparer and casual preparer require a PeopleSoft role assigned. Other budgeting roles are optional. Leave these blank if you are not using them in Planning and Budgeting. |
See Enterprise PeopleTools Security, Roles and permission lists, Roles
Before granting access to the Planning and Budgeting system or sending automatic emails to those involved in the budgeting process, define and identify your budgeting system users from the user profiles you set up using PeopleTools.
| Page Name | Object Name | Navigation | Usage |
|  | BP_USER_SELECT | Planning and Budgeting, System Administration, Administer User Security, User List | Define specific user access to Planning and Budgeting and synchronize user profiles from PeopleSoft EPM Warehouse. |
Access the Define Planning and Budgeting Users page.
The Define Planning and Budgeting Users page displays all users that have a planning and budgeting role assigned in the system. You must designate which of these users may have access to Planning and Budgeting applications with a check.
| Update Users | Once you have assigned a planning and budgeting role to a user, click this button to synchronize user profiles in the PeopleSoft EPM Warehouse. |
| Budget User | Select to enable a user access to the budgeting system. |
The EPM Warehouse security defines:
Users.
Roles.
A user may be a member of one or more roles. A role typically has more than one user.
Dimension access rules.
These access rules define who may access a dimension and members of a dimension. The rules may be defined for a role or for a user. A role or a user may be allowed to access only certain members of a dimension.
Access rights for a user are the combined access provided to them by their membership in roles.
To set up secured access for a dimension in the warehouse, the security administrator defines the access rules and then executes a batch program that processes the rules into flattened security join tables (SJTs). These tables are then queried by EPM applications to determine what data is accessible by a certain user.
Planning and Budgeting has its own set of security tables that contain information about users and their access rights. To leverage the warehouse security in Planning and Budgeting, we deliver a batch program (Request Security Processing) that accesses the SJTs and updates the Planning and Budgeting security tables with the same information. You must execute the Planning and Budgeting batch program after the warehouse security program has modified the SJTs.
To that end, you:
Define a jobstream containing both the warehouse and the Planning and Budgeting security batch processes, using the Jobstream page. (Navigation: EPM Foundation, Job Processing, Setup Engines and Jobstreams, Processes in Jobstreams).
Run the jobstream from the Request Security processing page. (Navigation: EPM Foundation, EPM Security, Advanced, Request Security Processing).
The EPM Warehouse batch process performs the following steps:
Processes all warehouse dimensions or the dimension given as a parameter on the security run control page.
For each warehouse dimension (OWE only), it attempts to find a matching dimension in the Planning and Budgeting application by querying the PS_BP_EW_DIM_MAP table.
If it finds a dimension, it queries the PS_BP_ACTIVITY table to determine if the dimension is secured in the Planning and Budgeting application. Warehouse dimensions can only be used to secure secondary dimensions on an activity. The warehouse dimension security cannot be used for planning center dimensions.
It then accesses the SJT for the corresponding warehouse dimension.
It creates a secondary security group in Planning and Budgeting for this dimension. It tags the secondary security group as a warehouse security group. The name of the secondary security group is specified in the mapping table PS_BP_EW_DIM_MAP.
The secondary security groups are keyed by setID. The setID is determined by the business unit or the setID of the dimension values in the SJT.
It creates the secondary security group with an effective date of 01-01-1900. This effective date is updated every time you run the batch process. Note that if you create a new effective date for the warehouse security groups, the batch program still applies the 01-01-1900 definition.
For each role found in the SJT, the program determines all the users belonging to that role, and then inserts a detail row in the secondary security group for each user. It gives the user read-write access by default.
The update to the secondary security groups is destructive in nature, that is, all the rows from the secondary security group are deleted and inserted again. The only exception to this rule is if the secondary security group has been modified in Planning and Budgeting to change the access rights from read-write to read-only. In that case, the modified access rights are retained so you don’t have to reapply your changes.
If an access privilege exists in the Planning and Budgeting secondary security group, but it has been deleted from the warehouse, then the batch process also deletes the privilege from Planning and Budgeting. This happens even if the Planning and Budgeting privilege has been modified to read-only.
Note. Any security access granted to a user ID applies to all planning centers for that user. Additionally, there is no need to run the security processing program by business unit because security is run at the setID level.
See Securing EPM.
See Streamlining Processing with Jobstreams.
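The refresh rules described above (role expansion, read-write default, retained read-only overrides, deletion of privileges removed from the warehouse) can be modeled in a few lines. This is an added example, not PeopleSoft code; the function names, role names and sample rows are constructed and do not reflect the real SJT or PS_BP_* table layouts.

```python
"""Model of the warehouse-to-Planning-and-Budgeting refresh rules.

Added illustration with constructed names and data; not PeopleSoft code.
"""

RW, RO = "read-write", "read-only"


def flatten_sjt(sjt_rows, role_members):
    """Expand (role, dimension value) rows into (user, dimension value) pairs."""
    pairs = set()
    for role, dim_value in sjt_rows:
        for user in role_members.get(role, ()):
            pairs.add((user, dim_value))
    return pairs


def sync_group(current, warehouse_pairs):
    """Rebuild a warehouse-tagged secondary security group.

    current: {(user, dim_value): RW or RO} as stored in Planning and Budgeting.
    warehouse_pairs: set of (user, dim_value) derived from the SJT.
    Returns (new_group, report) so that each run can be reviewed.
    """
    new_group = {}
    report = {"added": [], "kept_read_only": [], "deleted": []}
    for pair in sorted(warehouse_pairs):
        if pair not in current:
            new_group[pair] = RW  # new definitions default to read-write
            report["added"].append(pair)
        elif current[pair] == RO:
            new_group[pair] = RO  # a local read-only change survives the refresh
            report["kept_read_only"].append(pair)
        else:
            new_group[pair] = RW
    # Privileges no longer in the warehouse are removed, read-only or not.
    report["deleted"] = sorted(p for p in current if p not in warehouse_pairs)
    return new_group, report


def demo():
    """Three refresh runs over constructed data."""
    role_members = {"FIN_ANALYST": ["BP01", "BP02"], "HR_ANALYST": ["BP03"]}
    sjt = [("FIN_ANALYST", "SALARY"), ("FIN_ANALYST", "TRAVEL"),
           ("HR_ANALYST", "SALARY")]

    # Run 1: the group does not exist yet, so every pair is added read-write.
    group, _ = sync_group({}, flatten_sjt(sjt, role_members))

    # An administrator restricts two users to read-only in Planning and Budgeting.
    group[("BP02", "SALARY")] = RO
    group[("BP03", "SALARY")] = RO

    # Run 2: the HR_ANALYST rule has been removed from the warehouse.
    group, report2 = sync_group(group, flatten_sjt(sjt[:2], role_members))

    # Run 3: the rule is restored. BP03 comes back with the read-write default,
    # because the earlier read-only row was deleted in run 2.
    group, report3 = sync_group(group, flatten_sjt(sjt, role_members))
    return group, report2, report3


if __name__ == "__main__":
    final_group, second, third = demo()
    print("run 2:", second)
    print("run 3:", third)
    for pair, access in sorted(final_group.items()):
        print(pair, access)
```

The third run shows a consequence of the rules as stated: a read-only restriction is lost when the privilege is removed from the warehouse and later restored, so read-only changes need to be reviewed after warehouse rules change.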
This section provides overviews of security groups, planning center version security, lists prerequisites, and discusses how to:
Define security groups.
Define secondary security groups.
Report secondary security user permissions.
Use security groups to grant access to user roles at the planning center level. You define the elements of the security group on the Security Group page and they will be displayed on the User Roles pages. Only those planning centers assigned to a user and role here will show up on the User Planning Centers page. A security group can be used on multiple activity scenarios and planning models.
You create a secondary security group to associate users with a particular non-planning center dimension that you specify when you define the activity on the Activity page. You can grant both read and read-write access within the secondary security group.
Note. Planning and Budgeting does not support secondary dimension security for positions or assets.
A user who has read-only access to a secondary security group will have only partial access to the planning center. For that reason the system draws a distinction between full and partial access:
Partial Access: User has access to only some of the line items within a planning center version. A user has partial access to a line item planning center version if and only if:
The security group authorizes him/her for the planning center, for example, BP01 has access to Department SALES; and
The secondary security group bars him/her from at least one line item within the planning center version, for example, BP01 has no access to Account SALARY; and
The line item combination (Department SALES, Account SALARY) does currently exist in the planning center version.
Full Access: User has access to all line items within a line item planning center version.
A planning center version is defined by a unique combination of these elements: business unit, planning model, activity, scenario, planning center, and version.
Users with partial access to a planning center version are not authorized to do the following:
Submit budgets.
See planning targets.
See user views that display a tree on any dimension.
Perform allocations.
See analysis reports.
Note. The system may still allow a user to see or derive secured data via a driver for the RELATE method, or a flexible formula source. Such read access should be restricted to trusted users.
Submit Status of Planning Centers
All line item planning center versions must have at least one full access user, that is, either read-only or read-write access to all line items in that planning center. Planning centers that do not have at least one such user are deemed nonsubmissible.
The system does not prevent you from creating a nonsubmissible planning center. However, during the staging process, the system generates a warning for each nonsubmissible planning center. The User Access to Line Items page shows the status (in the Submit Allowed? column) of each planning center version; this page is available only after staging.
See Staging Scenarios and Activities in a Planning Model.
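The full and partial access test and the nonsubmissible check can be expressed as a small audit routine. This is an added example, not PeopleSoft code; the function names and sample data are constructed, and a planning center version is reduced to its planning center name for brevity.

```python
"""Classify user access and list nonsubmissible planning centers.

Added illustration with constructed names and data; not PeopleSoft code.
"""

RW, RO = "read-write", "read-only"

# Constructed sample data.
# Security group: (user, planning center) pairs authorized on the tree.
SECURITY_GROUP = {("BP01", "SALES"), ("BP02", "SALES"), ("BP01", "MKTG")}
# Secondary security group: per user, the secured-dimension values granted.
SECONDARY_PERMS = {
    "BP01": {"TRAVEL": RW, "SUPPLIES": RO},
    "BP02": {"SALARY": RO, "TRAVEL": RO, "SUPPLIES": RW},
}
# Secured-dimension values that currently exist in each planning center version.
LINE_ITEMS = {
    "SALES": {"SALARY", "TRAVEL"},
    "MKTG": {"SALARY", "TRAVEL"},
    "OPS": {"TRAVEL"},
}


def classify_access(user, center, security_group, secondary_perms, line_items):
    """Return 'none', 'partial' or 'full' for one user on one planning center."""
    if (user, center) not in security_group:
        return "none"
    # Read-only and read-write both count as access to a line item.
    granted = set(secondary_perms.get(user, {}))
    # Only line items that exist in the version can make access partial.
    barred = line_items.get(center, set()) - granted
    return "partial" if barred else "full"


def nonsubmissible_centers(security_group, secondary_perms, line_items):
    """Map each planning center without a full access user to its users' levels."""
    result = {}
    for center in sorted(line_items):
        users = sorted(u for (u, c) in security_group if c == center)
        levels = {
            u: classify_access(u, center, security_group, secondary_perms, line_items)
            for u in users
        }
        if "full" not in levels.values():
            result[center] = levels
    return result


if __name__ == "__main__":
    for center, levels in nonsubmissible_centers(
        SECURITY_GROUP, SECONDARY_PERMS, LINE_ITEMS
    ).items():
        print(center, "has no full access user:", levels or "no users assigned")
```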
Resolving Nonsubmissible Status of Planning Centers
The system provides tools so that the coordinator can ensure there is a full access user for every planning center version. Drilling down on a planning center version in the User Access to Line Items page takes you to the User Access to Line Items Detail page, which shows which users have access to each line item within the planning center version.
See Staging Scenarios and Activities in a Planning Model.
See Viewing User Access to Line Items and to Line Item Details.
To define a security group for your planning center dimension you must first define the following:
Planning center tree based on the dimension you will be using for your activity scenarios in your planning model.
User ID selected as a Planning and Budgeting user.
Security role linked to a delivered Planning and Budgeting role.
Note. If you are using the optional secondary security, define the dimension used to secure on the Activity definition page.
| Page Name | Object Name | Navigation | Usage |
|  | BP_SECURITY_GRP1 | Planning and Budgeting, System Administration, Administer User Security, Security Groups | Assign user and role access to nodes on the planning center tree. |
|  | BP_DIM_SECURITYGRP | Planning and Budgeting, System Administration, Administer User Security, Secondary Security Groups | Create a secondary security group to associate a user with a particular dimension. |
|  | BP_DIM_USRPRM_COPY | Planning and Budgeting, System Administration, Administer User Security, Secondary Security Groups, and click Copy. | Select from a list of target users to whom you want to copy permissions. |
|  | BP_DIM_SECGRP_COPY | Planning and Budgeting, System Administration, Administer User Security, Secondary Security Groups, and click Copy Secondary Security Group. | Specify the name and effective date of the secondary security group to which you want to copy. |
Access the Security Groups page.
Security groups define the relationship between a planning center, a user and a role assigned to that user. This page allows you to add new combinations of the centers, users and roles. Click a node on the tree to get the planning center for the node into the first grid to the right, and then assign one or more user roles. To assign more nodes/planning centers to users and roles, click the next node and assign users and roles. When you click the next node, the system moves the data for the previously selected node from the first grid into the second grid on the right. When you click the save button the data in the first grid (if any) is moved into second grid and the system saves all the data in the second grid.
| Copy Security Group | Click this button to create a copy of the group to facilitate development of a new security group. |
| Tree name | Enter the planning center tree name. This tree must have levels defined and strictly enforced. |
| Preparer Level | This level is for choosing planning centers for the preparer role or casual preparer role. Other roles (reviewer, analyst, or administrator) should pick planning center nodes from levels above the preparer level. |
| Read Only | The planning center security group default access is read-write. You may grant read-only access by selecting the read-only check box for any user role and planning center row in the security group. This in turn grants read-only access to the planning centers on the My Planning Workspace page. |
Note. You can directly add and delete user access from the grid on the right — 'User access assigned to selected planning centers' group box. It is not necessary to perform any security refresh process if access changes during the planning process, but if you add a new planning center node you will need to refresh Dimension members and worklists in the Update Data Stage Process.
Access the Secondary Security Groups page.
Create a secondary security group to associate users with a particular dimension that you specify when you define the line item activity on the Activity page. You can grant both read-only and read-write access permissions to the secondary security group.
| Copy Secondary Security Group | Click to go to the Copy Secondary Security Group page, where you can specify the name and effective date of the secondary security group to which you want to copy. |
| Dimension | Select the additional dimension for which you want to create a secondary security group. |
| Effective Date | Defaults to the current date. Ensure that the tree and dimension security group have the same effective date, so that if the tree changes the dimension security group also changes; or set the effective date to the past so that the dimension security group applies even if the tree changes. |
| EW Security Definition | Display-only check box; it is selected for an EPM Warehouse secondary security definition. Note. You cannot update dimension values on the Secondary Security Group page if it came from EW security. You may only define read-only access, since by default it is read-write. To modify values and user access you should either refresh from EW security, or copy the secondary security group that would then no longer be tied to the EW definition. |
| Select Dimension Value | Select By Value or By Tree to specify the dimension value range. The system activates the lower boxes on the page based on your selection. Note. The option that you select applies to all users. Switching from one option to the other will result in existing permissions being deleted for all users. |
| Dimension Value Range | If you selected By Value, then enter the From Value and To Value for the dimension. Click Add to populate the dimension value rows in the box to the right. Note. You must have a valid user selected before you can populate dimension members by value or tree. |
| Tree Information | If you selected By Tree, then enter the Tree SetID, and Tree Name. Specify the tree Level Name, or select Detail Level to display all the lowest level dimension values (nodes and leaves). The system displays the dimension tree. Click any of the tree nodes to populate the Edit Permissions grid (to the right) and grant access to all the nodes and child nodes, at the specified level, to the selected user in the User Permissions group box. Select the Detail Level check box to populate the Edit Permissions grid (to the right) and grant access to all lowest level dimension values under the selected node to the selected user in the User Permissions group box. |
| Select User | Enter the User ID to assign permissions. Use the Edit Permissions group box to view the current permission selection and to modify read-only and read-write access for the current permission selection. Use the Existing Permissions group box to view a complete list of user permissions and to modify existing security access for the entire list. Note. Make sure you select a user to assign permissions to the selected dimension values. |
| Read Only | Select if you are assigning read-only access to the dimension value row. Deselect for the user to have read-write access. |
| Refresh | Refreshes the page with existing permissions for the selected user, and clears the Edit Permissions grid. You must enter a user before clicking Refresh. |
| Copy | Transfers you to the Copy User Permissions page where you can select from a list of Target Users to whom you want to copy permissions. You must enter a user before clicking Copy. On the Copy User Permissions page, you can enter search criteria and click Refresh to narrow down the list of target users. You can also click Select All/Clear All to select or deselect all displayed users. If any of the selected users already has existing permissions, the system warns you that these permissions will be overwritten by the permissions from the source user. |
| Delete | Deletes existing permissions for the selected user. You must select a user before clicking. The system displays a warning message before deleting. |
Review, assign, or delete access to security groups and planning centers based on the User ID. Selecting a User ID reveals the roles assigned to that user with a link to the active security groups. Clicking that link gives a report of all the active security groups for the specific user and role combination. A link is available to go to the Planning Center page where you can designate planning center nodes for the selected user and role.
Note. The preparer level assigned in the security group MUST be at the same level as the planning center tree used in the activity and scenario definition. The model validator tool will check for this compatibility.
This section lists prerequisites and discusses how to:
Review user roles.
Review user security groups.
Review user planning centers.
To review Planning and Budgeting security by user you must define the:
Security group.
User ID.
Roles.
| Page Name | Object Name | Navigation | Usage |
|  | BP_USER | Planning and Budgeting, System Administration, Administer User Security, User Roles | Review security group selections for a user's role. Also provides access to the planning center pages. |
|  | BP_USER_SEC_GRP | Click the Security Group link on the User Roles page. | View all the security groups for the user role. Contains a link to the Planning Center page for each security group. |
|  | BP_USER_APRVLUNITS | Click the Planning Center link on the User Security Groups page. | View, assign, or delete planning center nodes of the selected security group to the selected user and role. |
Access the User Roles page.
This page reports the Planning and Budgeting roles assigned through PeopleTools Security. There are links to the active security group definitions assigned to this user ID by role. Check boxes also indicate permissions to perform allocations and adjustments.
| Security Groups | Click this link to access the security groups assigned to the role. |
| Allowed to do allocations | Grants the right to make allocation decisions in the budgeting process. |
| Allowed to do adjustments | Grants the right to perform adjustments to the accounts. Note. If these options are not selected to allow allocations or adjustments, access to allocate and mass adjust will not be available for all planning centers on My Planning Workspace page. |
Access the User Security Groups page.
This is a list of all the active security groups for a user role with a link to the Planning Centers page to review, assign, and delete planning center nodes of the selected security group.
| Planning Centers | Click this link to access the User Planning Center page. |
Access the User Planning Center page.
The planning centers displayed for this user and role combination are those defined in the Security Group. Users may only have access at the level of the Planning Centers tree as defined in the Security Group. Click the nodes of the tree at the proper level for the role to assign them to the selected user and role. If the planning center node is not already assigned to the user and role, it is added to the grid. Click the save button to save the assigned or deleted planning center nodes in the grid. In this example the user BP01 for the Analyst role only has access to three planning centers.
This section discusses how to:
Review security by user and role.
Review security by activity and scenario.
Review security for a planning center associated with an activity scenario.
Review secondary security by user.
| Page Name | Object Name | Navigation | Usage |
|  | BP_SEC_BY_USERROLE | Planning and Budgeting, System Administration, Administer User Security, Security by User and Role | Displays a list of Business Unit, Planning Model ID, Activity, Scenario and Planning Centers for a unique combination of User ID, Role, Business Unit, Planning Model ID, Activity and Scenario. |
|  | BP_SEC_BY_ACTSCEN1 | Planning and Budgeting, System Administration, Administer User Security, Security by Activity/Scenario | Displays a list of planning centers and the total number of users of that center, for a unique combination of Business Unit, Planning Model ID, Activity and Scenario. |
|  | BP_SEC_BY_ACTSCEN2 | Planning and Budgeting, System Administration, Administer User Security, Security by Activity/Scenario, select the Total Number of Users hyperlink. | Display the user IDs and roles associated with a specific planning center in a business unit, planning model ID, activity, and scenario. |
|  | BP_DIM_SEC_BY_USER | Planning and Budgeting, System Administration, Administer User Security, Secondary Security by User. | Report existing permissions for a set of User IDs and dimension values. |
Access the Security by User and Role page.
The system displays a list of planning centers for a unique combination of user ID, role, business unit, planning model ID, activity and scenario.
Access the Security by Activity/Scenario page.
Based on a selection of business unit, planning model ID, activity and scenario, the system displays a list of planning centers and the total number of users of that center. This list ensures that all planning centers are covered by a role.
Access the Secondary Security by User page.
Enter a range of user IDs or dimension values and then click Refresh Report to display existing permissions for the given search criteria.