Setting Up Security and Roles

This chapter provides an overview of security setup, secondary security setup, lists prerequisites and discusses how to:

Assign Planning and Budgeting roles to roles defined in PeopleTools.
Define Planning and Budgeting users.
Integrate with EPM Warehouse security.
Set up Planning and Budgeting security groups and secondary security groups.
Review security and secondary security by user.
Review Planning and Budgeting security reports.

Understanding Security Setup

You are required to set up security for Planning and Budgeting, which in turn defines how you configure and control your system. The ultimate goal is to develop an interface and functionality specific to your particular organization.

To implement Planning and Budgeting security setup, first link the Planning and Budgeting roles to a corresponding PeopleTools security role. You then designate users with these roles for access to the Planning and Budgeting system. The roles are associated with security groups that in turn grant user access to specific nodes on the planning center tree. The security groups are used in the building of model, scenario, and activity combinations.

Understanding Secondary Security Setup

Secondary security setup is optional. You can create a secondary security group to grant users access to dimension members, and you can associate the secondary security group with the activity scenarios. You use a dimension other than your planning center dimension to establish secondary security.

There are two different kinds of secondary security definitions used by Planning and Budgeting, and only one type of secondary security definition can be used at a time by each line item activity in a planning model:

EPM Warehouse security definitions.

Note. The EPM Warehouse security only refreshes the system version. If you copy the system version to another version, then you must manually update that version for any changes made to the system version.

When the EPM Warehouse security definitions are copied to the Planning and Budgeting database the following rules apply:
- If a previously copied permission for a dimension value and Planning and Budgeting user have been modified to read-only, this will not be overwritten by the warehouse security.
- The default user access for definitions copied from the warehouse is read-write.
- The system deletes a definition if it was previously copied from a warehouse security group and it does not currently exist in the warehouse.
- The system adds new definitions for those that do not exist in the Planning and Budgeting definitions.
- For all the copied warehouse security definitions, only the read and read-write permissions in the Planning and Budgeting database can be modified from the Planning and Budgeting application. You can neither add nor delete dimension values.
Planning and Budgeting secondary security group definitions.

Assigning Planning and Budgeting Roles to PeopleTools User Roles

PeopleSoft delivers predefined Planning and Budgeting roles. You may use these roles or optionally replace them with a role name more descriptive of your situation. Use the PeopleTools pages to define a user role.

Understanding Planning and Budgeting Roles and Their Relationship to PeopleSoft Security Roles

This section provides an overview, lists prerequisites, and discusses how to associate Planning and Budgeting roles with PeopleSoft roles. Planning and Budgeting delivers the following predefined roles:

Coordinator	The central budget office coordinator for an organization, this individual determines budget parameters and guidelines, builds the planning model, coordinates the overall budget process for the organization, and performs high-level forecasting and analysis.
Analyst	With budget responsibility for a planning center—typically a unit, department, or division within an organization—this individual may break a budget into smaller units for distribution to lower levels and establish additional guidelines for those smaller units to follow in the budgeting process. Budget analysts also do some forecasting and modeling for their overall budget.
Reviewer	With responsibility for reviewing and approving submitted budget plans for a planning center, in many cases, a budget reviewer and a budget analyst may be the same individual.
Preparer	At the lowest level of budget preparation for a planning center, this individual provides line item, asset, and position budget amounts and justifications to higher-level users and does not usually perform budget allocations. When finished preparing a budget, the budget preparer submits a budget to a higher level planning center for review and approval.
Casual Preparer	An additional user at the lowest level of budget preparation for a planning center, when access is granted this individual performs the same activities as the budget preparer. The system does not, however, let the casual preparers define their own private views for line item budgeting. When finished preparing a budget, the casual preparer submits a budget to a higher level planning center for review and approval.
System Administrator	The system administrator is in charge of system security.

Prerequisites

Complete general PeopleSoft security setup including the following:

Define permission lists—the objects that control what a user can and cannot access.
Assign permission lists to user roles.

A user role is the link between a permission list and a user profile. A user role can use multiple permission lists, and a user profile can be assigned multiple roles. A user's system access is a combination of all of their user roles.
Set up a user profile to define an individual PeopleSoft user, and then link the user profile to one or more roles.

You must set up a user profile in the system before you can give a user access to the Planning and Budgeting system. In setting up a user profile, you create a user ID and associate roles with that user ID. The role assigns permission lists to the user.

Page Used to Assign Planning and Budgeting Roles to User Roles

Page Name	Object Name	Navigation	Usage
Planning & Budgeting Roles	BP_ROLE_DEFN	Planning and Budgeting, System Administration, Administer User Security, Planning and Budgeting Roles	Assign Planning and Budgeting roles to PeopleTools specified roles.

Assigning Planning and Budgeting Roles to User Roles

Access the Planning & Budgeting Roles page.

When you assign a user role to a budgeting role, you are essentially assigning permission lists to the budgeting role. This optional page lets you rename budgeting roles, which may be useful in enterprises where roles are labeled differently from the delivered Planning and Budgeting roles or where multiple languages are used.

PeopleSoft Role

Enter a user role (defined in PeopleTools) for each of the delivered budgeting roles.

Preparer and casual preparer require a PeopleSoft role assigned. Other budgeting roles are optional. Leave these blank if you are not using in Planning and Budgeting

See Enterprise PeopleTools Security, Roles and permission lists, Roles

Defining Planning and Budgeting Users

Before granting access to the Planning and Budgeting system or sending automatic emails to those involved in the budgeting process, define and identify your budgeting system users from the user profiles you set up using PeopleTools.

Page Used to Define Budget Users

Page Name	Object Name	Navigation	Usage
Define Planning and Budgeting Users	BP_USER_SELECT	Planning and Budgeting, System Administration, Administer User Security, User List	Define specific user access to Planning and Budgeting and synchronize user profiles from PeopleSoft EPM Warehouse.

Identifying Planning and Budgeting Users

Access the Define Planning and Budgeting Users page.

The Define Planning and Budgeting Users page displays all users that have a planning and budgeting role assigned in the system. You must designate which of these users may have access to Planning and Budgeting applications with a check.

Update Users	Once you have assigned a planning and budgeting role to a user, click this button to synchronize user profiles in the PeopleSoft EPM Warehouse.
Budget User	Select to enable a user access to the budgeting system.

Integrating with EPM Warehouse Security

The EPM Warehouse security defines:

Users.
Roles.

A user may be a member of one or more roles. A role typically has more than one user.
Dimension access rules.

These access rules define who may access a dimension and members of a dimension. The rules may be defined for a role or for a user. A role or a user may be allowed to access only certain members of a dimension.

Access rights for a user are the combined access provided to them by their membership in roles.

To set up secured access for a dimension in the warehouse, the security administrator defines the access rules and then executes a batch program that processes the rules into flattened security join tables (SJTs). These tables are then queried by EPM applications to determine what data is accessible by a certain user.

Planning and Budgeting has its own set of security tables that contain information about users and their access rights. To leverage the warehouse security in Planning and Budgeting, we deliver a batch program (Request Security Processing) that accesses the SJTs and updates the Planning and Budgeting security tables with the same information. You must execute the Planning and Budgeting batch program after the warehouse security program has modified the SJTs.

To that end, you:

Define a jobstream containing both the warehouse and the Planning and Budgeting security batch processes, using the Jobstream page. (Navigation: EPM Foundation, Job Processing, Setup Engines and Jobstreams, Processes in Jobstreams).
Run the jobstream from the Request Security processing page. (Navigation: EPM Foundation, EPM Security, Advanced, Request Security Processing).

The EPM Warehouse batch process performs the following steps:

Processes all warehouse dimensions or the dimension given as a parameter on the security run control page.
For each warehouse dimension (OWE only), it attempts to find a matching dimension in the Planning and Budgeting application by querying the PS_BP_EW_DIM_MAP table.
If it finds a dimension, it queries the PS_BP_ACTIVITY table to determine if the dimension is secured in the Planning and Budgeting application. Warehouse dimensions can only be used to secure secondary dimensions on an activity. The warehouse dimension security cannot be used for planning center dimensions.
It then accesses the SJT for the corresponding warehouse dimension.
It creates a secondary security group in Planning and Budgeting for this dimension. It tags the secondary security group as a warehouse security group. The name of the secondary security group is specified in the mapping table PS_BP_EW_DIM_MAP.
The secondary security groups are keyed by setID. The setID is determined by the business unit or the setID of the dimension values in the SJT.
It creates the secondary security group with an effective date of 01-01-1900. This effective date is updated every time you run the batch process. Note that if you create a new effective date for the warehouse security groups, the batch program still applies the 01-01-1900 definition.
For each role found in the SJT, the program determines all the users belonging to that role, and then inserts a detail row in the secondary security group for each user. It gives the user read-write access by default.
The update to the secondary security groups is destructive in nature, that is, all the rows from the secondary security group are deleted and inserted again. The only exception to this rule is if the secondary security group has been modified in Planning and Budgeting to change the access rights from read-write to read-only. In that case, the modified access rights are retained so you don’t have to reapply your changes.
If an access privilege exists in the Planning and Budgeting secondary security group, but it has been deleted from the warehouse, then the batch process also deletes the privilege from Planning and Budgeting. This happens even if the Planning and Budgeting privilege has been modified to read-only.

Note. Any security access granted to a user ID applies to all planning centers for that user. Additionally, there is no need to run the security processing program by business unit because security is run at the setID level.

See Securing EPM.

See Streamlining Processing with Jobstreams.

Setting Up Planning and Budgeting Security Groups and Secondary Security Groups

This section provides overviews of security groups, planning center version security, lists prerequisites, and discusses how to:

Define security groups.
Define secondary security groups.
Report secondary security user permissions.

Understanding Security Groups

Use security groups to grant access to user roles at the planning center level. You define the elements of the security group on the Security Group page and they will be displayed on the User Roles pages. Only those planning centers assigned to a user and role here will show up on the User Planning Centers page. A security group can be used on multiple activity scenarios and planning models.

You create a secondary security group to associate users with a particular non-planning center dimension that you specify when you define the activity on the Activity page. You can grant both read and read-write access within the secondary security group.

Note. Planning and Budgeting does not support secondary dimension security for positions or assets.

Understanding Planning Center Version Security

A user who has read-only access to a secondary security group, will have only partial access to the planning center. For that reason the system draws a distinction between full and partial access:

Partial Access: User has access to only some of the line items within a planning center version. A user has partial access to a line item planning center version if and only if:
- The security group authorizes him/her for the planning center, for example, BP01 has access to Department SALES; and
- The secondary security group bars him/her from at least one line item within the planning center version, for example, BP01 has no access to Account SALARY; and
- The line item combination (Department SALES, Account SALARY) does currently exist in the planning center version.
Full Access: User has access to all line items within a line item planning center version.

A planning center version is defined by a unique combination of these elements: business unit, planning model, activity, scenario, planning center, and version.

Users with partial access to a planning center version are not authorized to do the following:

Submit budgets.
See planning targets.
See user views that display a tree on any dimension.
Perform allocations.
See analysis reports.

Note. The system may still allow a user to see or derive secured data via a driver for the RELATE method, or a flexible formula source. Such read access should be restricted to trusted users.

Submit Status of Planning Centers

All line item planning center versions must have at least one full access user, that is, either read-only or read-write access to all line items in that planning center. Planning centers that do not have at least one such user are deemed nonsubmissible.

The system does not prevent you from creating a nonsubmissible planning center. However, during the staging process, the system generates a warning for each nonsubmissible planning center. The User Access to Line Items page shows the status (in the Submit Allowed? column) of each planning center version; this page is available only after staging.

See Staging Scenarios and Activities in a Planning Model.

Resolving Nonsubmissible Status of Planning Centers

The system provides tools so that the coordinator can ensure there is a full access user for every planning center version. Drilling down on a planning center version in the User Access to Line Items page takes you to the User Access to Line Items Detail page, that shows which users have access to each line item within the planning center version.

See Staging Scenarios and Activities in a Planning Model.

See Viewing User Access to Line Items and to Line Item Details.

Prerequisites

To define a security group for your planning center dimension you must first define the following:

Planning center tree based on the dimension you will be using for your activity scenarios in your planning model.
User ID selected as a Planning and Budgeting user.
Security role linked to a delivered Planning and Budgeting role

Note. If you are using the optional secondary security, define the dimension used to secure on the Activity definition page.

Pages used to Define a Security Group

Page Name	Object Name	Navigation	Usage
Security Group	BP_SECURITY_GRP1	Planning and Budgeting, System Administration, Administer User Security, Security Groups	Assign user and role access to nodes on the planning center tree.
Secondary Security Group	BP_DIM_SECURITYGRP	Planning and Budgeting, System Administration, Administer User Security, Secondary Security Groups	Create a secondary security group to associate a user with a particular dimension.
Copy User Permissions	BP_DIM_USRPRM_COPY	Planning and Budgeting, System Administration, Administer User Security, Secondary Security Groups, and click Copy.	Select from a list of target users to whom you want to copy permissions.
Copy Secondary Security Group	BP_DIM_SECGRP_COPY	Planning and Budgeting, System Administration, Administer User Security, Secondary Security Groups, and click Copy Secondary Security Group.	Specify the name and effective date of the secondary security group to which you want to copy.

Defining Security Groups

Access the Security Groups page

Security groups define the relationship between a planning center, a user and a role assigned to that user. This page allows you to add new combinations of the centers, users and roles. Click a node on the tree to get the planning center for the node into the first grid to the right, and then assign one or more user roles. To assign more nodes/planning centers to users and roles, click the next node and assign users and roles. When you click the next node, the system moves the data for the previously selected node from the first grid into the second grid on the right. When you click the save button the data in the first grid (if any) is moved into second grid and the system saves all the data in the second grid.

Copy Security Group	Click this button to create a copy of the group to facilitate development of a new security group.
Tree name	Enter the planning center tree name. This tree must have levels defined and strictly enforced.
Preparer Level	This level is for choosing planning centers for preparer role or casual preparer role. Other roles, reviewer or analyst or administrator, should pick planning center nodes from levels above the preparer level.
Read Only	The planning center security group default access is read-write. You may grant read-only access by selecting the read-only check box for any user role and planning center row in the security group. This in turn grants read-only access to the planning centers on the My Planning Workspace page.

Note. You can directly add and delete user access from the grid on the right — 'User access assigned to selected planning centers' group box. It is not necessary to perform any security refresh process if access changes during the planning process, but if you add a new planning center node you will need to refresh Dimension members and worklists in the Update Data Stage Process.

Defining Secondary Security Groups

Access the Secondary Security Groups page.

Create a secondary security group to associate users with a particular dimension that you specify when you define the line item activity on the Activity page. You can grant both read-only and read-write access permissions to the secondary security group.

Copy Secondary Security Group	Upon clicking, the system transfers you to the Copy Secondary Security Group page where you can specify the name and effective date of the secondary security group to which you want to copy.
Dimension	Select the additional dimension for which you want to create a secondary security group.
Effective Date	Defaults to the current date. Ensure that the tree and dimension security group have the same effective date, so that if the tree changes the dimension security group also changes; or set the effective date to the past so that the dimension security group applies even if the tree changes.
EW Security Definition	Display only check box, and it is checked for an EPM Warehouse secondary security definition. Note. You cannot update dimension values on the Secondary Security Group page if it came from EW security. You may only define read-only access, since by default it is read-write. To modify values and user access you should either refresh from EW security, or copy the secondary security group that would then no longer be tied to the EW definition.
Select Dimension Value	Select By Value or By Tree to specify the dimension value range. The system activates the lower boxes on the page based on your selection. Note. The option that you select applies to all users. Switching from one option to the other will result in existing permissions being deleted for all users. You can copy a secondary security group established from EW security, but by default the definition uses values and not trees. By copying from EW security, it becomes a secondary security group for Planning and Budgeting and you can edit the way you want since it is no longer tied to the EW security definition.
Dimension Value Range	If you selected By Value, then enter the From Value and To Value for the dimension. Click Add to populate the dimension value rows in the box to the right. Note. You must have a valid user selected before you can populate dimension members by value or tree.
Tree Information	If you selected By Tree, then enter the Tree SetID, and Tree Name. Specify the tree Level Name, or select Detail Level to display all the lowest level dimension values (nodes and leaves). The system displays the dimension tree. Click any of the tree nodes to populate the Edit Permissions grid (to the right) and grant access to all the nodes and child nodes, at the specified level, to the selected user in the User Permissions group box. Select the Detail Level check box to populate the Edit Permissions grid (to the right) and grant access to all lowest level dimension values under the selected node to the selected user in the User Permissions group box.
Select User	Enter the User ID to assign permissions. Use the Edit Permissions group box to view the current permission selection and to modify read-only and read-write access for the current permission selection. Use the Existing Permissions group box to view a complete list of user permissions and to modify existing security access for the entire list. Note. Make sure you select a user to assign permissions to the selected dimension values.
Read Only	Select if you are assigning read-only access to the dimension value row. Deselect for the user to have read-write access.
Refresh	Refreshes the page with existing permissions for the selected user, and clears the Edit Permissions grid. You must enter a user before clicking Refresh.
Copy	Transfers you to the Copy User Permissions page where you can select from a list of Target Users to whom you want to copy permissions. You must enter a user before clicking Copy. On the Copy User Permissions page, you can enter search criteria and click Refresh to narrow down the list of target users. You can also click Select All/Clear All to select or deselect all displayed users. If any of the selected users already has existing permissions, the system warns you that these permissions will be overwritten by the permissions from the source user.
Delete	Deletes existing permissions for the selected user. You must select a user before clicking. The system displays a warning message before deleting.

Reviewing Security by User

Review, assign, or delete access to security groups and planning centers based on the User ID. Selecting a User ID reveals the roles assigned to that user with a link to the active security groups. Clicking on that link gives a report of all the active security groups for the specific user and role combination. A link is available to go to the Planning Center page were you can designate planning center nodes for the selected user and role.

Note. The preparer level assigned in the security group MUST be at the same level as the planning center tree used in the activity and scenario definition. The model validator tool will check for this compatibility.

This section lists prerequisites and discusses how to:

Review user roles.
Review user security groups.
Review user planning centers.

Prerequisites

To review Planning and Budgeting security by user you must define the:

Security group.
User ID.
Roles.

Pages Used to Review Security by User

Page Name	Object Name	Navigation	Usage
User Roles	BP_USER	Planning and Budgeting, System Administration, Administer User Security, User Roles	Review security group selections for a user's role. Also can access the planning center pages.
User Security Groups	BP_USER_SEC_GRP	Click the Security Group link on the User Roles page.	View all the security groups for the user role. Contains a link to the Planning Center page for the each security group.
User Planning Centers	BP_USER_APRVLUNITS	Click on the Planning Center link on the User Security Groups page.	View, assign, or delete planning center nodes of the selected security group to the selected user and role.

Reviewing User Roles

Access the User Roles page.

This page reports the Planning and Budgeting roles assigned through PeopleTools Security. There are links to the active security groups definition assigned to this user id by role. Checkboxes also indicate permissions to perform allocations and adjustments.

Security Groups

Click this link to access the security groups assigned to the role.

Allowed to do allocations

Grants the right to make allocation decisions in the budgeting process.

Allowed to do adjustments

Grant the right to perform adjustments to the accounts.

Note. If these options are not selected to allow allocations or adjustments, access to allocate and mass adjust will not be available for all planning centers on My Planning Workspace page.

Reviewing User Security Groups

Access the User Security Groups page.

This is a list of all the active security groups for a user role with a link to the Planning Centers page to review, assign, and delete planning center nodes of the selected security group.

Planning Centers

Click on this link to access the User Planning Center page.

Reviewing User Planning Centers

Access the User Planning Center page.

The planning centers displayed for this user and role combination are those defined in the Security Group. Users may only have access at the level of the Planning Centers tree as defined in the Security Group. Click on the nodes of the tree at proper level for the role to assign them to the selected user and role. If the planning center node is not already assigned to the user and role, it will be added in the grid. Use save button to save the assigned or deleted planning center nodes in the grid to be saved. In this example the user BP01 for the Analyst role only has access to three planning centers.

Reviewing Planning and Budgeting Security Reports

This section discusses how to:

Review security by user and role.
Review security by activity and scenario.
Review security for a planning center associated with an activity scenario.
Review secondary security by user.

Pages Used to Review Planning and Budgeting Security Reports

Page Name	Object Name	Navigation	Usage
Security by User and Role	BP_SEC_BY_USERROLE	Planning and Budgeting, System Administration, Administer User Security, Security by User and Role	Displays a list of Business Unit, Planning Model ID, Activity, Scenario and Planning Centers for a unique combination of User ID, Role, Business Unit, Planning Model ID, Activity and Scenario.
Security by Activity/Scenario	BP_SEC_BY_ACTSCEN1	Planning and Budgeting, System Administration, Administer User Security, Security by Activity/Scenario	Displays a list of planning centers and the total number of users of that center, for a unique combination of Business Unit, Planning Model ID, Activity and Scenario.
Security by Planning Center	BP_SEC_BY_ACTSCEN2	Planning and Budgeting, System Administration, Administer User Security, Security by Activity/Scenario, select the Total Number of Users hyperlink.	Display the user IDs and roles associated with a specific planning center in a business unit, planning model ID, activity, and scenario.
Secondary Security by User	BP_DIM_SEC_BY_USER	Planning and Budgeting, System Administration, Administer User Security, Secondary Security by User.	Report existing permissions for a set of User IDs and dimension values.

Reviewing Security by User and Role

Access the Security by User and Role page.

The system displays a list of planning centers for a unique combination of user ID, role, business unit, planning model ID, activity and scenario.

Reviewing Security by Activity and Scenario

Access the Security by Activity/Scenario page.

Based on a selection of business unit, planning model ID, activity and scenario, the system displays a list of planning centers and the total number of users of that center. This list insures that all planning centers are covered by a role.

Reporting Secondary Security by User

Access the Secondary Security by User page.

Enter a range of user IDs or dimension values and then click Refresh Report to display existing permissions for the given search criteria.