Setting Up EPM Security

This chapter provides an overview of EPM security and setup, and discusses how to:

Click to jump to parent topicUnderstanding EPM Security and Setups

This section discusses:

Click to jump to top of pageClick to jump to parent topicPeopleSoft Application Security

PeopleSoft applications use multilevel security to enable you to successfully manage shared data environments. You set up data access at different entry points within your system and define the most efficient path to data across business groups, tables, departments, pages, and so forth. You have full control over security definitions, selecting options to create a matrix that enables or restricts user access to data through a series of authorizations.

Security access covers three areas: networks, databases, and applications. Network security controls the overall point of entry into your system hardware and software resources. Database security narrows the scope of a user's information access. At the application level, security extends to the field level. This diagram illustrates PeopleSoft application security levels:

Application Security Terms

This table describes the various types of PeopleSoft application security:

Security Type

Location

Function

Network

Network software

Controls entry into the network and authorizes rights to use shared resources.

Relational Database Management System (RDBMS)

Operating system

Controls access to the database.

User

PeopleTools

Controls access to application pages, functions, and business components.

Object

PeopleTools

Controls access to objects or object groups that are used in application development.

Query

PeopleTools

Defines table row sets that are accessed for performing system queries.

Row-level

PeopleTools and PeopleSoft applications

Controls access to the subset of data rows within tables that the user is authorized to review or update.

Field-level

PeopleCode

Controls access to individual fields on pages.

Click to jump to top of pageClick to jump to parent topicEPM Security

EPM security controls access to specific data within the EPM database and enables you to grant users access to specific rows, columns, or fields in an EPM database table. Data-access privileges within the warehouse can be defined for both Operational Warehouse - Enriched (OWE) and Multidimensional Warehouse (MDW) tables, and for dimension and fact tables.

You can specify EPM security access using any of the following methods:

EPM security provides a single point of entry for defining and maintaining data access rules across all the EPM Warehouses and Analytical Applications.

Click to jump to top of pageClick to jump to parent topicSetting Up EPM Security

EPM security is extremely flexible and enables you to restrict user access to EPM database tables in a variety of ways, including field level, row level, and column level restrictions. PeopleSoft-delivered ETL jobs move security data from your source transaction system to EPM target warehouse tables. You must set up PeopleTools and IBM WebSphere DataStage security, but you need only use the security pages documented in this chapter to redefine or modify your existing security data.

You have the option of implementing only one type of EPM security restriction or all four types:

The following security setup process flow demonstrates the different security setup options:

EPM Security Setup Process Flow

As demonstrated in the diagram, you can implement any combination of field level, ledger, row level, and column level security restrictions.

Note. Refer to your EPM Warehouse and Analytical Application PeopleBooks for any special security setups required for those products.

PeopleTools security

PeopleTools security provides user authentication and application-level security. Users are authorized to access the EPM database using Peopletools login security. Users may be granted or denied access to each application and components therein. EPM security works together with PeopleTools security, so you must properly define PeopleTools security prior to setting up EPM security.

See PeopleSoft PeopleTools PeopleBook: Security Administration

IBM WebSphere DataStage Security

PeopleSoft EPM delivers the IBM WebSphere extract, transform, and load (ETL) tool to load your source data into the Operational Warehouse - Staging (OWS) and migrate the data to the OWE and the MDW. The tool builds three layers of security into the repository and its objects. Access is granted through groups and users.

The three layers of security are:

  1. A user role that is created by the EPM Production Manager.

    The Production Manager assigns Windows user groups to one of four DataStage user categories. For example, if you belong to the Windows Administrators user group, you might be assigned to the DataStage Production Manager category and have full access to all areas of a DataStage project. This is the default for DataStage users.

  2. Project privileges that range from browse-only to full Production Manager privileges.

  3. Object-level safeguards that prevent users from jointly accessing or overwriting the same object.

    For example, if a user is working on a job, that object is locked so that no other user can access it. Locks are automatically created to avoid repository contamination.

The following DataStage user categories are defined in PeopleSoft EPM: the EPM Production Manager, Developer, Operator, and None. The Production Manager has full access to all areas of a DataStage project, including repository objects, and can create and manipulate protected projects. The Production Manager grants access to all other groups and users. Developers have full access to all areas of a DataStage project and can create and modify ETL jobs. This is the default setting. Operators have permission to run and manage DataStage jobs. Users who are assigned to None do not have permission to sign in to DataStage.

See IBM Information Server: Administration Guide

Field Level Security

Field level security enables you to restrict users to specific fields on your EPM database tables based on business units and setIDs (because the tables are keyed by setID or business unit).

To set up field level security you must:

  1. Enable field level security and specify related options.

  2. Associate security views with specific users, permission lists, business units, or setIDs.

  3. Apply the aforementioned field level security parameters.

  4. Associate specific users or permission lists with the business unit and/or setID restrictions (data group restrictions) you defined in the previous steps.

See Specifying Field-Level Security Options.

Ledger Security

Ledger security enables you to restrict users to specific EPM ledger tables. You can restrict access to the tables by user or permission list.

See Establishing Ledger Security.

Dimension (Row Level) and Metric (Column Level) Security

Row level security enables you to secure individual rows of an EPM dimension table. Column level security enables you to secure individual columns of an EPM database table. Usually, these are measures on fact tables, but may also be attributes on a dimension table that contain sensitive data, such as Employees' Salary or the Social Security Number columns. With row level and metric level support, you can restrict access by individual user or security roles.

To set up row level security you must:

  1. Define dimension security.

  2. Associate the dimension with a security join table.

    Security join tables are EPM database tables that store the security profiles for users along with the corresponding dimension values for which they have access.

  3. Define users and security roles.

  4. Assign dimension rows to the user or security role.

To set up column level security you must:

  1. Define metric security.

  2. Define users and security roles.

  3. Assign metric to the user or security role.

See Defining Dimension and Metric Security.

See Understanding Role and User Based Security for Dimensions and Metrics.

Click to jump to top of pageClick to jump to parent topicEPM Security Views

Security views are SQL SELECT statements that filter out data rows whose key values are not needed as valid access parameters. The result is that users who are authorized to access setIDs or business units see only a subset of values from these edit table values. PeopleSoft EPM delivers prepackaged security views for most securable objects in EPM and the views tell the system which table views to reference. To use these security views in PeopleTools, use the views as a search view.

Object

Delivered EPM Security View

Personal Data

PERSONAL_SRCH

Job Data

JOB_SRCH

Job Code

JOBCODE_SRCH

Location

LOCATION_SRCH

Scenario

SCENARIO_SRCH

You can alter these prepackaged views or build your own.

Click to jump to parent topicSpecifying Field-Level Security Options

You can set up field-level security for business units and setIDs because EPM warehouse tables are keyed by either setID or business unit. The Security Options page enables you to enable this type of security. The page updates one row in the INSTALLATION_FS table. Only one row is ever in this table (only one type of security can be active at a time). For example, if you select operator security, only selected fields (business unit, setID, or both) have security applied.

After specifying field-level security options you must associate security views with specific users, permission lists, business units, or setIDs and run the apply security application engine process (which reads the INSTALLATION_FS table, determines the security type, such as none, permission list or operator, and applies your selected field-level security parameters).

After running the apply security process, you must associate specific users or permission lists with the business unit and/or setID restrictions (data group restrictions) you defined in the previous steps.

This section discusses how to:

Click to jump to top of pageClick to jump to parent topicPages Used to Specify Field-Level Security Options

Page Name

Definition Name

Navigation

Usage

Security Options

SECURITY_OPTIONS

EPM Foundation, EPM Security, Advanced, Security Options

Set up field-level security for business units and setIDs.

Security View Names

SECURITY_VIEWS

EPM Foundation, EPM Security, Advanced, Security View Names

Set up security view names.

Request Security Processing

RUN_FIN9001

EPM Foundation, EPM Security, Advanced, Apply Security Setups, Request Security Processing

Run the Apply Security process to apply the security setup throughout the system.

TableSet Security by Permission List

SEC_SETID_CLS

EPM Foundation, EPM Security, Advanced, TableSet Security by Perm (Permission) List

Establish setID security by permission list. Valid values for permission list are taken from your PeopleTools security setup.

TableSet Security by User ID

SEC_SETID_OPR

EPM Foundation, EPM Security, Advanced, TableSet Security by User ID

Establish setID security by user ID. Valid values for user are taken from your PeopleTools security setup.

Unit Security by Permission List

SEC_BU_CLS

EPM Foundation, EPM Security, Advanced, Unit Security by Perm (Permission) List

Establish business unit security by permission list.

Unit Security by User ID

SEC_BU_OPR

EPM Foundation, EPM Security, Advanced, Unit Security by User ID

Establish business unit security by user ID.

Click to jump to top of pageClick to jump to parent topicSetting Up Field-Level Security Options

Access the Security Options page (EPM Foundation, EPM Security, Advanced, Security Options).

You can implement security using any of the following fields:

For either field, you can set the security in the following ways:

No Security

Disables PeopleSoft application security. All users who are authorized to access a page may select any valid setID or business unit.

Operator Level Security

Enables PeopleSoft application security. Users are limited to the setIDs and business units that are specified by their user IDs.

Permission List Level Security

Enables PeopleSoft application security. Users are limited to the key fields that are specified by the permission list that is assigned to their user IDs. All users in a permission list have the same level of security.

Click to jump to top of pageClick to jump to parent topicSpecifying Security View Names Access Privileges

Access the Security View Names page (EPM Foundation, EPM Security, Advanced, Security View Names).

After you have set up your security views, you can specify which users or permission lists can access the pages that contain secured field values using the Security View Names page. Within each page, you also can hide specific fields from particular permission lists. The Security View Names page also indicates the type of field (business unit or setID) secured by each view.

The system stores the list in the SEC_VIEW_NAMES table, where you can review or update this information. You can add any security views that you configure for your system.

View names use one of three file extensions to reflect the type of security that you selected when you specified your security options:

Use the Search Text field to search for a security view table. This field lists the view name prefixes that are supplied by each of your applications. When you run the Apply Security Setup process, the process uses these prefixes to search the system for view names that begin with these prefixes. If a view name begins with a prefix from this list, the process changes the view name extension to match the security type that you selected when you specified security options. The type of field (business unit or setID) that is secured by each view is embedded in the view name.

After you have selected your security options and defined your security views, you must run the Apply Security FIN9001 SQR process for the options to take effect.

See Also

EPM Security Views

Click to jump to top of pageClick to jump to parent topicRunning the Apply Security Process

Access the Request Security Processing page (EPM Foundation, EPM Security, Advanced, Apply Security Setups, Request Security Processing).

Run the Apply Security process to apply the security parameters you set up on the Security Options and Security View Names pages. The Apply Security process reads the INSTALLATION_FS table to determine the security type (none, permission list, operator) and then switches the prompt table views to the new view names, based on SEC_VIEW_NAMES. The process searches for the values in the Search Text field on the Security View Names page and replaces the table names as specified.

Note. This process should not be confused with the request security processing process (PF_SECURITY) which is discussed later in this chapter. The PF_SECURITY process applies security parameters specified for security roles and users.

Click to jump to top of pageClick to jump to parent topicEstablishing SetID Security by Permission List or User ID

Access the TableSet Security by Permission List page (EPM Foundation, EPM Security, Advanced, TableSet Security by Perm (Permission) List) or the TableSet Security by User ID page (EPM Foundation, EPM Security, Advanced, TableSet Security by User ID ).

For each user ID or primary permission list, select the setID or setIDs that the users or permission list can access.

Click to jump to top of pageClick to jump to parent topicEstablishing Business Unit Security by Permission List or User ID

Access the Unit Security by Permission List page (EPM Foundation, EPM Security, Advanced, Unit Security by Perm (Permission) List) or the Unit Security by User ID page.

For each user ID or primary permission list, select the warehouse business unit or units that the user or permission list can access.

Click to jump to parent topicEstablishing Ledger Security

You can determine which users have access to ledger data by securing access to specific ledgers. For a specified ledger you can grant access to users by permission list or user ID.

Click to jump to top of pageClick to jump to parent topicPages Used to Define Ledger Security

Page Name

Definition Name

Navigation

Usage

Ledger/Perm List

SEC_LEDGER_CLS

EPM Foundation, EPM Security, Advanced, Ledger Security by Permission List, Ledger/Perm List

Select a ledger to associate with a security permission list.

Ledger by User ID

SEC_LEDGER_OPR

EPM Foundation, EPM Security, Advanced, Ledger Security by User ID, Ledger by User ID

Select a ledger to associate with a user ID.

Click to jump to top of pageClick to jump to parent topicDefining Ledger Security by Permission List or User ID

Access the Ledger/Perm List (EPM Foundation, EPM Security, Advanced, Ledger Security by Permission List, Ledger/Perm List) or Ledger by User ID page (EPM Foundation, EPM Security, Advanced, Ledger Security by User ID, Ledger by User ID).

Use these pages to select a ledger to associate with a security permission list or user ID.

Click to jump to parent topicSpecifying Row and Column Level Security

This section provides an overview of role and user-based security and discusses how to:

Click to jump to top of pageClick to jump to parent topicDefining Dimension and Metric Security

Because EPM is delivered with no security restrictions, dimensions and metrics (also known as fact-columns) are also delivered unsecured. Before you can grant a user access to a dimension or metric, you must first indicate to the system that a particular dimension or metric requires securing. The pages used to define dimension and metric security are discussed in the security chapter of this PeopleBook.

See Defining Dimension and Metric Security.

Note. Dimensions and metrics that are not secured are classified as public, or unsecured. All EPM users can view public objects.

Click to jump to top of pageClick to jump to parent topicUnderstanding Role and User Based Security for Dimensions and Metrics

After you designate dimensions and metrics that require securing, you must grant users access to those objects. You can grant security access to an individual user or to a specific security role.

EPM security enables you to create security roles. A security role is a set of data access privileges that are assigned to one or more users. A user who is assigned to a specific role inherits all access privileges that are associated with that role. A user can belong to multiple roles. In this case, the user would inherit the combined privileges that are defined for all roles.

To set up security roles, define the role, assign dimension and metric access privileges to the role, and then assign users to the role. The following diagram depicts this process.

Process flow - security role setup

If you have established security roles for your PeopleTools security, you can import the roles into the EPM database using the Run Security Processing page.

See Processing Your Security Parameters.

EPM security also enables you to define access privileges for individual users. To set up user access privileges, assign dimension and metric access privileges to a specific user.

Dimension Security and Individual, Constraint, and Tree Based Selections

EPM security provides three methods to specify row-level security for your dimension:

Processing Role and User Based Security Parameters

After the security rules have been set up, the EPM security application engine (PF_SECURITY) process must be run. This processes the access as defined in the Role Dimension access pages and flattens the data to the individual dimension members and populates the security join tables specified in dimension metadata.

Click to jump to top of pageClick to jump to parent topicPages Used to Establish Role and User-Based Security

Page Name

Definition Name

Navigation

Usage

Define EPM Security Roles

PF_SY_ROLE_DEFN

EPM Foundation, EPM Security, Security By Role, Define EPM Security Roles

Define security roles.

Access To Metric

PF_SY_ROLE_METR

EPM Foundation, EPM Security, Security By Role, Role Metric Access, Access To Metric

Assign a metric to a security role.

Role Dimension Access

PF_SY_ROLE_ALL_MDW

EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Role Dimension Access

Assign a dimension table to a security role and specify high-level access privileges.

Note. The object name of this page changes depending on whether an OWE or MDW dimension is selected.

Individual Selection

PF_SY_ROLE_LIST

EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Individual Selection

Specify row-level access to the dimension based on setID and dimension key fields.

Constraint-based Selection

PF_SY_ROLE_CONS

EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Constraint-based Selection

Specify row-level access to the dimension based on constraint.

Select Security Column

PF_SY_COLUMN_PG

Automatically accessed when you select a constraint on the Constraint-based Selection page that contains two or more columns and the system cannot distinguish the column you want to include in your security parameters

Select one column to include in your constraint.

Tree-based Selection

PF_SY_ROLE_TREE

EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Tree-based Selection

Specify row-level access to the dimension based on an existing tree hierarchy that is defined for the dimension. You can use the tree to grant a user access to specific nodes, leaves, or details in the tree. Used with OWE dimensions only.

User Role Access

PF_SY_USER_ROLES

EPM Foundation, EPM Security, Security By User, User Role Access

Assign a user to a security role.

Role Security Summary

PF_SY_ROL_SUMMARY

EPM Foundation, EPM Security, Security By Role, Role Security Summary

Review access privileges and other information for a security role.

Review Role Dimension Access

PF_SY_ROLE_DETAIL

Click the Details link on the Role Security Summary page.

Review additional details about a dimension that is associated with the selected security role

Access To Metric

PF_SY_ROLE_METR

EPM Foundation, EPM Security, Security By User, User Metric Access, Access To Metric

Assign a metric to a user.

User Dimension Access

PF_SY_ROLE_ALL

EPM Foundation, EPM Security, Security By User, User Dimension Access, User Dimension Access

Assign a dimension table to a user and specify high-level access privileges.

Individual Selection

PF_SY_ROLE_LIST

EPM Foundation, EPM Security, Security By User, User Dimension Access, Individual Selection

Specify row-level access to the dimension based on setID and dimension key fields.

Constraint-based Selection

PF_SY_ROLE_CONS

EPM Foundation, EPM Security, Security By User, User Dimension Access, Constraint-based Selection

Specify row-level access to the dimension based on constraint.

Select Security Column

PF_SY_COLUMN_PG

Automatically accessed when you select a constraint on the Constraint-based Selection page that contains two or more columns and the system cannot distinguish the column you want to include in your security parameters.

Select one column to include in your constraint.

Tree-based Selection

PF_SY_ROLE_TREE

EPM Foundation, EPM Security, Security By User, User Dimension Access, Tree-based Selection

Specify row-level access to the dimension based on an existing tree hierarchy that is defined for the dimension. You can use the tree to grant a user access to specific nodes, leaves, or details in the tree. Used with OWE dimensions only.

User Security Summary

PF_SY_SUMMARY

EPM Foundation, EPM Security, Security By User, User Security Summary

Review access privileges and other information for a user.

Review User Dimension Access

PF_SY_USER_DETAIL

Click the Details link on the User Security Summary page.

Review additional details about a dimension that is associated with the selected user.

Request Security Processing

RUN_PF_SECURITY

EPM Foundation, EPM Security, Advanced, Request Security Processing

Apply security parameters for security roles and users by running the request security processing (PF_SECURITY) process.

Click to jump to top of pageClick to jump to parent topicDefining Security Roles

Access the Define EPM Security Roles page (EPM Foundation, EPM Security, Security By Role, Define EPM Security Roles).

EPM Security Role

Displays the name of the security role that you are defining.

Role Type

Displays the type of role that is being defined.

Possible role types include EPM Role, System Role, User Role, WFA Generated Role.

Users in This EPM Security Role

User ID

Displays the users who are associated with this role.

Click to jump to top of pageClick to jump to parent topicGranting Metric Access to a Security Role

Access the Access To Metric page (EPM Foundation, EPM Security, Security By Role, Role Metric Access, Access To Metric).

Metric ID

Displays the metric that you are associating with a particular security role.

Record Name

Displays the record that is associated with the selected metric.

Column Name

Displays the column that is associated with the selected metric.

Click to jump to top of pageClick to jump to parent topicGranting Dimension Access to a Security Role

Access the Role Dimension Access page (EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Role Dimension Access).

Dimension

Displays the dimension that you are associating with a particular security role.

Warehouse

Displays the warehouse layer that is associated with the selected dimension.

Type of Access

Grant All

Select this option to grant the role access to the entire dimension.

No Access

Select this option to bar the role from accessing the entire dimension.

Selective Access

Select this option to grant the role access to specific rows in the dimension.

You can specify rows individually based on setIDs, using a constraint or using a hierarchy tree that is defined for the dimension (tree hierarchies are available only for OWE dimensions) .

Click to jump to top of pageClick to jump to parent topicGranting Individual Row-Level Access to a Role

Access the Individual Selection page (EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Individual Selection).

Dimension

Displays the dimension that you are associating with a particular security role.

Warehouse

Displays the warehouse layer that is associated with the selected dimension.

Dimension Values

SetID or Business Unit

Enter the setID or business unit that is associated with the dimension rows that you want to secure.

This field can display either SetID or Business Unit, depending on the dimension you select. In some instances, there is no value displayed for the field .

Dimension Key

Enter the dimension key that is associated with the dimension.

Because this is a dimension key field, the name of this field changes depending on the selected dimension. For example, if the Product (PRODUCT) table were selected, Product IDwould be displayed because it is the dimension key for that table.

Click to jump to top of pageClick to jump to parent topicGranting Constraint-Based Row-Level Access to a Role

Access the Constraint-based Selection page (EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Constraint-based Selection).

Dimension

Displays the dimension that you are associating with a particular security role.

Warehouse

Displays the warehouse layer that is associated with the selected dimension.

Constraint-based Selection

SetID

Enter the setID that is associated with the dimension rows that you want to secure.

Constraint Code

Enter the constraint that you want to associate with the selected dimension rows.

You must have a constraint defined before you can access it here. If you do not have a constraint defined, you can use the Create Constraint link to create a new constraint.

Note. The Select Security Column page displays if the constraint you select contains two or more columns and the system cannot distinguish the column you want to include in your security parameters.

Reload

Click to refresh the constraint definition if you have changed it after it was included in a security role.

Security Column

Displays the field from the constraint that is used as the column to restrict access.

Create Constraint

Click to access the Constraints page and define a constraint.

If you have not created a constraint for the selected dimension rows, you can do so in the Constraints page.

Click to jump to top of pageClick to jump to parent topicSpecifying Constraint Columns for Constraint-Based Row-Level Access

Access the Select Security Column page (Automatically accessed when you select a constraint on the Constraint-based Selection page that contains two or more columns and the system cannot distinguish the column you want to include in your security parameters).

When you select a constraint (on the Constraint-based Selection page) that contains two or more columns and the system cannot distinguish the column you want to include in your security parameters, the Select Security Column page is accessed automatically. The page displays the columns available to use in the constraint you selected. You must choose just one of the columns for the constraint. Select the column you want to include by clicking the column name in the Key ID field.

Click to jump to top of pageClick to jump to parent topicGranting Tree-Based Row-Level Access to a Role (OWE Dimension Only)

Access the Tree-based Selection page (EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Tree-based Selection ).

Dimension

Displays the dimension that you are associating with a particular security role.

Warehouse

Displays the warehouse layer that is associated with the selected dimension.

Select Tree Values

SetID

Enter the setID that is associated with the dimension rows that you want to secure.

Tree ID

Enter the hierarchy tree that you want to use to specify the dimension rows.

Selection

Displays the selected tree node value.

Find Selected Value

Click the Find Selected Value button to display the selected node at the top of the hierarchy tree and make it easier for you to locate the node with which you are working.

Parent Node

Displays the parent node of the selected node.

This field is blank if the selected node is a root node.

Node Type

Displays the node type of the selected node.

Values can be Node or Detail.

Selection Type

Specify the level of detail to include with the selected node.

Different values are available for your selection, depending on whether you have selected a node or a leaf from the hierarchy tree.

If a node is selected, you can specify This Node Only, Immediate Children, Node and Immediate Children, All Descendants, or Node + All Descendants.

If a leaf is selected, you can specify Immediate Child Leaves or All Descendant Leaves.

If the leaf has a range of values, you must select Immediate Child Leaves. Trees with duplicate leaves are not supported.

Add to Node Selection List

Click the Add to Node Selection List button to add the selected node to the selection list.

You must add a node to the selection list before the fields in the Selected Nodes and Leaves group box displays node values.

Display Tree

Click to display the hierarchy tree.

Click to jump to top of pageClick to jump to parent topicAssigning Users to a Security Role

Access the User Role Access page (EPM Foundation, EPM Security, Security By User, User Role Access).

User ID

Displays the user for whom you are granting role access.

EPM Security Role Name

Enter the security role that you want to associate with the selected user.

Click to jump to top of pageClick to jump to parent topicViewing Security Summary for a Security Role

Access the Role Security Summary page (EPM Foundation, EPM Security, Security By Role, Role Security Summary).

EPM Security Role Name

Enter the security role for which you want to see a summary of access privileges.

 

Display Summary

Click to display the security role details and refresh the view.

Dimension

Dimension Name

Displays the dimensions that are associated with the selected security role.

Warehouse

Displays the warehouse layer that is associated with the selected dimension.

Edit Access

Click to access the Role Dimension Access page and edit the security role's access to the dimension.

Details

Click to access the Review Role Dimension Access page and examine additional details about the secured dimension, such as the setID or dimensionID.

Add Dimension Access

Click to access the Role Dimension Access page and grant the selected security role access to another dimension.

Metrics

Click the Edit Metric Access link to access the Role Metric Access page and edit the security role's access to a metric.

Click to jump to top of pageClick to jump to parent topicReview Role Dimension Access Summary

Access the Review Role Dimension Access page (Click the Details link on the Role Security Summary page.).

Use this page to review additional details about your dimension that is associated with a particular security role.

Click to jump to top of pageClick to jump to parent topicGranting Metric Access to a User

Access the Access to Metric page (EPM Foundation, EPM Security, Security By User, User Metric Access, Access To Metric).

The fields on this page are identical to the fields on the Access to Metric page for security roles. The only difference is that the fields on this page represent individual user access privileges and not a security role.

Click to jump to top of pageClick to jump to parent topicGranting Dimension Access to a User

Access the User Dimension Access page (EPM Foundation, EPM Security, Security By User, User Dimension Access, User Dimension Access).

The fields on this page are identical to the fields on the Role Dimension Access page. The only difference is that the fields on this page represent individual user access privileges and not a security role.

Click to jump to top of pageClick to jump to parent topicGranting Individual Row-Level Access to a User

Access the Individual Selection page (EPM Foundation, EPM Security, Security By User, User Dimension Access, Individual Selection).

The fields on this page are identical to the fields on the Individual Selection page for security roles. The only difference is that the fields on this page represent individual user access privileges and not a security role.

Click to jump to top of pageClick to jump to parent topicGranting Constraint-Based Row-Level Access to a User

Access the Constraint-based Selection page (EPM Foundation, EPM Security, Security By User, User Dimension Access, Constraint-based Selection).

The fields on this page are identical to the fields on the Constraint-based Selection page for security roles. The only difference is that the fields on this page represent individual user access privileges and not a security role.

Click to jump to top of pageClick to jump to parent topicGranting Tree-Based Row-Level Access to a User (OWE Dimension Only)

Access the Tree-based Selection page (EPM Foundation, EPM Security, Security By User, User Dimension Access, Tree-based Selection).

The fields on this page are identical to the fields on the Tree-based Selection page for security roles. The only difference is that the fields on this page represent individual user access privileges and not a security role.

Click to jump to top of pageClick to jump to parent topicViewing Security Summary for a User

Access the User Security Summary page (EPM Foundation, EPM Security, Security By User, User Security Summary).

User ID

Enter the user for which you want to see a summary of access privileges.

Display Summary

Click to display security details for the user and refresh the view.

Dimension

Dimension Name

Displays the dimensions that are associated with the selected user.

Warehouse

Displays the warehouse layer that is associated with the selected dimension.

Edit Access

Click to access the User Dimension Access page and edit the user's access privileges to the dimension.

Details

Click to access the Review User Dimension Access page and examine additional details about the secured dimension, such as the setID or dimensionID.

Add Dimension Access

Click to access the User Dimension Access page and grant the selected user access to another dimension.

Metrics

Click the Edit Metric Access link to access the User Metric Access page and edit the user's access to a metric.

Roles

EPM Security Role Name

Displays the security roles that are associated with selected user.

Edit Role Assignments

Click to access the User Role Access page and edit the user's privileges that are associated with the role.

Click to jump to top of pageClick to jump to parent topicReview User Dimension or User Metric Access Summary

Access the Review User Dimension Access page (Click the Details link on the User Security Summary page).

The fields on this page are identical to the fields on the Review Role Dimension Access page. The only difference is that the fields on this page represent individual user access privileges and not a security role.

Click to jump to top of pageClick to jump to parent topicProcessing Your Security Parameters

Access the Request Security Processing page (EPM Foundation, EPM Security, Advanced, Request Security Processing).

EPM Role

Enter the EPM security role that you want to process.

If you leave this field blank, all security roles are processed.

Note. You cannot process a security role and a user at the same time.

User ID

Enter the user you want to process.

If you leave this field blank, all users are processed.

Note. You cannot process a security role and a user at the same time.

Dimension

Enter the dimension that you want to process.

If you leave this field blank, all dimensions are processed.

Warehouse

Enter the warehouse structure that is associated with the dimension you select for processing.

Business Unit

Enter the business unit that you want to process.

Business unit is used to determine which record suite is used for the security job.

Jobstream ID

Enter the Jobstream ID for the warehouse security.

Note. This jobstream is not secured, all users can access and run it. However, only an adiministrator should run this jobstream.

Rerun Option

Select this check box to rerun the security parameters process.

Copy System Role to EPM

Rebuild Security Only

Select this option if you want only to rebuild the security join tables.

Copy Roles, Rebuild Security

Select this option if you want to rebuild the security join tables and import PeopleTools security roles into the EPM database.

Copy Roles Only

Select this option if you want only to import PeopleTools security roles into the EPM database.

Click to jump to parent topicEstablishing Security Bridges for Your Business Intelligence Tool

This section provides and overview of security bridges and discusses PeopleSoft delivered Application Programming Interfaces (APIs).

Click to jump to top of pageClick to jump to parent topicUnderstanding Security Bridges

Security bridges provide a means to transfer EPM security profiles to your Business Intelligence (BI) database. This enables you to define your security parameters once in EPM without having to redefine them in your BI reporting tool.

Security bridges use Application Programming Interfaces (APIs) to transfer security profiles. APIs use programming commands to interface and communicate with your BI database and transfer EPM security profiles. A set of APIs is required to read data from EPM tables and another set is required to write data to your BI tables.

Security bridge and APIs

PeopleSoft prepackages APIs that are designed to read data from your EPM tables. However, you must create the code that writes data to your BI tables. PeopleSoft APIs are coded in Java and can function with any BI reporting tool.

PeopleSoft delivers the following APIs.

Click to jump to top of pageClick to jump to parent topicRole Collection

This class is a collection class of individual Role classes. The collection will inherit the normal Java methods to traverse the collection, for example, next(), first() and so forth. Also methods such as add(), remove() can be used and implemented as an ArrayList.

Public Methods

Name

RoleCollection(JDBCConnection dbCon)

Returns

Nothing

Parameters

JDBCConnection dbCon. A valid JDBC Connection.

Description

This is the constructor used to instantiate the Role collection.

 

Name

LoadAllRoles()

Returns

Nothing

Parameters

None

Description

This method clears out the current elements in the collection and load it with all the currently defined Roles in EPM.

Click to jump to top of pageClick to jump to parent topicRole

This class defines a single Role defined in the EPM row-level security framework.

Public Methods

Name

Role(JDBCConnection dbCon, String Name);

Returns

Nothing

Parameters

JDBCConnection dbCon. A valid JDBC Connection.

Description

The constructor for the Role class. Takes JDBC Connection and RoleName as parameters. Given a rolename, the constructor will fill up the other properties such as Type and Description.

Note. There is no public constructor of the format Role(), you cannot instantiate this class without a name.

 

Name

getUsers();

Returns

List of UserNames

Parameters

None

Description

The method will return a List of User Names that belong to this Role. A standard Java List object can be used to implement this.

 

Name

getAccessibleDimensions();

Returns

List of Dimension Names

Parameters

None

Description

The method will return a List Dimension names that this Role can access.

 

Name

hasAccess (String DimName);

Returns

integer 0 or 1

Parameters

Dimension Name

Description

The method returns a Boolean specifying whether the Dimension referenced by DimensionName parameter is available to the Role or not.

 

Name

hasAccess(String DimName, int DimValue);

Returns

integer 0 or 1

Parameters

Dimension Name, A surrogate key value

Description

The method returns 0 or 1 specifying whether this Role has access to a particular value in a dimension.

 

Name

hasAllAccess(String DimName);

Returns

integer 0 or 1

Parameters

Dimension Name

Description

The method returns a Boolean specifying whether this Role has ALL access to the Dimension referenced by DimensionName parameter.

 

Name

getDimensionValues(String DimName);

Returns

List of Values

Parameters

Dimension Name

Description

The method returns a List of values in the Dimension referenced by DimName that are available to the Role. The method will first check to ensure that the Dimension Name is a valid Secured dimension in the system, and it is accessible to the Role. The method will retun a List of values from the appropriate security join table. If the Role has ALL access to this dimension, the List will contain only one value with the pre-determined surrogate key value for ALL. Will return an empty List if the dimension is not available to the Role.

 

Name

getName();

Returns

String Name

Parameters

None

Description

Get method for Name

 

Name

getType();

Returns

String Name

Parameters

None

Description

Get method for Type

 

Name

getDescription();

Returns

Stirng Descr

Parameters

None

Description

Get method for Description

 

Name

getLongDescription();

Returns

String Description

Parameters

None

Description

Getter method for Long Description

Click to jump to top of pageClick to jump to parent topicUser Collection

This class contains the same information as the Role Collection class. The only difference is that the values for this class represent user collection and not role collection.

Click to jump to top of pageClick to jump to parent topicUser

This class contains information about a single User defined in EPM Security.

Public Methods

Name

User(JDBCConnection dbCon, String Name);

Returns

Nothing

Parameters

JDBC Connection, String UserName

Description

The constructor for the User class. Takes Name as the one and only parameter.

 

Name

getRoles();

Returns

List of RoleNames

Parameters

None

Description

The method will instantiate a List of Role Names that contain this User.

 

Name

getAccessibleDimensions();

Returns

List of Dimension Names

Parameters

None

Description

The method will return a List of Dimension names that this User can access. This will be a combined list of all dimensions that the user can access via all his roles.

 

Name

hasAccess (String DimName);

getAccessibleMetrics()

Returns

integer 0 or 1

Parameters

Dimension Name

Description

The method returns a Boolean specifying whether the Dimension referenced by DimensionName parameter is available to the User or not. This method queries all the Roles for this user to determine if the user has access to the dimension.

 

Name

hasAccess(String DimName, int DimValue);

Returns

integer 0 or 1

Parameters

Dimension Name, A surrogate key value

Description

The method returns 0 or 1 specifying whether this User has access to a particular value in a dimension. This method queries all the Roles for this user to determine if the user has access to the dimension and value.

 

Name

hasAllAccess(String DimName);

Returns

integer 0 or 1

Parameters

Dimension Name

Description

The method returns a Boolean specifying whether this User has ALL access to the Dimension referenced by DimensionName parameter. If any of the user's Roles has ALL access, the user is deemed to have ALL access.

 

Name

getDimensionValues(String DimName);

Returns

List of Values

Parameters

Dimension Name

Description

The method returns a List of values in the Dimension referenced by DimName that are available to the User. The method first checks to ensure that the Dimension Name is a valid Secured dimension in the system, and it is accessible to the User. This is a combined list of values from all the user's Roles. The method returns a List of values from the appropriate SJT. If the User has "all" access to this dimension, the List will contain only one value with the pre-determined surrogate key value for "all". Will return an empty List if the dimension is not available to the User.

 

Name

getName();

Returns

String Name

Parameters

None

Description

Get method for Name

Click to jump to top of pageClick to jump to parent topicDimension Collection

This class contains information about the list of dimensions defined as secured dimensions in EPM Security. Each element of the collection is a Dimension class that represents one secured Dimension in the EPM system. The collection will inherit the normal Java methods to traverse the collection, for example, next(), first() and so forth. Also methods such as add(), remove() can be used.

Public Methods

Name

DimensionCollection(JDBCConenction dbCon)

Returns

Nothing

Parameters

JDBC Connection

Description

This is the constructor used to instantiate the Dimension collection. This class is derived from one of the Java Collection classes, possibly ArrayList, or LinkedList. Most of the methods needed are inherited from the Collection class, Next(), Previous(), HasNext(), size() and so forth. The constructor will instantiate an empty collection.

 

Name

LoadAllDimensions()

Returns

Nothing

Parameters

None

Description

This method will clear out the current elements in the collection and load it with all the currently secured dimensions in EPM.

Click to jump to top of pageClick to jump to parent topicDimension

This class contains information about a single Dimension defined in the EPM database.

Public Methods

Name

Dimension (JDBC Connection, String Name)

Returns

String Name

Parameters

JDBC Connection

Description

This is the constructor for this class. Takes a Dimension Name as parameter. The constructor will validate that the dimension specified by Name is a valid secured dimension in EPM. If it is an invalid name, or the dimension is not secured, the constructor will fail.

 

Name

getRoles()

Returns

List of Role Names

Parameters

Nothing

Description

This method will return a list of all Role names that have access to this dimension.

 

Name

getUsers()

Returns

List of User Names

Parameters

Nothing

Description

This method will return a list of all User names that have access to this dimension.

 

Name

getDimName()

Returns

Stirng Name

Parameters

None

Description

Get method for Name.

 

Name

getDimTableName()

Returns

String TableName

Parameters

None

Description

Get method for Table Name.

 

Name

getDimKeyName()

Returns

String KeyName

Parameters

None

Description

Get method for Key Name.

 

Name

isSecured()

Returns

Boolean

Parameters

None

Description

Get method for isSecured.

Click to jump to top of pageClick to jump to parent topicMetricCollection

This class contains information about metric collection.

Public Methods

Name

MetricCollection(JDBCConnection dbCon)

Returns

Nothing

Parameters

A valid JDBCConnection

Description

This is the constructor used to instantiate the Metric collection. The constructor will instantiate an empty collection.

 

Name

LoadAllMetrics()

Returns

Nothing

Parameters

None

Description

This method will clear out the current elements in the collection and load it with all the currently secured metrics in EPM.

Click to jump to top of pageClick to jump to parent topicMetric

This class contains information about the metrics (columns) setup in EPM Security. This is for the Column-level security.

Public Methods

Name

Metric(JDBCConnection dbCon , String Name)

Returns

Nothing

Parameters

JDBCConnection dbCon , String Name

Description

This is the constructor for this class. Takes a Dimension Name as parameter. There is no other public constructor. You need at least a Dimension Name to instantiate this class. The constructor will validate that the dimension specified by Name is a valid secured dimension in EPM. If it is an invalid name, or the dimension is not secured, the constructor will fail.

 

Name

getColName()

Returns

String Column Name

Parameters

None.

Description

This method will return the column name that the metric defines.

 

Name

getRecName()

Returns

String Record Name

Parameters

None

Description

This method will return the Record name that the metric defines.

Click to jump to top of pageClick to jump to parent topicJDBCConnection

This class is used to connect to a database using a JDBC driver.

Public Methods

Name

makeConnection()

Returns

Nothing

Parameters

None

Description

This method will connect to a JDBC database. The parameters needed to connect will be read from jdbcconnection.property file.

 

Name

makeConnection(String theDriverName, String theDbURL)

Returns

Nothing

Parameters

Driver Name, DB URL string

Description

This method will connect to a JDBC database. The parameters needed to connect are passed into the method.

 

Name

makeConnection(String theDriverName, String theDbURL, String theUserName, String thePassword)

Returns

Nothing

Parameters

JDBC Driver Name to be used to attempt the connection, URL for database to connect, User Name, Password

Description

This method will connect to a JDBC database. The parameters needed to connect are passed into the method.

 

Name

closeConnection()

Returns

Nothing

Parameters

None

Description

This method will close the connection.

 

Name

getDbResultSet(String pTheQuery)

Returns

ResultSet

Parameters

Query sent to the database.

Description

This method will execute the query and return a ResultSet object.