In This Section:
Financial Management Security Elements
Security Migration Options from Financial Management to Essbase
Financial Management application security elements are synchronized to Essbase through Analytics Link, as described in this appendix.
Financial Management application security elements include classes and properties.
Financial Management security classes are assigned to application elements upon creation. Financial Management users belonging to any of the security classes have individual access levels for each class. Access rights are described in Table 52:
Table 52. Access Rights for Financial Management Security Classes
| Access right | Description |
|---|---|
| None | The user has no access to any application elements assigned to the security class. |
| Metadata | The user can view a specified member in a list, but cannot view or modify data for the member. |
| Read | The user can view data for application elements assigned to the security class, but cannot promote or reject. |
| Promote | The user can view data for application elements assigned to the security class, and can also promote or reject. |
| All | The user can modify data for application elements assigned to the security class, and can also promote or reject. |
Each Financial Management dimension member that belongs to Account, Entities, Scenario, Custom1-4, or ICP can be associated with a security class, so that only users with access right of “Read” and higher (“Promote” and “All”) can see the data for the member. If a dimension member is not associated with a security class, its default security class is “[Default],” and all user access rights to that member are as defined in the “[Default]” security class.
Security properties associated with a Financial Management application further define how security classes are handled for the application. The security properties manage how the security classes should be enforced. A Financial Management application has the following security properties:
Table 53. Description of Financial Management Security Properties
| Security Property | Description |
|---|---|
| Node Security | Define which security classes should be used for parent-dependent values ([Contribution Total], [Contribution Adjs], [Contribution], [Elimination], [Proportion], [Parent Total], [Parent Adjs], [Parent]). If node security is PARENT, the security classes of the entity's parent are taken in consideration; otherwise (if node security is ENTITY), only the security classes of the entity itself are used. |
| Enable Metadata Security Filtering | Specifies whether users of an application see all dimension members, or only the members to which they have access. |
| Use security for Accounts | Specifies that security classes of the Accounts dimension should be taken in consideration. |
| Use security for Entities | Specifies that security classes of the Entities dimension should be taken in consideration. |
| Use security for Scenarios | Specifies that security classes of the Scenarios dimension should be taken in consideration. |
| Use security for Custom1-4 | Specifies that security classes of the Custom1-4 dimensions should be taken in consideration. |
| Use security for ICP | Specifies that security classes of the ICP dimension should be taken in consideration. |
Note: | When changing security properties, keep in mind that a user's access to a Financial Management data cell is dependent on the user having access to each dimension member that forms the intersection of that cell. |
In Analytics LinkAnalytics Link, you have multiple options for migrating Financial Management application security elements to Essbase; or, you can select not to migrate. The migration options, found in the Essbase tab of the Analytics Link Bridge Console, are as follows:
Table 54. Financial Management to Essbase Security Migration Options
| Migration Option | Description |
|---|---|
| Do Not Migrate | Analytics Link does not migrate Financial Management security elements to Essbase. |
| Migrate Users | For all users and groups that have at least Metadata access to existing Financial Management security classes, Analytics Link migrates these users and groups to Essbase with a provision of Read access to the Essbase application (and constituent databases) corresponding to the Financial Management security elements. The migrated users and groups are provisioned as follows:
|
| Migrate Users and Data Security | Analytics Link creates security filters on the Essbase databases within the Essbase applications that correspond to the Financial Management security elements. Additionally, Analytics Link provisions the appropriate Financial Management users with Filter access. For details, see Migrate Users and Data Security. |
If you select the Migrate Users and Data Security option for migrating Financial Management application security elements to Essbase, Analytics Link creates Essbase database security filters and provisions them to Financial Management users. The filters are provisioned as corresponding to each users access level to the Financial Management security classes for the appropriate applications.
The filters are created and provisioned as follows: for each combination of Financial Management security classes (including [Default]) to which a user or group has at least Read access for each security class in the combination, Analytics Link builds two security filters, EAL_P_<counter> and EAL_E_<counter>, where <counter> is a number starting with 0.
This filter sets Read permissions for the following Essbase database members:
All entity-parent-dependent members of Value dimension ([Contribution Total], [Contribution Adjs], [Contribution], [Elimination], [Proportion], [Parent Total], [Parent Adjs] and [Parent])
For dimensions Scenario, Account, Custom1-4, and ICP:
If the Use Security for <Dimension> property is true, all members that belong to the one of the classes in the security-class combination
Otherwise, all dimension members
If the Use Security for Entities property is true,
and if the NodeSecurity property is "ENTITY"—all entities that belongs to one of the classes in the combination
and if the NodeSecurity property is "PARENT"—all entities that have a parent that belongs to one of the classes in the combination. If an entity does not have a parent, then Read permission is set if the entity itself belongs to one of the classes in the combination.
Otherwise, all dimension members
Note: | If “Enable Metadata Security Filtering”=TRUE, then Read permission is set for the entity only if both it and its parent belong to one of the classes in the combination. |
This filter sets Read permissions for the following Essbase database members:
All entity parent-independent members of the Value dimension
For dimensions Scenario, Account, Custom1-4, Entity, and ICP:
If the Use Security for <Dimension> property is true, all members that belong to the one of the classes in the security-class combination
Otherwise, all dimension members
Note: | Analytics Link sets permissions only for members of Scenario, Account, Entitiy, Custom1-4, and ICP dimensions, according to the application settings. |
For each filter created as a result of the processes in Migrate Users and Data Security, a corresponding Shared Services group is created with a name in the format of filter_name_G_bridgeID, and the group is granted the filter.
Note: | The bridgeID is the ID of the Analytics Link bridge that created the specific group in Shared Services. To find the bridgeID, open the bridge in Administration Services Console. The header of the bridge console includes the bridge name and the bridgeID in parantheses. |
The new groups are provisioned as follows:
Read on the Essbase application
Server access on Essbase:<ESS host>:1 project
A description is added to the group to aid the administrator in discerning which classes are associated with a filter and corresponding group.
Each Financial Management user that has at least Read access to relevant Financial Management security classes, is assigned to the group created for the related filter.
Analytics Link users must have Shared Services/Directory Manager provision to create groups in Shared Services.
For Release 11.1.2 and later, Analytics Link users must have LCM administrator (Foundation/Shared Services) provision to create groups in Shared Services.