Setting Up Planning and Budgeting Security Groups and Secondary Security Groups

This section provides overviews of security groups, planning center version security, lists prerequisites, and discusses how to:

Define security groups.
Define secondary security groups.
Report secondary security user permissions.

Pages used to Define a Security Group

Page Name	Definition Name	Navigation	Usage
Security Group	BP_SECURITY_GRP1	select Planning and Budgeting, then select System Administration, then select Administer User Security, then select Security Groups	Assign user and role access to nodes on the planning center tree.
Secondary Security Group	BP_DIM_SECURITYGRP	select Planning and Budgeting, then select System Administration, then select Administer User Security, then select Secondary Security Groups	Create a secondary security group to associate a user with a particular dimension.
Copy User Permissions	BP_DIM_USRPRM_COPY	Planning and Budgeting, System Administration, Administer User Security, Secondary Security Groups, and click Copy.	Select from a list of target users to whom you want to copy permissions.
Copy Secondary Security Group	BP_DIM_SECGRP_COPY	Planning and Budgeting, System Administration, Administer User Security, Secondary Security Groups, and click Copy Secondary Security Group.	Specify the name and effective date of the secondary security group to which you want to copy.

Understanding Security Groups

Use security groups to grant access to user roles at the planning center level. You define the elements of the security group on the Security Group page and they will be displayed on the User Roles pages. Only those planning centers assigned to a user and role here will show up on the User Planning Centers page. A security group can be used on multiple activity scenarios and planning models.

You create a secondary security group to associate users with a particular non-planning center dimension that you specify when you define the activity on the Activity page. You can grant both read and read-write access within the secondary security group.

Note: Planning and Budgeting does not support secondary dimension security for positions or assets.

Understanding Planning Center Version Security

A user who has read-only access to a secondary security group, will have only partial access to the planning center. For that reason the system draws a distinction between full and partial access:

Partial Access: User has access to only some of the line items within a planning center version. A user has partial access to a line item planning center version if and only if:
- The security group authorizes him/her for the planning center, for example, BP01 has access to Department SALES; and
- The secondary security group bars him/her from at least one line item within the planning center version, for example, BP01 has no access to Account SALARY; and
- The line item combination (Department SALES, Account SALARY) does currently exist in the planning center version.
Full Access: User has access to all line items within a line item planning center version.

A planning center version is defined by a unique combination of these elements: business unit, planning model, activity, scenario, planning center, and version.

Users with partial access to a planning center version are not authorized to do the following:

Submit budgets.
See planning targets.
See user views that display a tree on any dimension.
Perform allocations.
See analysis reports.

Note: The system may still allow a user to see or derive secured data via a driver for the RELATE method, or a flexible formula source. Such read access should be restricted to trusted users.

Submit Status of Planning Centers

All line item planning center versions must have at least one full access user, that is, either read-only or read-write access to all line items in that planning center. Planning centers that do not have at least one such user are deemed nonsubmissible.

The system does not prevent you from creating a nonsubmissible planning center. However, during the staging process, the system generates a warning for each nonsubmissible planning center. The User Access to Line Items page shows the status (in the Submit Allowed? column) of each planning center version; this page is available only after staging.

See Staging Scenarios and Activities in a Planning Model.

Resolving Nonsubmissible Status of Planning Centers

The system provides tools so that the coordinator can ensure there is a full access user for every planning center version. Drilling down on a planning center version in the User Access to Line Items page takes you to the User Access to Line Items Detail page, that shows which users have access to each line item within the planning center version.

See Staging Scenarios and Activities in a Planning Model.

See User Access to Line Items Page.

Prerequisites

To define a security group for your planning center dimension you must first define the following:

Planning center tree based on the dimension you will be using for your activity scenarios in your planning model.
User ID selected as a Planning and Budgeting user.
Security role linked to a delivered Planning and Budgeting role

Note: If you are using the optional secondary security, define the dimension used to secure on the Activity page.

Security Group Page

Use the Security Group page (BP_SECURITY_GRP1) to assign user and role access to nodes on the planning center tree.

Navigation

select Planning and Budgeting, then select System Administration, then select Administer User Security, then select Security Groups

Image: Security Groups page

This example illustrates the fields and controls on the Security Groups page. You can find definitions for the fields and controls later on this page.

Security groups define the relationship between a planning center, a user and a role assigned to that user. This page allows you to add new combinations of the centers, users and roles. Click a node on the tree to get the planning center for the node into the first grid to the right, and then assign one or more user roles. To assign more nodes/planning centers to users and roles, click the next node and assign users and roles. When you click the next node, the system moves the data for the previously selected node from the first grid into the second grid on the right. When you click the save button the data in the first grid (if any) is moved into second grid and the system saves all the data in the second grid.

Copy Security Group

Click this button to create a copy of the group to facilitate development of a new security group.

Tree name

Enter the planning center tree name. This tree must have levels defined and strictly enforced.

Preparer Level

This level is for choosing planning centers for preparer role or casual preparer role. Other roles, reviewer or analyst or administrator, should pick planning center nodes from levels above the preparer level.

Read Only

The planning center security group default access is read-write. You may grant read-only access by selecting the read-only check box for any user role and planning center row in the security group. This in turn grants read-only access to the planning centers on the My Planning Workspace page.

Note: You can directly add and delete user access from the grid on the right — 'User access assigned to selected planning centers' group box. It is not necessary to perform any security refresh process if access changes during the planning process, but if you add a new planning center node you will need to refresh Dimension members and worklists in the Update Data Stage Process.

Warning! You will receive the following error message if you attempt to modify or copy a security group that has a user flagged as inactivated:

Inactivated users exist in this security group. Some of the users removed from the Planning and Budgeting user list still exist in this security group. This error can be resolved either by including inactivated users in Planning and Budgeting user list or by deleting inactivated users from the security group.

Secondary Security Group Page

Use the Secondary Security Group page (BP_DIM_SECURITYGRP) to create a secondary security group to associate a user with a particular dimension.

Navigation

select Planning and Budgeting, then select System Administration, then select Administer User Security, then select Secondary Security Groups

Image: Secondary Security Groups page — Select Dimension Value by Value

This example illustrates the fields and controls on the Secondary Security Groups page — Select Dimension Value by Value. You can find definitions for the fields and controls later on this page.

Image: Secondary Security Groups page — Select Dimension Value by Tree

This example illustrates the fields and controls on the Secondary Security Groups page — Select Dimension Value by Tree. You can find definitions for the fields and controls later on this page.

Create a secondary security group to associate users with a particular dimension that you specify when you define the line item activity on the Activity page. You can grant both read-only and read-write access permissions to the secondary security group.

Copy Secondary Security Group

Upon clicking, the system transfers you to the Copy Secondary Security Group page where you can specify the name and effective date of the secondary security group to which you want to copy.

Dimension

Select the additional dimension for which you want to create a secondary security group.

Effective Date

Defaults to the current date. Ensure that the tree and dimension security group have the same effective date, so that if the tree changes the dimension security group also changes; or set the effective date to the past so that the dimension security group applies even if the tree changes.

EW Security Definition (Enterprise Warehouse Security Definition)

Display-only check box, and it is checked for an Enterprise Warehouse (EW) secondary security definition.

Note: You cannot update dimension values on the Secondary Security Group page if it came from EW security. You may only define read-only access, since by default it is read-write. To modify values and user access you should either refresh from EW security, or copy the secondary security group that would then no longer be tied to the EW definition.

Select Dimension Value

Select By Value or By Tree to specify the dimension value range. The system activates the lower boxes on the page based on your selection.

Note: The option that you select applies to all users. Switching from one option to the other will result in existing permissions being deleted for all users.

You can copy a secondary security group established from EW security, but by default the definition uses values and not trees. By copying from EW security, it becomes a secondary security group for Planning and Budgeting and you can edit the way you want since it is no longer tied to the EW security definition.

Dimension Value Range

If you selected By Value, then enter the From Value and To Value for the dimension. Click Add to populate the dimension value rows in the box to the right.

Note: You must have a valid user selected before you can populate dimension members by value or tree.

Tree Information

If you selected By Tree, then enter the Tree SetID, and Tree Name. Specify the tree Level Name, or select Detail Level to display all the lowest level dimension values (nodes and leaves). The system displays the dimension tree.

Click any of the tree nodes to populate the Edit Permissions grid (to the right) and grant access to all the nodes and child nodes, at the specified level, to the selected user in the User Permissions group box.

Select the Detail Level check box to populate the Edit Permissions grid (to the right) and grant access to all lowest level dimension values under the selected node to the selected user in the User Permissions group box.

Select User

Enter the User ID to assign permissions. Use the Edit Permissions group box to view the current permission selection and to modify read-only and read-write access for the current permission selection. Use the Existing Permissions group box to view a complete list of user permissions and to modify existing security access for the entire list.

Note: Make sure you select a user to assign permissions to the selected dimension values.

Read Only

Select if you are assigning read-only access to the dimension value row.

Deselect for the user to have read-write access.

Refresh

Refreshes the page with existing permissions for the selected user, and clears the Edit Permissions grid. You must enter a user before clicking Refresh.

Copy

Transfers you to the Copy User Permissions page where you can select from a list of Target Users to whom you want to copy permissions. You must enter a user before clicking Copy.

On the Copy User Permissions page, you can enter search criteria and click Refresh to narrow down the list of target users. You can also click Select All/Clear All to select or deselect all displayed users. If any of the selected users already has existing permissions, the system warns you that these permissions will be overwritten by the permissions from the source user.

Delete

Deletes existing permissions for the selected user. You must select a user before clicking. The system displays a warning message before deleting.