Specifying Row and Column Level Security

Pages Used to Establish Role and User-Based Security

Page Name	Definition Name	Navigation	Usage
Define EPM Security Roles	PF_SY_ROLE_DEFN	EPM Foundation, EPM Security, Security By Role, Define EPM Security Roles	Define security roles.
Access To Metric	PF_SY_ROLE_METR	EPM Foundation, EPM Security, Security By Role, Role Metric Access, Access To Metric	Assign a metric to a security role.
Role Dimension Access	PF_SY_ROLE_ALL_MDW	EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Role Dimension Access	Assign a dimension table to a security role and specify high-level access privileges. The object name of this page changes depending on whether an OWE or MDW dimension is selected.
Individual Selection	PF_SY_ROLE_LIST	EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Individual Selection	Specify row-level access to the dimension based on SetID and dimension key fields.
Constraint-based Selection	PF_SY_ROLE_CONS	EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Constraint-based Selection	Specify row-level access to the dimension based on constraint.
Select Security Column	PF_SY_COLUMN_PG	Automatically accessed when you select a constraint on the Constraint-based Selection page that contains two or more columns and the system cannot distinguish the column you want to include in your security parameters	Select one column to include in your constraint.
Tree-based Selection	PF_SY_ROLE_TREE	EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Tree-based Selection	Specify row-level access to the dimension based on an existing tree hierarchy that is defined for the dimension. You can use the tree to grant a user access to specific nodes, leaves, or details in the tree. Used with OWE dimensions only.
User Role Access	PF_SY_USER_ROLES	EPM Foundation, EPM Security, Security By User, User Role Access	Assign a user to a security role.
Role Security Summary	PF_SY_ROL_SUMMARY	EPM Foundation, EPM Security, Security By Role, Role Security Summary	Review access privileges and other information for a security role.
Review Role Dimension Access	PF_SY_ROLE_DETAIL	Click the `Details` link on the Role Security Summary page.	Review additional details about a dimension that is associated with the selected security role
Access To Metric	PF_SY_ROLE_METR	EPM Foundation, EPM Security, Security By User, User Metric Access, Access To Metric	Assign a metric to a user.
User Dimension Access	PF_SY_ROLE_ALL	EPM Foundation, EPM Security, Security By User, User Dimension Access, User Dimension Access	Assign a dimension table to a user and specify high-level access privileges.
Individual Selection	PF_SY_ROLE_LIST	EPM Foundation, EPM Security, Security By User, User Dimension Access, Individual Selection	Specify row-level access to the dimension based on SetID and dimension key fields.
Constraint-based Selection	PF_SY_ROLE_CONS	EPM Foundation, EPM Security, Security By User, User Dimension Access, Constraint-based Selection	Specify row-level access to the dimension based on constraint.
Select Security Column	PF_SY_COLUMN_PG	Automatically accessed when you select a constraint on the Constraint-based Selection page that contains two or more columns and the system cannot distinguish the column you want to include in your security parameters.	Select one column to include in your constraint.
Tree-based Selection	PF_SY_ROLE_TREE	EPM Foundation, EPM Security, Security By User, User Dimension Access, Tree-based Selection	Specify row-level access to the dimension based on an existing tree hierarchy that is defined for the dimension. You can use the tree to grant a user access to specific nodes, leaves, or details in the tree. Used with OWE dimensions only.
User Security Summary	PF_SY_SUMMARY	EPM Foundation, EPM Security, Security By User, User Security Summary	Review access privileges and other information for a user.
Review User Dimension Access	PF_SY_USER_DETAIL	Click the `Details` link on the User Security Summary page.	Review additional details about a dimension that is associated with the selected user.
Request Security Processing	RUN_PF_SECURITY	EPM Foundation, EPM Security, Advanced, Request Security Processing	Apply security parameters for security roles and users by running the request security processing (PF_SECURITY) process.

Defining Dimension and Metric Security

Because EPM is delivered with no security restrictions, dimensions and metrics (also known as fact-columns) are also delivered unsecured. Before you can grant a user access to a dimension or metric, you must first indicate to the system that a particular dimension or metric requires securing. The pages used to define dimension and metric security are discussed in the security topic of this documentation.

See Defining Dimension and Metric Security.

Note: Dimensions and metrics that are not secured are classified as public, or unsecured. All EPM users can view public objects.

Understanding Role and User Based Security for Dimensions and Metrics

After you designate dimensions and metrics that require securing, you must grant users access to those objects. You can grant security access to an individual user or to a specific security role.

EPM security enables you to create security roles. A security role is a set of data access privileges that are assigned to one or more users. A user who is assigned to a specific role inherits all access privileges that are associated with that role. A user can belong to multiple roles. In this case, the user would inherit the combined privileges that are defined for all roles.

To set up security roles, define the role, assign dimension and metric access privileges to the role, and then assign users to the role.

Image: Process flow - security role setup

The following diagram depicts this process.

If you have established security roles for your PeopleTools security, you can import the roles into the EPM database using the Run Security Processing page.

See Request Security Processing Page.

EPM security also enables you to define access privileges for individual users. To set up user access privileges, assign dimension and metric access privileges to a specific user.

Image: Process flow - user security setup

This example illustrates the Process flow - user security setup. .

Dimension Security and Individual, Constraint, and Tree Based Selections

EPM security provides three methods to specify row-level security for your dimension:

Individual-based definition: Enables you to specify row-level security using the SetID and dimension key fields.
Constraint-based definition: Enables you to specify row-level security by associating a constraint with a dimension table.

The constraint limits access to a dimension by acting as the WHERE clause in a SQL statement—for example, SELECT Account ID FROM Account Dimension WHERE Account ID = Northwest.

Set ID and Constraint ID are used to specify constraint access.
Tree-based definition: Enables you to specify row-level security using existing tree hierarchies that are defined for a dimension.

You can use the tree to grant a user access to specific nodes, leaves, or details in the tree. Tree hierarchy use is limited to OWE tables only.

Processing Role and User Based Security Parameters

After the security rules have been set up, the EPM security application engine (PF_SECURITY) process must be run. This processes the access as defined in the Role Dimension access pages and flattens the data to the individual dimension members and populates the security join tables specified in dimension metadata.

Define EPM Security Roles Page

Use the Define EPM Security Roles page (PF_SY_ROLE_DEFN) to define security roles.

Navigation

EPM Foundation, EPM Security, Security By Role, Define EPM Security Roles

Image: Define EPM Security Roles page

This example illustrates the fields and controls on the Define EPM Security Roles page. You can find definitions for the fields and controls later on this page.

EPM Security Role

Displays the name of the security role that you are defining.

Role Type

Displays the type of role that is being defined.

Possible role types include EPM Role, System Role, User Role, WFA Generated Role.

Users in This EPM Security Role

User ID

Displays the users who are associated with this role.

Access To Metric Page

Use the Access To Metric page (PF_SY_ROLE_METR) to assign a metric to a security role.

Navigation

EPM Foundation, EPM Security, Security By Role, Role Metric Access, Access To Metric

Image: Access To Metric page

This example illustrates the fields and controls on the Access To Metric page. You can find definitions for the fields and controls later on this page.

Metric ID

Displays the metric that you are associating with a particular security role.

Record Name

Displays the record that is associated with the selected metric.

Column Name

Displays the column that is associated with the selected metric.

Role Dimension Access Page

Use the Role Dimension Access page (PF_SY_ROLE_ALL_MDW) to assign a dimension table to a security role and specify high-level access privileges.

Navigation

EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Role Dimension Access

Image: Role Dimension Access page

This example illustrates the fields and controls on the Role Dimension Access page. You can find definitions for the fields and controls later on this page.

Dimension

Displays the dimension that you are associating with a particular security role.

Warehouse

Displays the warehouse layer that is associated with the selected dimension.

Type of Access

Grant All

Select this option to grant the role access to the entire dimension.

No Access

Select this option to bar the role from accessing the entire dimension.

Selective Access

Select this option to grant the role access to specific rows in the dimension.

You can specify rows individually based on SetIDs, using a constraint or using a hierarchy tree that is defined for the dimension (tree hierarchies are available only for OWE dimensions) .

Individual Selection Page

Use the Individual Selection page (PF_SY_ROLE_LIST) to specify row-level access to the dimension based on SetID and dimension key fields.

Navigation

EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Individual Selection

Image: Individual Selection page

This example illustrates the fields and controls on the Individual Selection page. You can find definitions for the fields and controls later on this page.

Dimension

Displays the dimension that you are associating with a particular security role.

Warehouse

Displays the warehouse layer that is associated with the selected dimension.

Dimension Values

SetID or Business Unit

Enter the SetID or business unit that is associated with the dimension rows that you want to secure.

This field can display either SetID or Business Unit, depending on the dimension you select. In some instances, there is no value displayed for the field .

Dimension Key

Enter the dimension key that is associated with the dimension.

Because this is a dimension key field, the name of this field changes depending on the selected dimension. For example, if the Product (PRODUCT) table were selected, Product IDwould be displayed because it is the dimension key for that table.

Constraint-based Selection Page

Use the Constraint-based Selection page (PF_SY_ROLE_CONS) to specify row-level access to the dimension based on constraint.

Navigation

EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Constraint-based Selection

Image: Constraint-based Selection page

This example illustrates the fields and controls on the Constraint-based Selection page. You can find definitions for the fields and controls later on this page.

Dimension

Displays the dimension that you are associating with a particular security role.

Warehouse

Displays the warehouse layer that is associated with the selected dimension.

Constraint-based Selection

SetID

Enter the SetID that is associated with the dimension rows that you want to secure.

Constraint Code

Enter the constraint that you want to associate with the selected dimension rows.

You must have a constraint defined before you can access it here. If you do not have a constraint defined, you can use the Create Constraint link to create a new constraint.

Note: The Select Security Column page displays if the constraint you select contains two or more columns and the system cannot distinguish the column you want to include in your security parameters.

Reload

Click to refresh the constraint definition if you have changed it after it was included in a security role.

Security Column

Displays the field from the constraint that is used as the column to restrict access.

Create Constraint

Click to access the Constraints page and define a constraint.

If you have not created a constraint for the selected dimension rows, you can do so in the Constraints page.

Select Security Column Page

Use the Select Security Column page (PF_SY_COLUMN_PG) to select one column to include in your constraint.

Navigation

Automatically accessed when you select a constraint on the Constraint-based Selection page that contains two or more columns and the system cannot distinguish the column you want to include in your security parameters

When you select a constraint (on the Constraint-based Selection page) that contains two or more columns and the system cannot distinguish the column you want to include in your security parameters, the Select Security Column page is accessed automatically. The page displays the columns available to use in the constraint you selected. You must choose just one of the columns for the constraint. Select the column you want to include by clicking the column name in the Key ID field.

Tree-based Selection Pge

Use the Tree-based Selection page (PF_SY_ROLE_TREE) to specify row-level access to the dimension based on an existing tree hierarchy that is defined for the dimension.

You can use the tree to grant a user access to specific nodes, leaves, or details in the tree. Used with OWE dimensions only.

Navigation

EPM Foundation, EPM Security, Security By Role, Role Dimension Access, Tree-based Selection

Image: Tree-based Selection page

This example illustrates the fields and controls on the Tree-based Selection page. You can find definitions for the fields and controls later on this page.

Dimension

Displays the dimension that you are associating with a particular security role.

Warehouse

Displays the warehouse layer that is associated with the selected dimension.

Select Tree Values

SetID

Enter the SetID that is associated with the dimension rows that you want to secure.

Tree ID

Enter the hierarchy tree that you want to use to specify the dimension rows.

Selection

Displays the selected tree node value.

Find Selected Value

Click the Find Selected Value button to display the selected node at the top of the hierarchy tree and make it easier for you to locate the node with which you are working.

Parent Node

Displays the parent node of the selected node.

This field is blank if the selected node is a root node.

Node Type

Displays the node type of the selected node.

Values can be Node or Detail.

Selection Type

Specify the level of detail to include with the selected node.

Different values are available for your selection, depending on whether you have selected a node or a leaf from the hierarchy tree.

If a node is selected, you can specify This Node Only, Immediate Children, Node and Immediate Children, All Descendants, or Node + All Descendants.

If a leaf is selected, you can specify Immediate Child Leaves or All Descendant Leaves.

If the leaf has a range of values, you must select Immediate Child Leaves. Trees with duplicate leaves are not supported.

Add to Node Selection List

Click the Add to Node Selection List button to add the selected node to the selection list.

You must add a node to the selection list before the fields in the Selected Nodes and Leaves group box displays node values.

Display Tree

Click to display the hierarchy tree.

User Role Access Pge

Use the User Role Access page (PF_SY_USER_ROLES) to assign a user to a security role.

Navigation

EPM Foundation, EPM Security, Security By User, User Role Access

Image: User Role Access page

This example illustrates the fields and controls on the User Role Access page. You can find definitions for the fields and controls later on this page.

User ID

Displays the user for whom you are granting role access.

EPM Security Role Name

Enter the security role that you want to associate with the selected user.

Role Security Summary Page

Use the Role Security Summary page (PF_SY_ROL_SUMMARY) to review access privileges and other information for a security role.

Navigation

EPM Foundation, EPM Security, Security By Role, Role Security Summary

Image: Role Security Summary page

This example illustrates the fields and controls on the Role Security Summary page. You can find definitions for the fields and controls later on this page.

EPM Security Role Name

Enter the security role for which you want to see a summary of access privileges.

Display Summary

Click to display the security role details and refresh the view.

Dimension

Dimension Name

Displays the dimensions that are associated with the selected security role.

Warehouse

Displays the warehouse layer that is associated with the selected dimension.

Edit Access

Click to access the Role Dimension Access page and edit the security role's access to the dimension.

Details

Click to access the Review Role Dimension Access page and examine additional details about the secured dimension, such as the SetID or dimensionID.

Add Dimension Access

Click to access the Role Dimension Access page and grant the selected security role access to another dimension.

Metrics

Click the Edit Metric Access link to access the Role Metric Access page and edit the security role's access to a metric.

Review Role Dimension Access Page

Use the Review Role Dimension Access page (PF_SY_ROLE_DETAIL) to .

Navigation

Click the Details link on the Role Security Summary page.

Image: Review Role Dimension Access page

This example illustrates the fields and controls on the Review Role Dimension Access page. You can find definitions for the fields and controls later on this page.

Use this page to review additional details about your dimension that is associated with a particular security role.

Access to Metric Page

Use the Access To Metric page (PF_SY_ROLE_METR) to assign a metric to a user.

Navigation

EPM Foundation, EPM Security, Security By User, User Metric Access, Access To Metric

The fields on this page are identical to the fields on the Access to Metric page for security roles. The only difference is that the fields on this page represent individual user access privileges and not a security role.

User Dimension Access Page

Use the User Dimension Access page (PF_SY_ROLE_ALL) to assign a dimension table to a user and specify high-level access privileges.

Navigation

EPM Foundation, EPM Security, Security By User, User Dimension Access, User Dimension Access

The fields on this page are identical to the fields on the Role Dimension Access page. The only difference is that the fields on this page represent individual user access privileges and not a security role.

Individual Selection Page

Use the Individual Selection page (PF_SY_ROLE_LIST) to specify row-level access to the dimension based on SetID and dimension key fields.

Navigation

EPM Foundation, EPM Security, Security By User, User Dimension Access, Individual Selection

The fields on this page are identical to the fields on the Individual Selection page for security roles. The only difference is that the fields on this page represent individual user access privileges and not a security role.

Constraint-Based Selection Page

Use the Constraint-based Selection page (PF_SY_ROLE_CONS) to specify row-level access to the dimension based on constraint.

Navigation

EPM Foundation, EPM Security, Security By User, User Dimension Access, Constraint-based Selection

The fields on this page are identical to the fields on the Constraint-based Selection page for security roles. The only difference is that the fields on this page represent individual user access privileges and not a security role.

Tree-Based Selection Page (OWE Dimension Only)

Use the Tree-based Selection page (PF_SY_ROLE_TREE) to specify row-level access to the dimension based on an existing tree hierarchy that is defined for the dimension.

You can use the tree to grant a user access to specific nodes, leaves, or details in the tree. Used with OWE dimensions only.

Navigation

EPM Foundation, EPM Security, Security By User, User Dimension Access, Tree-based Selection

The fields on this page are identical to the fields on the Tree-based Selection page for security roles. The only difference is that the fields on this page represent individual user access privileges and not a security role.

User Security Summary Page

Use the User Security Summary page (PF_SY_SUMMARY) to review access privileges and other information for a user.

Navigation

EPM Foundation, EPM Security, Security By User, User Security Summary

Image: User Security Summary page

This example illustrates the fields and controls on the User Security Summary page. You can find definitions for the fields and controls later on this page.

User ID

Enter the user for which you want to see a summary of access privileges.

Display Summary

Click to display security details for the user and refresh the view.

Dimension

Dimension Name

Displays the dimensions that are associated with the selected user.

Warehouse

Displays the warehouse layer that is associated with the selected dimension.

Edit Access

Click to access the User Dimension Access page and edit the user's access privileges to the dimension.

Details

Click to access the Review User Dimension Access page and examine additional details about the secured dimension, such as the SetID or dimensionID.

Add Dimension Access

Click to access the User Dimension Access page and grant the selected user access to another dimension.

Metrics

Click the Edit Metric Access link to access the User Metric Access page and edit the user's access to a metric.

Roles

EPM Security Role Name

Displays the security roles that are associated with selected user.

Edit Role Assignments

Click to access the User Role Access page and edit the user's privileges that are associated with the role.

Review User Dimension or User Metric Access Summary

Use the Review User Dimension Access page (PF_SY_USER_DETAIL) to review additional details about a dimension that is associated with the selected user.

Navigation

Click the Details link on the User Security Summary page.

The fields on this page are identical to the fields on the Review Role Dimension Access page. The only difference is that the fields on this page represent individual user access privileges and not a security role.

Request Security Processing Page

Use the Request Security Processing page (RUN_PF_SECURITY) to apply security parameters for security roles and users by running the request security processing (PF_SECURITY) process.

Navigation

EPM Foundation, EPM Security, Advanced, Request Security Processing

Image: Request Security Processing page

This example illustrates the fields and controls on the Request Security Processing page. You can find definitions for the fields and controls later on this page.

EPM Role

Enter the EPM security role that you want to process.

If you leave this field blank, all security roles are processed.

Note: You cannot process a security role and a user at the same time.

User ID

Enter the user you want to process.

If you leave this field blank, all users are processed.

Note: You cannot process a security role and a user at the same time.

Dimension

Enter the dimension that you want to process.

If you leave this field blank, all dimensions are processed.

Warehouse

Enter the warehouse structure that is associated with the dimension you select for processing.

Business Unit

Enter the business unit that you want to process.

Business unit is used to determine which record suite is used for the security job.

Jobstream ID

Enter the Jobstream ID for the warehouse security.

Note: This jobstream is not secured, all users can access and run it. However, only an adiministrator should run this jobstream.

Rerun Option

Select this check box to rerun the security parameters process.

Copy System Role to EPM

Rebuild Security Only

Select this option if you want only to rebuild the security join tables.

Copy Roles, Rebuild Security

Select this option if you want to rebuild the security join tables and import PeopleTools security roles into the EPM database.

Copy Roles Only

Select this option if you want only to import PeopleTools security roles into the EPM database.