Understanding Predefined Roles

Most Oracle Enterprise Performance Management Cloud services use a common set of predefined functional roles to control access to environments. Once you have been migrated to EPM Cloud, your legacy roles are mapped to the corresponding predefined role.

Access to environments is granted by assigning users to predefined roles. For example, to permit user John Doe to view reports belonging to a Planning and Budgeting test environment, he should be assigned to the Viewer role of the environment.

All EPM Cloud services other than Oracle Enterprise Data Management Cloud use a common set of four predefined functional roles to control access to service environments:

• Service Administrator
• Power User
• User
• Viewer

The access that a predefined role grants within an environment depends on the service type. For example, the Power User role in Planning enables you to manage business rule security and control the approval process while the same role in Tax Reporting enables you to run tax automation and import data.

Note:

The behavior of all predefined roles other than Service Administrator is affected by the Apply Security option defined at the dimension level in the business process. Disabling the Apply Security option leaves dimensions unsecured allowing all users assigned to predefined roles to access and write data to dimension members. Oracle recommends that you select the Apply Security option at the dimension level to enforce security.

Predefined functional service roles are hierarchical. Access granted through lower-level roles is inherited by higher-level roles. For example, Service Administrators, in addition to the access that only they have, inherit the access granted through Power User, User, and Viewer roles.

Note:

In the identity domain (Classic only), roles belonging to a test environment are distinguished by appending -test to the instance name; for example, Planning1-test User, where Planning1 is the instance name.