L14 assigning access
•Download as PPT, PDF•
0 likes•157 views
This document discusses security settings and access controls for an application. It describes how user access rights are determined based on their membership and the security classes assigned to data and documents. Administrators can define security classes, assign users and groups to classes to control access, run security and audit reports, and load, extract, and migrate security configurations between systems.
More Related Content
Similar to L14 assigning access
Similar to L14 assigning access (20)
More from Naresh Kumar SAHU
More from Naresh Kumar SAHU (20)
L14 assigning access
- 1. 14 Copyright © 2008, Oracle. All rights reserved. Assigning Access to Data and Documents
- 2. Copyright © 2008, Oracle. All rights reserved. Objectives After completing this lesson, you should be able to: • Describe application settings for security • Explain how users’ data and document access rights are determined • Define security classes • Assign users and groups access to security classes • Run security reports • Configure security auditing • Run auditing reports • Load and extract security files • Migrate security
- 3. Copyright © 2008, Oracle. All rights reserved. Application Settings and Security Application settings Entity dimension East Sales (Member Attribute) SecurityClass = US Account Scenario Custom1 Custom2 Custom3 Custom4ICP UseSecurityForEntities = Y UseSecurityForAccounts = Y UseSecurityForScenario = Y Security classes US Europe Australia
- 4. Copyright © 2008, Oracle. All rights reserved. Data Access Access to a data cell is determined by the user’s most restrictive member access. Member User Access to Member Sales All Costs Read Florida All France None All/None Read/None All/All Read/All
- 5. Copyright © 2008, Oracle. All rights reserved. Document Access Every document has a security class.
- 6. Copyright © 2008, Oracle. All rights reserved. Defining Security Classes You associate the security class dimension with the Security Class properties of the dimensions for which security is enabled. [Default] is a system- generated security class. Dimension association
- 7. Copyright © 2008, Oracle. All rights reserved. Assigning Access to Security Classes Assigns access for the currently selected cells Enables email alerts
- 8. Copyright © 2008, Oracle. All rights reserved. Running Security Reports
- 9. Copyright © 2008, Oracle. All rights reserved. Configuring Security Auditing Configure auditing at – Global level for all applications – Project level for specified projects – Application level for specified applications Specify activities to audit at global, project, and application levels Global Project Application
- 10. Copyright © 2008, Oracle. All rights reserved. Running Auditing Reports
- 11. Copyright © 2008, Oracle. All rights reserved. Loading Security Files !USERS_AND_GROUPS FINAPPSAdminGroup FINAPPSChrisW FINAPPSPatM !ROLE_ACCESS Administrator;FINAPPStrnadmin Load System; FINAPPSAdminGroup Reviewer1; FINAPPSPatM !SECURITY_CLASS_ACCESS System;FINAPPSAdminGroup;All;Y System;FINAPPSChrisW;Read;Y Europe;FINAPPSChrisW;All;Y
- 12. Copyright © 2008, Oracle. All rights reserved. Loading Security
- 13. Copyright © 2008, Oracle. All rights reserved. Extracting Security
- 14. Copyright © 2008, Oracle. All rights reserved. Migrating Security Use the Application Migration Wizard to migrate security artifacts. Define Migration
- 15. Copyright © 2008, Oracle. All rights reserved. Summary In this lesson, you should have learned to: • Describe application settings for security • Explain how users’ data and document access rights are determined • Create security classes • Assign users and groups access to security classes • Run security reports • Configure security auditing • Run auditing reports • Load and extract security files • Migrate security
Editor's Notes
- Data Access Each data cell in an application represents an intersection of dimension members. A user’s access to a data cell is determined by the user’s most restrictive access right to the dimension members for that intersection. You assign access rights to a member indirectly through its security class. For example, the security class for the Sales and Net Profit members could be IncomeAccounts. If you assign John Read access to the IncomeAccounts security class, he receives read access to the Sales and NetProfit members. For the example shown on the slide, at the intersection of TotalCosts and Florida, the user has Read access to the TotalCosts member and All access to the Florida member. Therefore, the user has Read access to the cell. At the intersection of TotalCosts and France, the user has Read access to the TotalCosts member and None access to the France member. Therefore, the user has no access to TotalCosts France.
- Document Access Every document in Hyperion Financial Management has an assigned security class. Users’ access to a document is determined by their access rights to the security class. The following table describes the document access rights. Document AccessDescription NoneThe document does not display in the list of documents. ReadUsers can open the document. For data entry forms and data grids, users can modify data based on their access rights to the members in the rows and columns. For Journals, the journal data is read-only. User cannot modify the document. For example, they cannot add rows or columns to a data grid. AllUsers can open the document and save their modifications to the document.
- Defining Security Classes Security classes define user or group access rights to elements in an application. You use the Define Security Classes task in the Hyperion Financial Management Windows client to define security classes. Security class names can be up to 20 characters in length and can include spaces. Default Security Class A system-generated security class called DEFAULT is created as part of an application. The security class DEFAULT has these properties: The security class DEFAULT cannot be deleted or modified by users. You can assign access rights to the security class DEFAULT. Any member without a security class (where the security class = <blank>) is treated as having the security class DEFAULT. Deleting Security Classes When you no longer need a security class, you can delete it. However, it is not automatically deleted from the metadata with which you associated it. To disassociate the security class from entities, accounts, and scenarios, you must use the Metadata Manager.
- Assigning Access to Security Classes After you define security classes, you assign users and groups access rights to them. To assign access to security classes, you use the Configure Access task in the Windows client. There are four types of access rights: Access RightDescription AllUser or group can modify any application element with the specified security class assigned. PromoteUser or group can view data for elements assigned to the security class and can promote or reject. ReadUser or group can view data for elements assigned to the security class but cannot promote or reject. Metadata User can view metadata. NoneUser or group cannot access any application element with the specified security class assigned. None is the default. There are two views available for assigning roles under Configure Access. The Security Classes by User/Group view lets you select a user or group and lists the available security classes. The Users/Groups by Security Class view lets you select a security class and list all the users and groups in the application. The slide example shows the Security Classes by User/Group view.
- Security Load Files In addition to using the Windows client to add users and groups and assign access, you can load security information from a text file. The slide example shows the format for each section of the file. The USERS_AND_GROUPS section contains a list of users and groups that have access to a Hyperion Financial Management application. The Microsoft Windows domain name for the user or group must be specified first, followed by a backslash and the user or group name. The SECURITY_CLASSES section contains a list of user-defined security classes that you can assign to Hyperion Financial Management dimension members, such as Entities. The ROLE_ACCESS section contains a list of users and groups that are assigned to pre-defined Hyperion Financial Management roles. The SECURITY_CLASS_ACCESS section contains a list of rights, by security class, for users and groups. By default, the rights for users and groups is NONE, unless otherwise specified. Therefore, specifying NONE for a user or group is not necessary, unless you are changing a user’s or group’s current rights from ALL or READ to NONE. The security class must be specified first, followed by the Microsoft Windows domain name for the user or group, a backslash, the user or group name, and the access right.
- Loading Security Security information load files can be in an ASCII format, supporting multibyte character sets (MBCS) or a Unicode format, using Little Endian byte ordering. The default file name extension for security information load files is .SEC. When you load the file, you can select to clear the application’s existing security information before beginning the load. You also can select to validate that users and groups in the load file are valid Microsoft Windows users and groups. Any user or group that cannot be validated is not added to the application, and a warning message is saved in the log file. If you do not select the validate option, all users and groups are added, whether or not they are valid Microsoft Windows users and groups. Hyperion Financial Management attempts to validate users and groups when they try to access an application.
- Extracting Security You can extract security information to a file. You select a delimiter for the file and the security elements that you want to include.