User Security Essentials for EPM Planning Cloud: 4 Simple Steps

Published September 27 2019 by Vatsal Gaonkar
Back to insights

While working with clients – both current and prospective – we observe that User Security setup in EPM Planning Cloud is either not completely understood due to a lack of cohesive documentation or, more plainly, there are reservations about the security setup that prevent larger enterprises from going to EPM Planning Cloud.

As a leading digital transformation player in the marketplace, Alithya recognizes that the key digital transformation taking place today is adapting user security to the Cloud.  This blog, therefore, outlines a cohesive approach to setting up User Security in EPM Planning Cloud.

Adding User Security in EPM Planning Cloud is essentially a 4-step process that is repeatable and works efficiently. This document lays both the process and technology involved in adding user security to the Sample Oracle EPM Planning Cloud application Vision. This application can be enabled with a subscription to EPM Planning Cloud.EPM Planning Cloud User Security Esstentials Image 1 .jpg

Step 1 

Step 1 is to add a new user to the cloud domain. New users are added either as native users or Active Directory users if the LDAP directory has been configured via SAML 2.0 protocol to integrate with the Cloud Domain.

Step 1 Pic 1In either case, adding users is a required step. Users can be added manually or through a batch upload regardless of the user configuration (e.g. native user or Single Sign On (SSO) enabled user). The batch import of users allows the addition of all users simultaneously using a .CSV file.

Step 1 Pic 2

The image below identifies the content needed in the CSV file to import a user batch successfully.

Step 1 Pic 3

Step 2 

Once users have been imported into Oracle Cloud, it is time to assign them a pre-defined role by environments or instances in the domain.

Step 2 Pic 2.png

A .CSV file that lists all emails for the users is created for a specified role.  An email is needed for all users added.

Step 2 Pic 1

The predefined roles can then be assigned using ‘Batch Assign Role.’ The idea is to take all the users in the .CSV file and assign them a pre-defined role all at once.

Step 2 Pic 3.png

Step 3 

In most cases, the predefined roles are not enough of a grouping to assign access to Planning Cloud application artifacts such as dimensions, data forms, calculation manager rules, etc. ‘Access Control’ allows the creation of native groups that can further be used to group users and/or pre-defined groups to provide a more streamlined group access to existing Planning artifacts. The sample Vision application shows how native groups have been created to group existing users and/ or predefined groups.

Step 3 Pic 1.png

The native group assignment can also be handled in a batch/automated mode by importing a .CSV file. The screenshot below demonstrates how a predefined group has been assigned to a native group – ‘Super User’ – in order to streamline access to Cards in navigation flow for administrators (e.g. certain Cards in the navigation flow will only be visible to Service Administrators which is a predefined role).

Step 3 Pic 2

Step 4 

Once users are added and groups are configured, it’s time to assign access to Planning artifacts. There is an automated/batch mode way of making this assignment at a Planning artifact level, but it involves using EPM Automate (to export security) and Planning REST API (to import security). The ‘exportAppSecurity’ command in the EPM Automate utility can provide a .CSV file with Planning artifact access assignments.

Step 4 Pic 1.png

The exported access assignments file ‘VisionPlanningArtifactsSecurity.csv’ will be found in the Planning Inbox/Outbox folder.

Step 4 Pic 2Step 4 Pic 3

Open the .CSV file to view the artifacts access assignment listing it provides. This file can either be updated or a brand-new file can be created using the template. Every record in the file is read in a ‘merge’ manner to assign access.  

The .CSV file provides a template that can be utilized to update Planning artifacts access. The Oracle documentation link below provides the elements that need to be populated in the .CSV file before importing. This link also documents the REST API call and its parameters needed to import the file.

Below is a screenshot showing the group ‘Interactive User’ security assignment to the ‘Actual’ member in the ‘Scenario’ dimension of the Vision sample application.

Step 4 Pic 4.png

As an exercise, let’s add the same access as the ‘Interactive User’ native group to ‘Super User’ group. The security assignment can be updated in the downloaded template from the Cloud or by creating a new .CSV file that adheres to the template. The mode of this file import is based on the parameters of the REST API command.

*It is important to note that the import of security for Planning artifacts can also be executed using EPM Automate. ARC is being used to highlight the REST API programming possibility. REST API programming provides better logging for any of the EPM Automate command counterparts. EPM Automate is a more user-friendly command interface which, in turn, is wrapping REST API calls in the background to send to EPM Cloud.

In our example, we’ll merge into existing Planning artifacts security in EPM Planning Cloud.

Step 4 Pic 5

This newly created file needs to be uploaded to the Inbox/Outbox folder.

Step 4 Pic 6.png

A REST API client such as Advance REST Client (ARC) can be used to make the REST API call to import security. The POST command with required parameters is used to update security.

Step 4 Pic 7.png

The screenshot below shows that the security assignment was updated, and the ‘Actual’ member has native group ‘Super User’ assigned with ‘Read’ access, just like the ‘Interactive User’ group.

Step 4 Pic 8.png

These are some considerations to keep in mind for the above 4-step process of adding User Security in EPM Planning Cloud:

  • Identity Domain Administrator access needed to add Users in Step 1
  • Service Administrator access can control the remaining Steps 2 – 4
  • A .CSV file needs to be created appropriately and conform to the template; at all points, an export of the file will provide the template
  • EPM Automate and REST API require a high level of understanding
For comments, questions, or suggestions for future topics, please reach out to us at  Visit our blog regularly for new posts about Cloud updates and other Oracle Cloud Services such as Planning and Budgeting, Financial Consolidation, Account Reconciliation, and Enterprise Data Management.  Follow Alithya on social media for the latest information about EPM, ERP, and Analytics solutions to meet your business needs.
Contact us