User Security Essentials for EPM Planning Cloud: 4 Simple Steps
While working with clients – both current and prospective – we observe that either User Security setup in EPM Planning Cloud is not completely understood due to a lack of cohesive documentation or, more plainly, there are reservations about the security setup that prevent larger enterprises from going to EPM Planning Cloud.
As a leading digital transformation player in the marketplace, Alithya recognizes that the key digital transformation taking place today is adapting user security to the Cloud. This blog, therefore, outlines a cohesive approach to setting up User Security in EPM Planning Cloud.
Adding User Security in EPM Planning Cloud is essentially a 4-step process that is repeatable and works efficiently. This document lays out both the process and the technology involved in adding user security to the sample Oracle EPM Planning Cloud application, Vision. This application can be enabled with a subscription to EPM Planning Cloud.
Step 1 is to add a new user to the cloud domain. New users are added either as native users or Active Directory users if the LDAP directory has been configured via SAML 2.0 protocol to integrate with the Cloud Domain.
In either case, adding users is a required step. Users can be added manually or through a batch upload regardless of the user configuration (e.g. native user or Single Sign On (SSO) enabled user). The batch import of users allows the addition of all users simultaneously using a .CSV file.
The image below identifies the content needed in the CSV file to import a user batch successfully.
Once users have been imported into Oracle Cloud, it is time to assign them a pre-defined role by environments or instances in the domain.
A .CSV file that lists all emails for the users is created for a specified role. An email is needed for all users added.
The predefined roles can then be assigned using ‘Batch Assign Role.’ The idea is to take all the users in the .CSV file and assign them a pre-defined role all at once.
In most cases, the predefined roles are not enough of a grouping to assign access to Planning Cloud application artifacts such as dimensions, data forms, calculation manager rules, etc. ‘Access Control’ allows the creation of native groups that can further be used to group users and/or pre-defined groups to provide a more streamlined group access to existing Planning artifacts. The sample Vision application shows how native groups have been created to group existing users and/or predefined groups.
The native group assignment can also be handled in a batch/automated mode by importing a .CSV file. The screenshot below demonstrates how a predefined group has been assigned to a native group – ‘Super User’ – in order to streamline access to Cards in navigation flow for administrators (e.g. certain Cards in the navigation flow will only be visible to Service Administrators which is a predefined role).
Once users are added and groups are configured, it’s time to assign access to Planning artifacts. There is an automated/batch mode way of making this assignment at a Planning artifact level, but it involves using EPM Automate (to export security) and Planning REST API (to import security). The ‘exportAppSecurity’ command in the EPM Automate utility can provide a .CSV file with Planning artifact access assignments.
The exported access assignments file ‘VisionPlanningArtifactsSecurity.csv’ will be found in the Planning Inbox/Outbox folder.
Open the .CSV file to view the artifacts access assignment listing it provides. This file can either be updated or a brand-new file can be created using the template. Every record in the file is read in a ‘merge’ manner to assign access.
The .CSV file provides a template that can be utilized to update Planning artifacts access. The Oracle documentation link below provides the elements that need to be populated in the .CSV file before importing. This link also documents the REST API call and its parameters needed to import the file.
Below is a screenshot showing the group ‘Interactive User’ security assignment to the ‘Actual’ member in the ‘Scenario’ dimension of the Vision sample application.
As an exercise, let’s add the same access as the ‘Interactive User’ native group to ‘Super User’ group. The security assignment can be updated in the downloaded template from the Cloud or by creating a new .CSV file that adheres to the template. The mode of this file import is based on the parameters of the REST API command.
*It is important to note that the import of security for Planning artifacts can also be executed using EPM Automate. Advanced REST Client (ARC) is used here to highlight the REST API programming possibility. REST API programming provides better logging for any of the EPM Automate command counterparts. EPM Automate is a more user-friendly command interface which, in turn, wraps REST API calls in the background to send to EPM Cloud.
In our example, we’ll merge into existing Planning artifacts security in EPM Planning Cloud.
This newly created file needs to be uploaded to the Inbox/Outbox folder.
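The exercise above, as an added example that is not part of the original post or Oracle's tooling: it builds the merge file that gives ‘Super User’ the same access as ‘Interactive User’, and reports artifacts where ‘Super User’ already holds a different access level instead of overwriting them. The column names and the sample rows are assumptions constructed for illustration; take the real header from your own export.

```python
import csv
import io

# Constructed sample of an exported access file. Column names and values are
# assumptions for illustration; use the header row of your own export.
SAMPLE_EXPORT = """\
Object Name,Name,Parent,Is User,Object Type,Access Type,Access Mode,Remove
Actual,Interactive User,Scenario,N,SL_DIMENSION,READ,MEMBER,N
Plan,Interactive User,Scenario,N,SL_DIMENSION,READWRITE,MEMBER,N
Forecast,Interactive User,Scenario,N,SL_DIMENSION,READ,MEMBER,N
Plan,Super User,Scenario,N,SL_DIMENSION,READ,MEMBER,N
Forecast,Super User,Scenario,N,SL_DIMENSION,READ,MEMBER,N
"""

def artifact_key(row):
    """Columns assumed to identify one Planning artifact."""
    return (row["Object Name"], row["Parent"], row["Object Type"])

def clone_group_access(export_text, source, target):
    """Return (fieldnames, rows_to_import, conflicts) for copying source's access to target."""
    reader = csv.DictReader(io.StringIO(export_text))
    rows = list(reader)
    existing = {artifact_key(r): r["Access Type"] for r in rows if r["Name"] == target}
    to_import, conflicts = [], []
    for r in rows:
        if r["Name"] != source:
            continue
        current = existing.get(artifact_key(r))
        if current == r["Access Type"]:
            continue  # target already has this access; nothing to merge
        if current is not None:
            # Target holds a different access level: report it, do not overwrite.
            conflicts.append((artifact_key(r), current, r["Access Type"]))
            continue
        to_import.append({**r, "Name": target})
    return reader.fieldnames, to_import, conflicts

def to_csv(fieldnames, rows):
    """Serialize only the new rows, keeping the exported header order."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    fields, new_rows, conflicts = clone_group_access(SAMPLE_EXPORT, "Interactive User", "Super User")
    print(to_csv(fields, new_rows), end="")
    for key, have, want in conflicts:
        print(f"REVIEW {key}: Super User has {have}, Interactive User has {want}")
```

Because the merge file contains only the new rows, it doubles as the change record a reviewer can approve before the import is run.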
A REST API client such as Advanced REST Client (ARC) can be used to make the REST API call to import security. The POST command with required parameters is used to update security.
The screenshot below shows that the security assignment was updated, and the ‘Actual’ member has native group ‘Super User’ assigned with ‘Read’ access, just like the ‘Interactive User’ group.
These are some considerations to keep in mind for the above 4-step process of adding User Security in EPM Planning Cloud:
- Identity Domain Administrator access is needed to add Users in Step 1
- Service Administrator access can control the remaining Steps 2 – 4
- A .CSV file needs to be created appropriately and conform to the template; at all points, an export of the file will provide the template
- EPM Automate and REST API require a high level of understanding