Oracle Enterprise Cloud Planning Tech Tip – SmartPush Security Override Hack

Published March 30 2021
Back to insights

Sometimes it’s necessary for planners to override security while pushing data between plan types. For instance, an intercompany transfer that is pushing source materials and dollars to a target to which the user does not have access. The user would like to push data for all the scenarios on the data form, but the user only has access to a subset of scenarios because they are not an admin. To overcome this security governancethe underlying data map needs to be run as an admin. We’ve discovered a hack for this situation—SmartPush Security Override Hack. 

What is a SmartPush? 

A data form or a Smart View template of a data form can push data from source to target plan types using a Data Map in the Enterprise Performance Management (EPM) cloud planning application. SmartPush allows you to use the underlying Data Map and push a defined scope from the data form. It could simply mean pushing changed intersections, everything, or any overrides that are defined in the SmartPush definition of the form.  

There are SmartPush requirements across industries, or in implementations where the data being pushed from the source to the target is between separate intersections. In this case, the user might not have access to the target to which they wish to push data.  

Use Case  

Let’s use the higher education sector as an example. In higher education implementations, we see a need for a labor cost distribution model where an employee has a domicile department but is distributed to other departments. For this use case, we will label the domicile the home department and the distribution department the GL department. A user in the home department needs to allocate its employee to other GL departments. The department allocation can be carried out using a smart list dropdown on the form. That smart list is using flex dimensions, which is a smart list created from a dimension.   

In the screenshot above, you see a smart list created from the Entity dimension. Users in the home department of 100-30000 only have access to their own department. This can be confirmed by the dropdown of the smart list, which will only show the smart list ID of the member that the user has access to, in this case, 100-30000. A simple right-click business rule can be written to override this kind of smart list assignment. However, the issue arises when the user wants to change other data in the form and hit the save button, which invokes the SmartPush to push data from 100-30000 to a department the user doesn’t have access to the GL department, 080-23000. How do we circumvent this security because the user does not have access to 080-23000? Simply put, the user needs to run this SmartPush or the underlying Data Map as a system administrator, thereby circumventing security governance from the application’s dimension security. I’ll explain the steps to hacking how a planner or a user in the system can run the underlying Data Map as an administrator. 

Hack How-to 

Step 1 

// Capture the employees whose info was edited from the data form - this is done by the user  
Set<String> employees = []  
operation.grid.dataCellIterator.each { DataCell cell -> if(cell.edited) {  
employees << cell.getMemberName("Employee")  
} }  
if(employees.size() == 0) {  
println("No edited cells found!")  
// if no employees are edited exit the rule  
return }  
//Convert the changed employee(s) to double quotes qualified and comma delimited members  
String employeesStr = """\"${employees.join('", "')}\""""  

Collect the intersections where the change is happening, using a groovy script that collects the intersection of the changing employeein the home department form. A simple data cell iterator method shown will give you the changed employees on the data form. If there are no changed employees, the rule will stop executing. If employees are changed, an employee string variable will be populated at the end of this step as shown above. 

Step 2 

// Json passed with run-time prompts for another rule  
HttpResponse<String> jsonResponse = operation.application.getConnection("RunLocalPlanningJobs").post() .header("Content-Type", "application/json")  
//employeeStr is passed as a string run-time prompt to the rule that will be invoked by admin  
.body(json(["jobType" : "RULES", "jobName" : “Business rule run as admin to invoke data map", "parameters":["ChangedEmployees":employeesStr]])).asString()  

As you can see in the script above, using a previously named EPM connection namely RunLocalPlanningJobs, we'll make a REST API invocation of another business rule. It’s business rule calling another business rule. The RunLocalPlanningJobs REST API connection is defined using an admin ID and password in Connections. So, when we call the rule it’s run as an administrator. The rule will be run only for changed employees which are passed on using the employee string variable that we created in Step 1. 

// The admin invoked rule runs a data map for the intersections that are sent by the user!  
if(operation.application.hasDataMap(“Underlying DataMap")) operation.application.getDataMap(“Underlying DataMap").execute(["Employee":rtps.ChangedEmployees.enteredValue], true)  

The result, as you can see above, is that the admin rule that is a groovy rule is run using REST API invocation and this rule accepts the employee string variable, thereby running the underlying data map only for changed employees.  

Try it for Yourself! 

What we accomplished in this hack is the ability for a planner to use REST API invocation to run a planning artifact, in this case, a Data Map, but as an admin.  


For comments, questions, or suggestions for future topics, please reach out to us at  Visit our blog regularly for new posts about Cloud updates and other Oracle Cloud Services such as Planning and Budgeting, Financial Consolidation, Account Reconciliation, and Enterprise Data Management.  Follow Alithya on social media for the latest information about EPM, ERP, and Analytics solutions to meet your business needs.