Monday, August 10, 2009

Hyperion Roles

Shared Services Roles

All Shared Services roles are power roles. Typically, these roles are granted to power users who are involved in administering Shared Services and other Hyperion products.

  1. Administrator: Provides control over all products that integrate with Shared Services. It enables more control over security than any other Hyperion product roles and should therefore be assigned sparingly. Administrators can perform all administrative tasks in User Management Console and can provision themselves. This role grants broad access to all applications registered with Shared Services. The Administrator role is, by default, assigned to the admin Native Directory user, which is the only user available after you deploy Shared Services.
  2. Directory Manager: Creates and manages users and groups within Native Directory.
    Do not assign the Provisioning Manager role to Directory Managers, because combining these roles allows Directory Managers to provision themselves. The recommended practice is to grant one user the Directory Manager role and another user the Provisioning Manager role.
  3. LCM Manager: Runs the Artifact Life-Cycle Management utility to promote artifacts or data across product environments and operating systems.
  4. Project Manager: Creates and manages projects within Shared Services.
  5. Create Integrations: Creates Shared Services data integrations (the process of moving data between applications) using a wizard. For Oracle's Enterprise Performance Management Architect, creates and executes data synchronizations.
  6. Run Integrations: Views and runs Shared Services data integrations.
    For Performance Management Architect, executes data synchronizations.
  7. Dimension Editor: Creates and manages import profiles for dimension creation. Also creates and manages dimensions manually within the Performance Management Architect user interface or the Classic Application Administration option.
    Required to access Classic Application Administration options for Financial Management and Planning using Web navigation.
  8. Application Creator: Creates and deploys Performance Management Architect applications. Users with this role can create applications, but can change only the dimensions to which they have access permissions.
    Required, in addition to the Dimension Editor role, for Financial Management and Planning users to be able to navigate to their product’s Classic Application Administration options. When a user with the Application Creator role deploys an application from Performance Management Architect, that user automatically becomes the application administrator and provisioning manager for that application.

The Application Creator can create all applications.

  1. Analytic Services Application Creator: The Analytic Services Application Creator can create Generic Performance Management Architect applications.
  2. Financial Management Application Creator: The Financial Management Application Creator can create Consolidation applications and Performance Management Architect Generic applications. To create applications, the user must also be a member of the Application Creators group specified in Financial Management Configuration Utility.
  3. Planning Application Creator: The Planning Application Creator can create Planning applications and Performance Management Architect Generic applications.
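
The warning above about combining Directory Manager with Provisioning Manager can be checked mechanically. The script below is an added example, not Oracle or Shared Services code: it runs over a constructed set of users, groups and role assignments, and it assumes that roles provisioned to a group are inherited by its members, including through nested groups.

```python
# Added example. All users, groups and assignments below are constructed.
TOXIC_COMBOS = [frozenset({"Directory Manager", "Provisioning Manager"})]
REVIEW_ROLES = {"Administrator"}  # the page says to assign this sparingly

USERS = ["admin", "jsmith", "mlee", "akhan"]
DIRECT_ROLES = {
    "admin": {"Administrator"},
    "jsmith": {"Directory Manager"},
    "mlee": {"Provisioning Manager"},
    "akhan": {"Directory Manager"},
}
# principal -> groups it belongs to (the sample includes a nesting cycle)
MEMBER_OF = {"akhan": {"HelpDesk"}, "HelpDesk": {"AppOps"}, "AppOps": {"HelpDesk"}}
GROUP_ROLES = {"AppOps": {"Provisioning Manager"}}


def effective_roles(user, direct, member_of, group_roles):
    """Roles held directly plus those inherited through (nested) groups."""
    roles = set(direct.get(user, ()))
    seen, stack = set(), list(member_of.get(user, ()))
    while stack:
        group = stack.pop()
        if group in seen:  # tolerate cyclic nesting in the input
            continue
        seen.add(group)
        roles |= group_roles.get(group, set())
        stack.extend(member_of.get(group, ()))
    return roles


def audit(users, direct, member_of, group_roles):
    """Return {user: [finding, ...]} for users who need review."""
    findings = {}
    for user in users:
        roles = effective_roles(user, direct, member_of, group_roles)
        issues = [
            "can self-provision: " + " + ".join(sorted(combo))
            for combo in TOXIC_COMBOS if combo <= roles
        ]
        issues += ["holds power role: " + r for r in sorted(roles & REVIEW_ROLES)]
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(USERS, DIRECT_ROLES, MEMBER_OF, GROUP_ROLES).items():
        print(user, "->", "; ".join(issues))
```

In the sample data akhan holds Directory Manager directly and picks up Provisioning Manager only through nested group membership, which a review of direct assignments alone would miss.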

Essbase Roles

Power Roles

1. Administrator: Grants full access to administer the server, applications and databases.
2. Application Manager: Creates, deletes and modifies databases and application settings within the assigned application. Includes Database Manager permissions for the databases within the assigned application.
3. Create/Delete Application: Creates and deletes applications and databases within applications. Includes Manager permissions for the applications and databases created by this user.
4. Database Manager: Manages the databases, database objects, locks and sessions within the assigned application.
5. Load/Unload Application: Starts and stops an application or databases.

Interactive Roles

1. Calc: Calculates, updates and reads data values based on the assigned scope, using any assigned calculations and filter.

2. Write: Updates and reads data values based on the assigned scope, using any assigned filter.

3. Filter: Accesses specific data and metadata according to the restrictions of a filter.

View Roles

· Read: Reads data values.
· Server Access: Accesses any database that has a default access other than none.


Planning Roles

Power Roles

  1. Administrator: Performs all application tasks except those reserved for the application owner and Mass Allocate role. Creates and manages applications, manages access permissions, initiates the budget process, designates the email server for notifications.
  2. Application Owner: Reassigns application ownership.
  3. Mass Allocate: Accesses the Mass Allocate feature to spread data multi-dimensionally down a hierarchy, even to cells not visible in the data form and to which the user does not have access. Any user type can be assigned this role, but it should be assigned sparingly.
  4. Analytic Services Write Access (for planners and interactive users): Grants users the same access permissions they have in Planning to Planning data in Essbase. Enables users who have write access to change Planning data directly in Essbase using another product such as Financial Reporting or a third-party tool.

Interactive Roles

  1. Interactive User: Creates and maintains data forms, Smart View worksheets, business rules, task lists, Financial Reporting reports, and Oracle's Hyperion® Application Link adapter processes and flow diagrams. Manages the budget process. Can perform all Planner tasks. Interactive users are typically department heads and business unit managers.

Planner Roles

  1. Planner: Enters and submits plans for approval, runs business rules and Oracle's Hyperion® Application Link flow diagrams. Uses reports that others have created, views and uses task lists, enables e-mail notification for themselves, creates data using Smart View.

View Roles

  1. View User: Views and analyzes data through Planning data forms and any data access tools for which they are licensed (for example, Financial Reporting, Web Analysis, Smart View). Typical View users are executives who want to see business plans during and at the end of the budget process.

Wednesday, August 5, 2009

Planning Security Access Levels

Access Permissions in Hyperion Planning
Shared Services roles set access permissions for managing projects, applications, dimensions, users, and groups.

Planning Elements That Can Be Assigned Access

You can assign access permissions to:
● Scenario members
● Version members
● Account members
● Entity members
● User-defined custom dimension members
● Data forms
● Task lists
● Business rules

For example, users must have these Shared Services roles to perform the specified tasks:

Project Manager: Creates and manages projects in Shared Services.
Provisioning Manager: Provisions users and groups to applications.
Dimension Editor: Required for Performance Management Architect and Classic applications. For Performance Management Architect, allows access to application administration options for Planning. For Classic, allows access to the Classic Application Administration options for Planning (in combination with the Planning Application Creator role).
Planning Application Creator: Required for Performance Management Architect and Classic applications. For Performance Management Architect, allows users to create Planning applications and Performance Management Architect Generic applications. For Classic, allows access to the Classic Application Administration options for Planning (in combination with the Dimension Editor role).
User-defined dimensions. Assign access permissions to members by selecting the dimension property Apply Security. If you omit setting Apply Security, all users can access the dimension's members. By default, the Account, Entity, Scenario, and Version dimensions are enabled for access permissions.
Users and groups, which can vary among applications. Assign access to Planning application elements by using Assign Access.

Note: After updating access permissions, refresh the application to update Essbase security filters.

Types of Access Permissions

Access permissions for the specified user or group to the dimension member, data form, or task list include:
● Read—Allows view access
● Write—Allows view and modify access
● None—Prohibits access; the default access is None

You can specify access permission for individual users and each group. When you assign a user to a group, that user acquires the group's access permissions. If an individual's access permissions conflict with those of a group the user belongs to, user access permissions take precedence.
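
The precedence described above (a user's own assignment wins over a group's, and None is the default) is what separates assigned access from effective access. The resolver below is an added example, not Planning code: it works on constructed users, groups and members. The page states no rule for groups that disagree with each other, so the example assumes the most permissive group grant as the worst case for review.

```python
# Added example. Names and assignments are constructed sample data.
RANK = {"None": 0, "Read": 1, "Write": 2}

GROUPS = {"Planners": {"emily", "raj"}, "Viewers": {"emily", "chen"}}
# (member, principal) -> access; a principal is a user or a group name.
ASSIGNED = {
    ("Salaries", "Planners"): "Write",
    ("Salaries", "Viewers"): "Read",
    ("Salaries", "raj"): "None",    # user entry is stricter than the group
    ("Salaries", "chen"): "Write",  # user entry exceeds the group
}
APPLY_SECURITY = {"Account": True, "Product": False}
DIMENSION_OF = {"Salaries": "Account", "Widgets": "Product"}


def effective_access(user, member):
    """Return (access, source) for one user on one dimension member."""
    if not APPLY_SECURITY.get(DIMENSION_OF[member], False):
        return "Unrestricted", "Apply Security not selected"
    if (member, user) in ASSIGNED:  # user-level entry takes precedence
        return ASSIGNED[(member, user)], "user"
    via_groups = {
        g: ASSIGNED[(member, g)]
        for g, users in GROUPS.items()
        if user in users and (member, g) in ASSIGNED
    }
    if not via_groups:
        return "None", "default"
    # Assumption: groups that disagree resolve to the most permissive grant.
    group = max(sorted(via_groups), key=lambda g: RANK[via_groups[g]])
    return via_groups[group], "group " + group


def overrides(member):
    """Users whose own assignment grants more than any of their groups."""
    out = []
    for (m, p), access in sorted(ASSIGNED.items()):
        if m != member or p in GROUPS:
            continue
        best = max((RANK[a] for (m2, g), a in ASSIGNED.items()
                    if m2 == member and g in GROUPS and p in GROUPS[g]), default=0)
        if RANK[access] > best:
            out.append(p)
    return out


if __name__ == "__main__":
    for user in ("emily", "raj", "chen", "dana"):
        print(user, effective_access(user, "Salaries"))
    print("user-level grants above group level:", overrides("Salaries"))
```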


➤ To enable access permissions for dimensions:
1 Select Administration > Dimensions.
2 For Dimension, select the dimension to change.
3 Click Edit.
4 In Dimension Properties, select Apply Security to allow access permissions to be set on its members. If you do not select this option, there is no security on the dimension, and users can access its members without restriction.
5 Click Save.
Click Refresh to revert to the previous values.


➤ To assign access to members:
1 Select Administration > Dimensions.
2 For Dimension, select the dimension to assign access to its members.
3 Select the member for which to assign access.
4 Click Assign Access.
5 Add, change, or remove access.


➤ To assign access permissions to members:
1 Select Administration > Dimensions.
2 For Dimension, select the dimension for whose member you want to add access.
3 Click Assign Access.
4 Click Add Access.
5 Optional: To migrate a user or group's changed identity or their position in the user directory from User Management Console to Planning, click Migrate Identities.
6 Optional: To remove deprovisioned or deleted users or groups from the Planning database to conserve space, click Remove Non-provisioned Users/Groups.
7 For Users and Groups on Add Access, select the users and groups to access the selected member.
8 For the selected member, select the access type.
9 Optional: Select a relationship.
For example, select Children to assign access to the children of the selected member.
10 Click Add.
11 Click Close.


➤ To modify access permissions for members:
1 Select Administration > Dimensions.
2 For Dimension, select the dimension for whose member you want to edit access.
3 Click Assign Access.
4 Optional: To migrate a user or group's changed identity or their position in the user directory from User Management Console to Planning, click Migrate Identities.
5 Optional: To remove deprovisioned or deleted users or groups from the Planning database to conserve space, click Remove Non-provisioned Users/Groups.
6 Click Edit Access.
7 For the selected member on Edit Access, select the access type for the displayed users or groups.
8 Optional: Select a relationship.
For example, select Children to assign access to children of the selected member.
9 Click Set.
10 Click Close.


➤ To remove access permissions for members:
1 Select Administration > Dimensions.
2 For Dimension, select the dimension for whose member you want to remove access.
3 Click Assign Access.
4 Select the users and groups for whom to remove access to the selected member.
5 Click Remove Access.
6 Click OK.
7 Click Close.


➤ To report on current access permissions for users and groups in Planning:

1 In the User Management Console, select a Planning application under Projects. Select Administration > Access Control Report.
2 On Select User or Group, select options:
● Available Users
● Available Groups
● Available Users and Groups
3 From the left Available panel, select and move users or groups to report on to the Selected panel:
● To move selections, click .
● To remove selections, click .
● To move all users or groups, click .
● To remove all users and groups, click .
If you enter a user or group name instead of browsing to it, you must enter the full name. For names with commas, enclose the name in quotation marks (for example, “Hennings, Emily”).
4 Click Next.
Select Objects is displayed.


➤ To select reporting objects:
1 Start the Access Control Report.
2 On Select Objects, select the Planning objects on which to report:
● To move selections to Selected Objects, click .
● To remove selections, click .
● To move all objects, click .
● To remove all objects, click .
3 Click Next.
Report Options is displayed.


➤ To specify options for access reports:
1 Start the Access Control Report.
2 On Report Options, for Show Matching Access of Type, select the access to view: Read, Write, or None.
3 For Group the Results By, select how to view the report: Users or Objects.
4 From the Report Type sections, select Assigned Access or Effective Access.
5 Click Finish.
Adobe Acrobat launches, displaying the report online.


Setting Up Access Permissions in Financial Reporting
Financial Reporting supports these access permissions:
● User authentication
❍ Logon access permissions
❍ Access to Financial Reporting and data source
● Application permissions
❍ Access to tasks within Financial Reporting
❍ Permissions to design or view reports
● Data Rights
❍ Access to data source data such as members and values
❍ Access to Financial Reporting objects such as reports and folders Setting

Tuesday, August 4, 2009

Hyperion LOGS

Shared Services Log Files




  1. SharedServices_Security.log: Security-related error messages concerning users, groups, roles, and provisioning operations.
  2. SharedServices_Admin.log: Messages related to the User Management Console and any messages reported during Shared Services runtime.
  3. SharedServices_Metadata.log: Metadata management and registration-related errors and messages.
  4. SharedServices_Taskflow.log: Taskflow-related errors and messages from Common Event Services.
  5. SharedServices_Taskflow_CMDExecute.log: Taskflow scheduling errors and messages from Common Event Services.
  6. SharedServices_Taskflow_Optimize.log: Taskflow optimization errors and messages from Common Event Services.
  7. SharedServices_SyncOpenLDAP.log: Messages from the synchronization of Native Directory with the Shared Services database.
  8. SharedServices_Memory_Profiler.log: Messages related to memory usage by the Common Administrative Service.
  9. SharedServices_Security_Client.log: Product-specific messages and errors generated by Hyperion products.

SharedServices_Security_Client.log is located in the Temp directory of the product using the external authentication client. The location of the Temp directory varies, based on the application server and platform.
All Shared Services log files are located in \logs\SharedServices9.



Essbase Logs



This topic describes the logs that Essbase Server creates to record information about server, application, and database activities.



Essbase Server records its activities in the Essbase Server log and in application logs. The Essbase Server log is a text file in the ARBORPATH directory named essbase.log. In a standard installation, for example, the Essbase Server log is:

hyperion\AnalyticServices\essbase.log.

Each application on Essbase Server has its own application log. An application log is a text file in the ARBORPATH\app\application_name directory named application_name.log.

For the Sample Basic database, for example, the application log is:

hyperion\AnalyticServices\app\sample\sample.log

By default, application_name.log and Essbase.log record this information:




  1. Information messages
  2. Warning messages
  3. Error messages

Use essbase.cfg settings to specify the message types written to application_name.log and Essbase.log.

See the attached file below for detailed information about Essbase/Planning/BR logs.