
EPM Performance Suite Profitability Administration & Security Guide



BusinessObjects™ XI R2 11.20


and sold by Business Objects: 5,555,403, 6,247,008 B1, 6,578,027 B2, 6,490,593 and 6,289,352.

Trademarks Business Objects, the Business Objects logo, Crystal Reports, and Crystal Enterprise are trademarks or registered trademarks of Business Objects SA or its affiliated companies in the United States and other countries. All other names mentioned herein may be trademarks of their respective owners.

Copyright Copyright © 2007 Business Objects. All rights reserved.

Third-party Contributors

Business Objects products in this release may contain redistributions of software licensed from third-party contributors. Some of these individual components may also be available under alternative licenses. A partial listing of third-party contributors that have requested or permitted acknowledgments, as well as required notices, can be found at:


Contents

Chapter 1 Administration in EPM ...3

1.1 Introduction ...4

Chapter 2 Application Security ...5

2.1 User Security Features ...6

2.2 Users & Groups ...6

2.2.1 System Administrator...6

2.2.2 System Defined User Groups...7

2.2.3 User Group Security Licenses...8

2.2.4 User Group Security Access Levels ...10

2.2.5 Creating a new Group...10

2.2.6 Creating and Maintaining Users ...10

2.2.7 User & Group Maintenance Information and Management ...15

2.3 User Model Access...17

2.4 Password Security...19

2.4.1 Strong Passwords...19

2.4.2 Password Expiry ...19

2.4.3 Configuring Login Failure Count...19

2.5 System Login Options...20

2.5.1 EPM Standard Security...20

2.5.2 Single Sign On...20

2.5.3 Web Security ...20

Chapter 3 Model Security...23

3.1 Model Security Features ...24

3.2 Group/Dimension Security ...24

3.3 Security Descriptors...25

3.3.1 Action Access Security Group...26

3.3.2 Field Access Security Group ...26

3.3.3 Dimension Access Security Group ...26

3.3.4 Report Task Access Security Group...27

3.4 Group / Descriptor Assignments ...27

3.4.1 Security Access Levels ...28

3.4.2 Security Access Interactions ...29

3.5 Books Security ...29

3.5.1 Books Action Access ...29

3.5.2 Home Pages/Default Books ...29

3.5.3 Book Security Assignment ...30

3.6 Security Export ...30

Chapter 4 Managing Models ...31

4.1 Model Administration ...32

4.2 Access to Model Administration ...32

4.3 Model Management functions ...34

4.3.1 New Model ...34


4.4.3 Enable/Disable Model ...36

4.4.4 Audit Model ...36

4.5 Partitioning ...36

Chapter 5 Language Capabilities ...37

5.1 Localization Issues ...37

5.2 Managing Data Aliases ...37

Chapter 6 EPM Monitor ...37

6.1 Monitoring Current Usage...37

6.2 User Details...37

6.3 Logging off a User ...37

6.4 License Details ...37

Appendix A Business Objects Information Resources...37

A1. Documentation and information services...37

A2. Documentation ...37

A3. Customer support, consulting and training ...37

A4. Useful addresses at a glance...37

Appendix B Security Descriptor Definitions ...37

B1. Action Access Security Group Definitions and Security Levels ...37

B2. Field Access Security Group Definitions...37

B3. Dimension Access Security Group...37

B4. Report Task Access Security Group ...37


Chapter 1 Administration in EPM

1.1 Introduction

EPM is a powerful financial modeling tool that uses the latest technology to make budgeting, forecasting and forward planning both responsive and simple to control. It is one of the main components in the Business Objects Enterprise Performance Management suite that has been assembled to provide for all aspects of strategic planning.

EPM has been designed to operate in a web environment with an international user community. These users require a diverse range of security privileges to the various financial models used by any company. Administrators are responsible for creating and maintaining this user security, for managing the financial models and for supporting the international language requirements within an organization. Security in EPM is broadly managed on two levels, one being application security for individual users which is applied across all models in the database, and the other being model security, in which case settings are specific for each model.

Other administrative functions within EPM include the management and maintenance of models, and setting options for viewing dimension items in alternate languages or codes through the use of aliases. Additionally, an administration utility is available on the EPM server for monitoring and controlling users connected to the EPM suite.

The functionality available to an Administrator is described in the following topics:

Application Security

Model Security

Managing Models

Language Capabilities

EPM Monitor

Chapter 2 Application Security

2.1 User Security Features

Security in EPM is assigned to users through User Groups. User Groups can be thought of as holding a collection of users with identical functions and security access levels. This section describes how to set up users within appropriate User Groups, together with their password and login requirements. The user security settings apply to all models across the system.

Tip: When setting up security in EPM it is useful to start from a User category point of view and create relevant User Groups rather than trying to tailor Groups around a specific user’s requirements. This will provide greater flexibility in the long term.

The following sections describe the procedures for setting up User Groups and Users, together with user access to applications and models via security settings, passwords and login options.

Users & Groups

User Model Access

Password Security

System Login Options

2.2 Users & Groups

User access to each model is controlled by User Group model specific security settings. Therefore when setting up security in EPM, it is useful to start by defining the access requirements at the User Group level.

There are five system defined user groups, and any number of additional groups may be created as required (see section 2.2.5). EPM is supplied with a default system administrator who is a member of every system defined group and has access to all models and settings.

Users and Groups are discussed in the areas detailed below.

System Administrator

System Defined User Groups

User Group Security Licenses

User Group Security Access Levels

Creating a new Group

Creating and Maintaining Users

User & Group Maintenance Information and Management

2.2.1 System Administrator

EPM is supplied with a default Administrator user when first installed. This Administrator user is a super user that always has full access rights to all system facilities and models. For greater security, this system-defined user should be renamed and the default password changed.


2.2.2 System Defined User Groups

Five system-defined User Groups exist in EPM. These are system generated on installation and are used to define basic user types and thereby automatically allow or restrict access to different forms of the EPM application. These system-defined User Groups are distinguishable from user defined groups by their uppercase lettering with accompanying icons.

Tip: It is useful to think of these system-defined User Groups in terms of attaching basic user functionality and to create additional User Groups (see 2.2.5) to allocate more specific User security access levels (see 2.2.4).

Every new user automatically belongs to the Everyone group, and will need to be made a member of another group to gain access to an EPM application.

Each of the system-defined groups is discussed below:

• Everyone

• Administrators

• Modelbuilders

• Bookbuilders

• Endusers

2.2.2.1 Everyone

All users must belong to this group. The Everyone group defines a basic level of access to different functions, values and general dimension attributes in EPM. Access levels are cumulative for any other groups to which a user belongs, so the Everyone access levels should be left at a basic level while additional groups should be used for defining higher access levels.

2.2.2.2 Administrators

An administrator can:

• Create and manage models

• Create and manage users and groups

• Create security descriptors and allocate security options

• Create and unlock Books

• Create Item Properties

• Create Aliases

• View Model Security and Security Alerts

• Perform all other actions and edit all items within EPM, dependent on which license type is inherited through additional group membership. This restricts access according to the principles outlined for each user group below. Membership of the Modelbuilders, Bookbuilders or Enduser group gives access to the corresponding Model Building application, Book Building application or Enduser interface respectively.

See the corresponding section for more information on each of these role types.

Modelbuilders

Bookbuilders


2.2.2.3 Modelbuilders

Model Builders primarily have access to the Model Builder application. A member of Modelbuilders inherits a Model builder license and Enduser functionality. This allows potential access to almost all components of EPM. A Model Builder, given the correct access can potentially:

• Manage Models

• Import and Export data

• Edit Dimensions items

• Perform Dimension assignments

• Build and save Grid layouts

• Create and edit Books

• Perform Driver Analysis

• Access Books over the web

Note: “Model Builders” cannot access the Book Builder application as their license is not suitable for this form of EPM (see 2.2.3.1 for more information).

2.2.2.4 Bookbuilders

Membership of the Book Builder group gives users access to the Book Builder application. A member of Bookbuilders inherits a Book Builder license and an Enduser license. This allows potential access to a more targeted set of functions which are useful to users who build books.

A Book Builder can potentially:

• Build and export layouts in the View Builder

• Create and edit Books

• Access Books over the web

Note: “Book Builders” cannot access the Model Builder application as their license is not suitable for this form of EPM (see 2.2.3.2 for more information).

2.2.2.5 Endusers

Membership of the Enduser group gives users access to published Books over the web or through the Book Viewer application. The books which are available to Endusers are specified by either an Administrator or Modelbuilder. Access can also be determined by membership of additional user defined User Groups. This ensures that Endusers can only see those Books, and the grids they contain, which are relevant to them.

An Enduser can:

• View information within Books in the form of grids, reports and charts.

• View and edit data

• Select which Data Alias to use for viewing information

• Select which currency monetary values are displayed in

• View Model alerts

Note: Endusers have no access rights to the EPM Win32 client (Book Builder or Model Builder applications). See 2.2.3.3 for more information on End User licenses.

2.2.3 User Group Security Licenses


access the relevant part of EPM. Access to these applications is determined using the system predefined User Groups.

System predefined User Groups have an additional purpose other than to physically restrict access to specific Security Descriptors. These User Groups are also linked to license types which are utilized in defining user roles at the base level. Such user roles are defined to a certain extent in terms of which particular form of EPM application you may access.

Licenses are inherited according to User Group membership with some User Groups inheriting more than one type of user license. These are detailed in each section below.

Model Builder Access

Book Builder Access

End User Access

Administrator Access

2.2.3.1 Model Builder Access

A member of Model Builders automatically inherits a license to access the Model Builder application including Books in addition to the web interface. See 2.2.2.3 for more information on Model Builders. (A Model Builder may be involved in creating Books as well as model structures and may therefore wish to preview Books over the web).

Note: A Model Builder cannot access the Book Builder application but is given access to all Book building functionality through the Model Builder application.

2.2.3.2 Book Builder Access

A member of Book Builders automatically inherits a license to access the Book Builder application in addition to a license to access the web interface. See 2.2.2.4 for more information on Book Builders. (A Book Builder may want to preview newly created Books over the web interface to ensure that they appear to an acceptable standard).

Note: A Book Builder cannot access the Model Builder application but instead is given access to the Book Builder application which contains all Book Building functions including the View Builder in addition to general EPM functions.

2.2.3.3 End User Access

A member of End Users only inherits a license permitting them to access the EPM web interface or Book Viewer application. See 2.2.2.5 for more information on End Users.

Note: An End User cannot access either the Model Builder or Book Builder EPM application due to their license restrictions. An End User can only log in and access EPM through a web enabled Book.

2.2.3.4 Administrator Access


2.2.4 User Group Security Access Levels

Security access for each user group is controlled by Security Descriptors and these are described in more detail in section 3.3 as part of Model Security. However, before defining your users and groups, it is important to understand how access levels for groups can be applied to suit your requirements. Individual users inherit the security levels assigned to each of the groups to which they belong for a specific model. Where a user belongs to more than one User Group they inherit a combination of the widest security permitted within all of the User Groups. For example, if the “Administrators” group has No Access to Maintaining Users and a “User Maintenance” group has Full Access, a user who is a member of both groups will attain Full Access to Maintaining users.

For licensing purposes, some tasks require users to be a member of one of the Administrators, ModelBuilders or BookBuilders groups in order to perform the operation. However, not every user needs to be permitted the access levels that are assigned to these predefined groups by default, if this is not required.

For example, the default access level to Create Model Security is Full Access for Model Builders. To allow users to open the Model Builder application but prevent them from creating new models, change Create Model Security access to No Access for Model Builders. Now you can have users that belong solely to the ModelBuilders group, who can open the Model Builder application without being able to create new models. Next, create another new User Group and assign it Full Access to Create Model Security. Thus, you can have other users belonging to both the ModelBuilders group and the newly created group, who can open the Model Builder application and also create new models.
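The combination rule in this section (a user's effective level for a descriptor is the widest level held by any of their groups) is worth modelling explicitly, because it means adding a user to a group can only ever widen access. The following is an added example, not code from EPM or Business Objects; the "Model Creators" and "User Maintenance" groups, the Read Only level and the sample users are constructed assumptions, and the only real descriptor levels used are the No Access and Full Access named in the guide.

```python
from enum import IntEnum
from typing import Dict, Set, Tuple

# Access levels in ascending order of privilege. No Access and Full Access are
# named in the guide; the intermediate Read Only level is an assumption made so
# that the ordering is visible.
class Access(IntEnum):
    NO_ACCESS = 0
    READ_ONLY = 1
    FULL_ACCESS = 2

# Security descriptor -> { group -> access level }. Constructed sample data that
# follows the worked example in 2.2.4: "Create Model" is lowered to No Access
# for Modelbuilders and granted to a hypothetical "Model Creators" group.
GROUP_DESCRIPTORS: Dict[str, Dict[str, Access]] = {
    "Create Model": {
        "Everyone": Access.NO_ACCESS,
        "Modelbuilders": Access.NO_ACCESS,       # lowered from the default Full Access
        "Model Creators": Access.FULL_ACCESS,    # hypothetical user-defined group
    },
    "Maintain Users": {
        "Everyone": Access.NO_ACCESS,
        "Administrators": Access.NO_ACCESS,
        "User Maintenance": Access.FULL_ACCESS,  # hypothetical user-defined group
    },
}

# User -> groups. Every user belongs to Everyone (2.2.2.1). Constructed sample users.
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"Everyone", "Modelbuilders"},
    "bob":   {"Everyone", "Modelbuilders", "Model Creators"},
    "carol": {"Everyone", "Administrators", "User Maintenance"},
}


def effective_access(user: str, descriptor: str,
                     descriptors: Dict[str, Dict[str, Access]] = GROUP_DESCRIPTORS,
                     memberships: Dict[str, Set[str]] = USER_GROUPS) -> Access:
    """Resolve a user's level for one descriptor: the widest (least restrictive)
    level held by any group the user belongs to. A group with no entry for the
    descriptor contributes No Access, so it can never lower the result."""
    levels = descriptors.get(descriptor, {})
    groups = memberships.get(user, set())
    return max((levels.get(g, Access.NO_ACCESS) for g in groups),
               default=Access.NO_ACCESS)


def widened_by_joining(user: str, new_group: str,
                       descriptors: Dict[str, Dict[str, Access]] = GROUP_DESCRIPTORS,
                       memberships: Dict[str, Set[str]] = USER_GROUPS
                       ) -> Dict[str, Tuple[Access, Access]]:
    """Pre-change review: every descriptor whose effective level would rise if
    `user` were added to `new_group`, as {descriptor: (before, after)}.
    Because levels combine by maximum, membership can only widen access."""
    trial = dict(memberships)
    trial[user] = memberships.get(user, set()) | {new_group}
    changes = {}
    for descriptor in descriptors:
        before = effective_access(user, descriptor, descriptors, memberships)
        after = effective_access(user, descriptor, descriptors, trial)
        if after > before:
            changes[descriptor] = (before, after)
    return changes


if __name__ == "__main__":
    for u in USER_GROUPS:
        print(u, "Create Model ->", effective_access(u, "Create Model").name)
    print("alice + Model Creators:", widened_by_joining("alice", "Model Creators"))
```

Running `widened_by_joining` before approving a group assignment turns the "widest access wins" rule into a reviewable diff: the only way to take a permission away from a user is to lower it in every group they belong to, which is why the guide advises keeping the Everyone group at a basic level.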

2.2.5 Creating a new Group

Groups are used to assign security access permissions. They allow you to define types of users with common access permissions to data and actions in EPM thus saving time when adding users with common requirements. Any number of groups can be defined.

To create a new Group, select Tools | Security | Users and Groups. Once in the User and Group Maintenance screen, hover the cursor in the Groups area and right click to bring up the Context Menu. Select Add New Group from the menu.

A default group name is inserted in an editable box, into which you should enter the name required for the new group.

There is no minimum limit on the number of characters in a Group name. A group name may contain spaces, mixed case letters, alphanumeric and non-alphanumeric characters.

Once you have entered a group name it will appear in the Groups list. You may then want to create new Users (see 2.2.6 for details) and assign them to existing User Groups (see 2.2.6.2 for details).

2.2.6 Creating and Maintaining Users


administration tasks for users such as assigning them to groups, enabling or disabling user accounts and resetting passwords. User Properties are maintained which hold individual user details and options for password protection. The Default Model Group option provides additional security as it allows a user group to be associated with an individual model builder that will subsequently control access for all users to models created by that individual.

Creating a New User

Assign User Groups

User’s Default Model Group

Password Reset

Password Properties

Account Enable / Disable

Tip: Password protection can be further configured to ensure the use of strong passwords and to cause passwords to expire at set intervals, by applying settings in System Properties (see section 2.4 for further information).

2.2.6.1 Creating a New User

Only members of the administrator group can access the security screens and create new users. To create a new User, select Tools | Security | Users and Groups. Once in the User and Group Maintenance screen, hover the cursor in the Users area and right click to bring up the context menu. Select Add from the menu. A default user name is inserted in an editable box.

Enter the required User name in this field. User names can contain spaces, mixed case letters, alphanumeric and non-alphanumeric characters. A user name must be at least 1 character and is not case sensitive.

Once a user is created the username will appear in the Users list. When a user is highlighted their user group assignments are displayed in the screen. By default a new user belongs to the group Everyone. Once a new user has been created a warning is displayed indicating that a random password is generated for that user.


Tip: Several user passwords can be reset simultaneously if the reset passwords are identical. To do this select the Users to be reset and right-click to bring up the Context Menu then reset the user passwords in the normal fashion.

If you have just created a new user they now need to be assigned to the desired User Groups (see 2.2.6.2), and the user’s Default Model Group may also be set as required (see 2.2.6.3). For details on creating a new User Group see 2.2.5.

2.2.6.2 Assign User Groups

Users must be assigned to Groups to inherit security settings and allow access to EPM. A user can be assigned to more than one Group in which case they will inherit the widest level of security access assigned to each of the security descriptors (i.e. least restricted).

To assign a user to a group, select Tools | Security | Users and Groups. In the User and Group Maintenance screen, users are assigned to groups by selecting the required users(s) and selecting the check box adjacent to the relevant group. Similarly User Groups are unassigned by clicking on a checked box so that it is cleared.

2.2.6.3 User’s Default Model Group

Default Model Group allows a user group to be associated with an individual model builder. This is located by selecting Default Model Group from the right click context menu on the Users window of the User and Group Maintenance screen (see 2.2.7).

The default setting for Default Model Group is Modelbuilders, which would give all members of the Modelbuilders group access to all new models. However, an individual user may be assigned to an alternative Default Model Group if required, and new models subsequently created by that user may only be accessed by users that are members of this group.


Access to models is therefore controlled by membership of the Default Model Group, rather than on the basis of being a Model Builder. This allows more than one Model Builder to work within a system without having access to all the models present. (Administrators can see all models by default.) The model security access will remain associated with a model, regardless of whether it is copied, and this may only be amended by an administrator.

Note that the act of allocating a default model group to a user does not automatically make this user a member of the group and they will need to be assigned to it manually (see section 2.2.6.2). The group access for a model can be seen on the Model Administration Security tab (see 2.3) and this screen can be used to change the access if required.

2.2.6.4 Password Reset

An administrator can reset user passwords at any point. Reset Password is located on the right click context menu on the Users window of the User and Group Maintenance screen (see 2.2.7). Multiple users can be reset at the same time, providing the password is to be the same across all users.

Note: The default Administrator password cannot be reset using this screen. This user password can only be reset by the ‘Administrator’ using the change password function in Tools | Change Password.

When a user’s password needs to be reset, this state is denoted by a symbol next to the user name. The most likely circumstances that would require a user’s password to be reset are:

• When users are first created (as a random password is set for new users)

• When users are imported into a database with a model, as user passwords cannot be exported from the original model.

• Alternatively a user may forget their password and need it to be reset without having been locked out of EPM. An administrator can in this case reset a user password using the procedure outlined above.

Passwords can contain spaces, mixed case letters, alphanumeric and non-alphanumeric characters and are case sensitive. The default minimum password length is 5 characters. Password properties such as minimum password length and keyboard combinations (strong passwords) are defined on the System Properties Security tab (see section 2.4).

After resetting the user’s password, the administrator can set the User Properties to force the user to change their password when they next login (see section 2.2.6.5).

2.2.6.5 Password Properties

The options on the User Properties General tab allow the administrator to set individual user password options. This tab is located by selecting Properties from the right click context menu on the Users window of the User and Group Maintenance screen (see 2.2.7).

The Security Identifier (SID) may be stored against a user in the EPO system as an alternative means of User access, instead of the Username and Password. The use of SIDs increases the security of SSO integration, as a SID is not easily identifiable with a specific user.

When a SID is used to log in, the Windows Client user interface and Web user interface will display the Username, rather than the SID.


The user properties window enables a number of password settings to be configured.

User must change password at next login forces the user to reset their password when first logging on to the system. It is required if the user is to be forced to change their password once it has been either set at creation time or reset at any other time.

User cannot change password should only be set if the Administrator intends to manage all user password changes or in conjunction with the Password never expires option.

Password never expires is the default setting when a new user is created. This should be left enabled if the password expiry security is not required.

Account is disabled provides the same functionality as the disable account function on the User context menu (see 2.2.6.6).

2.2.6.6 Account Enable / Disable

To enable an account simply select the user in the User panel of the User and Groups Maintenance screen (see 2.2.7). A disabled account is denoted by a red cross next to the user name. Right click to bring up the context menu. Select Enable Account(s) and the account will no longer appear to be locked out.

This function is useful when a user has disabled their account through too many unsuccessful login attempts. The number of unsuccessful logins allowed is held in System Properties (see 2.4.3). This value is normally set to 3 and a user account is automatically disabled after the fourth unsuccessful login attempt. Once this occurs the user must contact an Administrator to enable their account again in the Users and Groups screen.

Similarly a user’s account will become disabled if the user fails to change their password before the number of days set in the Password Expiry Interval (see 2.4.2).

Alternatively, a user account may be set to disabled if you want to deny them access (perhaps they no longer need to use the system). To do this, select the user name and bring up the context menu as above. Then select Disable Account(s) and the selected account will be disabled and appear with a red cross next to the user name.


2.2.7 User & Group Maintenance Information and Management

Users and Groups are created and maintained via the User and Group Maintenance screen. This is accessed by selecting Tools | Security | Users and Groups. By default the left-hand area contains the user names, the middle area contains User Groups and the right-hand area displays user information. The Users and Groups sections can be swapped using the context menu to allow an alternative focus displaying members according to Group membership. Information about a user is displayed when a user is selected in the Users area.

There are two main areas of additional features on the User & Group Maintenance screen. These are the information panel down the right-hand side and additional features on the Context Menu.

User & Group Maintenance Information Panel

User Context Menu

Group Context Menu

Users & Groups Sorting

2.2.7.1 User & Group Maintenance Information Panel


If multiple users are selected in the user screen their user information is displayed in order in the user information area.

This panel can be minimized by selecting the area between the two arrows in the cross bar dividing the areas. Similarly select the same area at the right hand side of the window to display the User information panel when it is minimized.

2.2.7.2 User Context Menu

The User Context Menu contains the main functions required to manage Users.

Add New User inserts a new User with an initial default name (see section 2.2.6.1 for more information).

Delete User(s) allows you to delete one or more selected Users in the panel.

Reset Password(s) allows you to reset one or more selected User passwords (see 2.2.6.4 for further details).

Rename allows you to rename a selected user.

Enable Account(s) allows you to enable a user account which has been locked out after too many unsuccessful login attempts (an account is locked on the fourth unsuccessful login attempt – see 2.2.6.6 for further details).

Disable Account(s) allows you to disable a user account which will prevent that user being able to login to EPM (see 2.2.6.6 for further details).

Properties - the options on the General tab allow the administrator to set individual user password options and enter Full Name, Description and E-mail data (see section 2.2.6.5 for details on security options). The Member Of tab shows Group Membership for that user.

Default Model Group allows you to specify a user group to which all new models created by that user will be assigned (see 2.2.6.3 for further details).


2.2.7.3 Group Context Menu

Add New Group allows you to add additional groups, which initially have a default group name to be edited (see 2.2.5 for more information).

Delete Group(s) allows you to delete one or more selected groups.

Rename allows you to edit an existing group name.

Filter on Membership allows you to filter the groups viewed. If this is checked only the groups to which a selected user is assigned will be displayed in the Groups panel.

Swap User / Group Focus swaps the position of Users and Groups on the screen for personal preference.

2.2.7.4 Users & Groups Sorting

User names and Group names can be sorted in alphabetical order in their respective panels by selecting their column headers. The order in which they are sorted is denoted by the arrow in the column header.

Note: The Groups panel is sorted slightly differently to the Users panel as the predefined User Groups are grouped together followed by user defined Groups.

2.3 User Model Access

The Security tab on the Model Administration screen is only available to administrators (see 4.2). Model Security restricts access to models according to the User Group that a model is assigned to. To be able to view a model in the Select Models screens in the Windows client or the Web, a user must be a member of a User Group assigned to that model. Without being assigned to an appropriate group, the user is effectively denied access to the model.

Security access is assigned to each Model created within EPM according to User Group membership. By default a model is created with Administrators and Modelbuilders access only. This will not be the case if the user that created a model has been assigned an alternative Default Model Group (see section


In order for members of any other groups to access the model an Administrator must assign each Group security access within the Model Security tab in Model Administration. A user who is a member of several User Groups will have access to see each model that Group is assigned to. Further security restrictions can then be assigned within each model as outlined in section 3.4.

All columns within the Model Security screen are sort-able and the Group / Model focus can be switched, in a similar manner to the Users and Groups screen, to allow security assignments to be viewed in a variety of manners. Sorting is denoted by an arrow in the column header.

It is also possible to view Models according to the Users assigned to them using the View Models by User button within the Model Security screen.
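Sections 2.2.6.3 and 2.3 together define who can see a model: a new model is assigned the creator's Default Model Group, membership of an assigned group is what makes the model appear in Select Models, administrators see everything, and security assignments survive a copy. The following is an added example of those rules, not code from EPM; the users, the "Finance Modellers" group and the model names are constructed. It also includes an audit check for the pitfall the guide notes, namely a user whose Default Model Group is one they have not been made a member of.

```python
from dataclasses import dataclass, replace
from typing import Iterable, List, Set

ADMINISTRATORS = "Administrators"
DEFAULT_MODEL_GROUP = "Modelbuilders"   # installation default (2.2.6.3)


@dataclass
class User:
    name: str
    groups: Set[str]                                # assigned in Users & Groups
    default_model_group: str = DEFAULT_MODEL_GROUP  # Default Model Group property


@dataclass
class Model:
    name: str
    groups: Set[str]   # groups granted access on the Model Security tab


def create_model(creator: User, name: str) -> Model:
    """A new model is assigned the creator's Default Model Group. Administrators
    are not listed explicitly because can_see_model grants them everything."""
    return Model(name=name, groups={creator.default_model_group})


def copy_model(model: Model, new_name: str) -> Model:
    """Security assignments stay with a model when it is copied (2.2.6.3)."""
    return replace(model, name=new_name, groups=set(model.groups))


def can_see_model(user: User, model: Model) -> bool:
    """Visible in Select Models only to members of a group assigned to the
    model; administrators see every model (2.3)."""
    if ADMINISTRATORS in user.groups:
        return True
    return bool(user.groups & model.groups)


def visible_models(user: User, models: Iterable[Model]) -> List[str]:
    return [m.name for m in models if can_see_model(user, m)]


def default_group_gaps(users: Iterable[User]) -> List[str]:
    """Audit check: non-administrators whose Default Model Group is a group they
    do not belong to. Such a user will not see the models they create."""
    return [u.name for u in users
            if ADMINISTRATORS not in u.groups
            and u.default_model_group not in u.groups]


# Constructed sample users and models.
admin = User("admin", {"Everyone", ADMINISTRATORS})
dana = User("dana", {"Everyone", "Modelbuilders"})
pat = User("pat", {"Everyone", "Modelbuilders"}, default_model_group="Finance Modellers")
finn = User("finn", {"Everyone", "Modelbuilders", "Finance Modellers"})

budget = create_model(dana, "Budget 2021")    # groups == {"Modelbuilders"}
forecast = create_model(pat, "Forecast")      # groups == {"Finance Modellers"}
forecast_copy = copy_model(forecast, "Forecast (copy)")
MODELS = [budget, forecast, forecast_copy]

if __name__ == "__main__":
    for u in (admin, dana, pat, finn):
        print(u.name, "->", visible_models(u, MODELS))
    print("default group gaps:", default_group_gaps([admin, dana, pat, finn]))
```

The sample shows the intended use of Default Model Group, two Model Builders (dana and pat) who cannot see each other's models even though both hold the Modelbuilders license, and the side effect of forgetting the manual group assignment: pat creates "Forecast" but cannot open it, while finn, who is a member of Finance Modellers, can.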


2.4 Password Security

The System Properties window is accessed via Tools | Security | System Properties. The Security tab provides system level options for password control that may be set by an administrator:

The default minimum password length may be specified as required. Other options for password properties are:

Strong Passwords

Password Expiry

Configuring Login Failure Count

2.4.1 Strong Passwords

Strong password protection ensures that users are forced to use a combination of letters and numbers or keyboard symbols when creating a login password. This is configured in the System Properties window accessed from Tools | Security | System Properties.

2.4.2 Password Expiry

Password expiry can improve security by forcing users to change their password at set intervals. The Password Expiry settings are held on the System Properties window accessed from Tools | Security | System Properties.

The Password Expiry Interval is set to 90 days by default, whilst the minimum value that can be set is 30 days. The Password Expiry Warning is the number of days before a password is due to expire at which the user will be prompted to change their password. With the correct privileges a user can reset their password at any time and the expiry period will be reset. If the user fails to change their password before the expiry date the account will become disabled and will need to be re-enabled by an administrator (see section 2.2.6.6).
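The password rules in 2.4.1 and 2.4.2, together with the login failure count from 2.2.6.6 (normally 3, with the account disabled on the fourth failure), describe a small account state machine. The following is an added example that models those rules; it is not EPM's code. The defaults it uses are the ones the guide states (minimum length 5, interval 90 days, minimum 30, failure count 3); the 14-day warning default and the reading of "strong" as letters combined with digits or symbols are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass
class SecurityProperties:
    """System Properties > Security tab (2.4). Defaults follow the guide where
    it states them; the warning window default is an assumption."""
    min_password_length: int = 5     # default minimum length (2.2.6.4)
    strong_passwords: bool = False   # 2.4.1
    expiry_interval_days: int = 90   # default 90, minimum 30 (2.4.2)
    expiry_warning_days: int = 14    # assumed default; the guide gives none
    login_failure_count: int = 3     # "normally set to 3" (2.2.6.6)

    def __post_init__(self) -> None:
        if self.expiry_interval_days < 30:
            raise ValueError("Password Expiry Interval cannot be below 30 days")


def password_problems(password: str, props: SecurityProperties) -> List[str]:
    """Return the policy rules a candidate password breaks (empty = accepted).
    'Strong' is read as at least one letter combined with at least one digit or
    keyboard symbol; that is an interpretation of 2.4.1, not the product's rule."""
    problems = []
    if len(password) < props.min_password_length:
        problems.append(f"shorter than {props.min_password_length} characters")
    if props.strong_passwords:
        has_letter = any(c.isalpha() for c in password)
        has_other = any(not c.isalpha() and not c.isspace() for c in password)
        if not (has_letter and has_other):
            problems.append("strong passwords need letters plus numbers or symbols")
    return problems


@dataclass
class Account:
    name: str
    password_set_on: date
    password_never_expires: bool = True      # default for new users (2.2.6.5)
    must_change_at_next_login: bool = False  # typically set after a reset (2.2.6.4)
    failed_logins: int = 0
    disabled: bool = False


def expiry_status(acct: Account, props: SecurityProperties, today: date) -> str:
    """'ok', 'warn' (inside the warning window) or 'expired'."""
    if acct.password_never_expires:
        return "ok"
    expires_on = acct.password_set_on + timedelta(days=props.expiry_interval_days)
    if today >= expires_on:
        return "expired"
    if today >= expires_on - timedelta(days=props.expiry_warning_days):
        return "warn"
    return "ok"


def login_attempt(acct: Account, props: SecurityProperties,
                  password_ok: bool, today: date) -> str:
    """Apply one login attempt and return the outcome: 'disabled', 'failed',
    'change-password', 'warn' or 'ok'. With login_failure_count == 3 the
    account is disabled on the fourth consecutive failure."""
    if acct.disabled:
        return "disabled"
    if not password_ok:
        acct.failed_logins += 1
        if acct.failed_logins > props.login_failure_count:
            acct.disabled = True
            return "disabled"
        return "failed"
    acct.failed_logins = 0
    status = expiry_status(acct, props, today)
    if status == "expired":            # missed the expiry date: disabled (2.4.2)
        acct.disabled = True
        return "disabled"
    if acct.must_change_at_next_login:
        return "change-password"
    return status                       # 'warn' or 'ok'


def enable_account(acct: Account) -> None:
    """Administrator action Enable Account(s) (2.2.6.6)."""
    acct.disabled = False
    acct.failed_logins = 0


if __name__ == "__main__":
    props = SecurityProperties(strong_passwords=True)
    print(password_problems("abcdef", props))
    acct = Account("demo", date(2021, 1, 1), password_never_expires=False)
    print([login_attempt(acct, props, False, date(2021, 3, 20)) for _ in range(4)])
```

Two details the model makes explicit: the lockout test is strictly greater than the configured count, which is what "set to 3, disabled after the fourth attempt" means, and an expired password disables the account rather than merely forcing a change, so the recovery path is the administrator's Enable Account(s) followed by a password reset.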

2.5 System Login Options

EPM can be configured to use either EPM standard security or can be integrated with Windows NT LAN Manager (NTLM), Windows Active Directory or LDAP compliant systems to allow Single Sign on (SSO). In addition it is possible to integrate logins over the web with Web Security directory services.

EPM Standard Security

Single Sign On

Web Security

2.5.1 EPM Standard Security

This is the default. Only those users created by the EPM administrator and stored in the EPM database can log into EPM suite applications, dependent on their assigned roles.

2.5.2 Single Sign On

A user login that matches the user's Windows login must have been created in EPM. If the Windows and EPM logins match and the roles assigned to that user permit access, EPM applications will open without requiring the user to enter a login and password.

User logins created in EPM do not require a password, as the user has already been authenticated. However, configuring a password permits a user to bypass SSO and access applications using EPM standard security. This may be useful, in the first instance, in order to log on as administrator and create EPM logins that match users' Windows logins, where a user wishes to gain access using a different login, or when the machine is not networked. Bypassing SSO is done by holding down the Shift key whilst clicking the 'Login' icon, which will cause the default Login screen to appear. Note that an account given a password in this way can be reached without Windows authentication and is then governed only by the password controls in section 2.4, so passwords should be set only on the accounts that actually need the bypass.

It is possible to install EPM with the following login options.

Windows NT Security - A user's access is determined by authentication against a Windows domain via NTLM.

Microsoft Active Directory Security - EPM access is determined by user authentication against the Active Directory service for the domain.

LDAP Security - EPM access is determined by user authentication against an LDAP compliant directory service.

Tip: If logging onto the Web through SSO fails for any reason, then provided that ‘Enable Secondary Logon’ has been set during EPO Configure, the usual login form will be displayed. If the configuration option has not been set, then an error message will be displayed.

To use the override procedure, cancel the login dialog or any error message then, while holding down the Shift key, click on the Refresh icon or the GO button. You will then be able to enter the required username and password.

2.5.3 Web Security

EPM login can be integrated with Web security to allow SSO access to books viewed over the web. The following is guidance for the System Administrator in order to allow EPM security to be integrated with Web security.

The following steps assume you have set up a Form based Authentication scheme which is used in the Policy Domain protecting the IIS EPM web resources:

1. In the COREid Access Manager locate the Policy Domain that was created to protect the Resource for the IIS EPM Directory.

4. In the Redirect To box for the Authentication Success enter the hostname and path to book.asp, found in the EPM IIS files folder. e.g. /epo/book.asp

5. Click Save.

6. In the Authorization Rules Tab, select the Actions Tab.

7. Select Add.

8. In the Authorization Success Return Section, add a Return Attribute with the following properties:

• Type: HeaderVar

• Name: [header var name] (the default value used in the EPM Configuration Wizard, i.e. EPMSSO). If a SID (Security Identifier) has been provided for the user, this will be used in place of the Username value. For details of SIDs, see 2.2.6.5 Password Properties.

• Return Attribute: [Attribute name] e.g. cn

Where [Attribute name] is the identifier that will be used to match the user names defined in EPM security, or an attribute that equates to the SID. EPM accepts the value of this header as the authenticated identity, so, as with any header-based SSO, the IIS EPM directory must be reachable only through the access manager component that sets the header; a request that reached IIS by any other route could otherwise present its own EPMSSO header.

9. Click Save.

10. Ensure the Policy is enabled.
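The steps above configure the access manager side; what the EPM web tier then has to do is take the EPMSSO header, match it against EPM's users by SID or name, and fall back to the login form only when Enable Secondary Logon is set (the Tip in 2.5.2). The following Python is an added example for this page, not EPM's own code. The user list is constructed sample data, and the via_access_manager flag is an assumption standing for "this request arrived through the agent that sets the header"; the guide does not describe how that is established, but without some such check the header is just client-supplied input.

```python
"""Resolving an EPM user from the access manager's HeaderVar return attribute."""
from dataclasses import dataclass
from typing import Mapping, Optional

# Default header variable name from the EPM Configuration Wizard.
HEADER_VAR = "EPMSSO"


@dataclass(frozen=True)
class EpmUser:
    name: str
    sid: Optional[str] = None   # Security Identifier, when one has been provided


# Constructed sample of the users defined in EPM security (not real data).
EPM_USERS = (
    EpmUser("jsmith", sid="S-1-5-21-1111111111-2222222222-3333333333-1001"),
    EpmUser("mbrown"),
)


def match_user(value: str) -> Optional[EpmUser]:
    """Match the header value against a SID first, then against the user name."""
    for user in EPM_USERS:
        if user.sid is not None and user.sid == value:
            return user
    for user in EPM_USERS:
        if user.name.casefold() == value.casefold():
            return user
    return None


def resolve_web_login(headers: Mapping[str, str], via_access_manager: bool,
                      secondary_logon_enabled: bool):
    """Decide how a web request is logged in.

    Returns ("sso", user) when the header names a known EPM user,
    ("login_form", None) when SSO fails but Enable Secondary Logon is set,
    and ("error", message) otherwise, mirroring the guide's tip.

    via_access_manager is an assumed flag meaning "this request came through
    the agent that sets the header". A header on any other request is ignored:
    the header is the proof of identity, so it must only be accepted from the
    component trusted to set it.
    """
    value = None
    if via_access_manager:
        for name, header_value in headers.items():
            if name.casefold() == HEADER_VAR.casefold():
                value = header_value
                break
    user = match_user(value) if value else None
    if user is not None:
        return ("sso", user)
    if secondary_logon_enabled:
        return ("login_form", None)
    return ("error", "single sign-on failed and Enable Secondary Logon is not set")
```

The SID is tried before the name because the guide says a SID, where provided, replaces the username value; matching the name case-insensitively reflects the usual behaviour of Windows and directory logins, and is an assumption about EPM.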

3 Model Security

3.1 Model Security Features

EPM allows a great deal of flexibility in the levels of security access that can be applied to different parts of the application. Security can be used to allow different levels of access to individual Dimension items, Grid Values, Books and actions in the Performance Optimization / Activity Analysis / IT Services Costing applications.

Security access is allocated using Security Descriptors that are referenced by User Groups. Security Descriptors are labels that are attached to actions, data fields and specific components within a model. Security access levels are then assigned to these Security Descriptors to determine what users can do according to the User Groups they belong to. Different levels of security access are possible for different security actions, fields and dimension descriptors, ranging from Full Access to No Access dependent on the particular Security Descriptor. Security Access Levels may be set for User groups in the Group/Descriptor Assignment screen, which is described in 3.4.

Users and groups are common to all models but Security Descriptors and Group assignment levels are on a per model basis (excluding the Model Administration actions). Therefore, if you have more than one model on the same database then users and user groups will be visible across all models; however security levels will not automatically be inherited across models. The exception to this is the administrator group, who automatically has full access to all security descriptors.

Note: Only a member of the ADMINISTRATORS group can assign security within EPM.

Group/Dimension Security

Security Descriptors

Group / Descriptor Assignments

Books Security

It is possible to export some model security settings to an XML file using the standard export procedure. For further information see:

Security Export

3.2 Group/Dimension Security

Group/Dimension security is intended primarily as a way of restricting access to certain parts of a dimension hierarchy. It is possible to set the default hierarchy level at which a member will be able to view a dimension. Setting a level will allow a user to see all elements at that level and below but nothing at a higher level.

Note: Users and groups are common to all models but Group/Dimension access levels are set on a per model basis.

From the drop down menu the user selects the Dimension for which security is to be configured. All the existing groups are listed in the main section. To set a default access level the user highlights a group and then clicks the adjacent area under the Root Item column. This displays the hierarchy, including the attribute groups, for the selected Dimension. Apart from the Administrators and Everyone groups, the default setting for all other groups is NONE. While the Everyone group is set to the top-level item of the dimension, all parts of that dimension are visible to all users. In order to implement Group/Dimension security, the setting for the Everyone group should be set to the lowest acceptable level of access for all users, or set to none.

Highlighting an element sets the root item for the group; the selection is confirmed by clicking outside the selection area. Changes are not finalized until the screen is closed.

All the assigned levels for the selected group are summarized in a separate window on the right of the screen.

3.3 Security Descriptors

Security Descriptors in EPM are used to assign security access levels to Groups. Security Descriptors are labels which can be assigned to actions, data fields or dimension elements and books within a model. Security access levels are then assigned to these Security Descriptors on a group by group basis to allow or restrict User Group access to various actions or elements within a model.

The descriptors in the Action Access and Field Access Security Groups are all pre-defined and may not be edited. The Dimension Access and Report Task Access Security Groups each contain a pre-defined descriptor which may be edited, and the groups may also have additional descriptors defined by an administrator for each particular model.

Further information on the security descriptors groups is provided in the following sections:

Action Access Security Group

Field Access Security Group

Dimension Access Security Group

Report Task Access Security Group

3.3.1 Action Access Security Group

Action Access Security Descriptors are predefined actions in EPM over which you may limit a user’s access. For example security levels may be assigned according to the role of a user, especially where different levels of access are required within each role (e.g. View Builder, Book Builder, Model Builder). Action Access Security is only relevant for Win32 client users. Action Access Security is mainly divided into Import / Export, Books, Model Management, Driver Analysis, Assignment functionality, Password Access and Data Alias Access.

Action Access Security Descriptors and their functions are listed in Appendix B Action Access Security Group Definitions and Security Levels.

3.3.2 Field Access Security Group

Field Access Security Descriptors refer to Value fields as defined on Grid layouts. Different levels of user may need different levels of access to specific values. Field Access Security Descriptors can be used to restrict access to values displayed in both the Win32 client and End User.

Field Access Security Descriptors and their functions are listed in Appendix B Field Access Security Group Definitions.

Tip: Field Access security works in conjunction with Dimension Descriptor security. A user must have sufficient levels of access in BOTH of these groups to edit or view Values.

3.3.3 Dimension Access Security Group

Dimension Access Security Descriptors are definable security labels which can be applied to almost any Dimension line item (only excluding Currencies, Capacity Rules and User defined Rules). Default Dimension Security is the only descriptor initially available, under which all Dimension items are automatically assigned when they are first created. However, personalized security descriptors may also be added to this group.

Dimension Access Security Descriptors are assigned to Dimension items using the Security section of the Dimension screen item details bar. They can also be assigned to Books using the Book Security setting within the Formatting tab of specific books. To restrict access to specific Dimension items within your model, personalized descriptors must be assigned. Personalized Dimension Security Descriptors can be created by selecting either the group or another descriptor within the group, then right-click to display the context menu and select Add. A text box will pop up prompting you to enter a new Security Descriptor name and description. This facility allows you to personalize security across Dimensions. Once you have defined a Dimension Security Descriptor it will appear under this group in the Security

The name and/or description associated with any Dimension Access Security Descriptor can be amended to provide more detailed information appropriate for each action. Select the required Descriptor then click Edit Name or Edit Description to amend as required.

Dimension Access Security Descriptors can be removed by highlighting the item required in the Security Descriptor area then clicking the Delete button. A message box will ask you to confirm the remove action. Selecting OK will remove the Security Descriptor. Selecting Cancel will cancel the operation and the Security Descriptor will remain.

Note: Dimension Access Security Descriptors can be used in Books to restrict User Group access to specific Books. See 3.5.3 for more information.

3.3.4 Report Task Access Security Group

This group contains a single descriptor, Default Report Task Security Descriptor, which controls access to the Report Manager application.

3.4 Group / Descriptor Assignments

Security is assigned to groups using the Group / Descriptor Assignments screen. In this screen all predefined and user-defined Security Descriptors are displayed with an associated Security Access Level for each group.

Note: Users and groups are common to all models but Security Descriptors and Group assignment levels are on a per model basis.

To view the Security Access level of a group you need to select a group in the User Groups area. Assigned security levels are then displayed next to each Security Descriptor. Security Descriptor groups can be expanded and collapsed to group level or leaf level by clicking on the group node icon.

Security access levels may only be amended by members of the Administrator group. Security levels for a User Group are assigned in the following way:

Select the required level of Security Access in the list. The box will close automatically and the selected access level will be assigned to the Group.

Multiple Security Descriptors and Groups can be assigned to the same Security Level at the same time:

Select the required Groups using the Ctrl key or SHIFT key then select the Security Descriptors to be assigned.

Once these are highlighted select one of the Security Levels to display the drop down box and select an access level. Only the access levels that are common to all the selected descriptors will be available for selection.

All the highlighted Security Descriptors will be assigned to this level.

Repeat this process for all the Security Descriptors required for the group. Security assignments take effect almost immediately.

The effects of Security Access Levels when assigned to security Descriptors are discussed in the following topics:

Security Access Levels

Security Access Interactions

3.4.1 Security Access Levels

Security Descriptors can be assigned differing levels of Security Access. The number of access levels available will vary depending on the actual Security Descriptor selected.

See Appendix B Security Descriptor Definitions for a detailed explanation of the effects of different security levels on the Action Access Security Group Descriptors.

The basic levels of security are detailed below:

No Access denies a user any access to an action, value or Dimension item. The user cannot see the item in their view.

View Only will allow a user to view an item assigned with that security but they cannot edit the item or data of that item. Values which would normally appear editable will not be editable when this Security level is assigned.

Edit Data allows a user to view an item and to edit values of that item but not the structure. Dimension items cannot be edited or inserted with this level of access.

Edit Structure allows a user to view and edit a Dimension item in name and hierarchy structure. With this level of Dimension Access security you can insert new items, move existing items and edit item names. Books may be created but not edited.

Full Access gives a user full access to an item similar to the level of an Administrator. By Default the Administrators group has Full Access to all Security Descriptors except for the following:

Responsibility Center / Activity Assignment

Activity Reassignment

Cost Object Assignment

3.4.2 Security Access Interactions

Field Access Security and Dimension Access Security levels can be used to restrict the Values and Dimension items users can view or edit. These two Security Descriptor types interact in Grid Layouts within both Books and View Builders. If a user has restricted access to either a Dimension item or Grid Value then they will be restricted in viewing or editing all items directly relevant to these elements.

Security of this type is useful to restrict access across Responsibility Centers and their associated Line Items, for example, or the Values a user can see at different levels within a Company (e.g. data entry, cost center manager)
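Two rules from this chapter decide what a user actually sees in a grid: the Group/Dimension root item hides everything above the chosen level (3.2), and Field Access and Dimension Access descriptors interact so that the user needs a sufficient level in both (3.3.2 Tip, 3.4.2). The Python below is an added example for this page, not EPM's implementation, combining the two into one effective-access check over a constructed hierarchy, constructed groups and constructed descriptor names ("Budget Value", "Actual Value"). Taking the lower of the two levels is the reading of "sufficient levels of access in BOTH" used here; the Administrators short-circuit follows 3.4.1 but leaves out the few assignment descriptors the guide lists as exceptions.

```python
"""Effective access to a grid value under Group/Dimension and descriptor security."""
from enum import IntEnum
from typing import Dict, Optional


class Level(IntEnum):
    """Basic security access levels, ordered from most to least restrictive."""
    NO_ACCESS = 0
    VIEW_ONLY = 1
    EDIT_DATA = 2
    EDIT_STRUCTURE = 3
    FULL_ACCESS = 4


# Constructed dimension hierarchy: item -> parent item (None for the top level).
PARENT: Dict[str, Optional[str]] = {
    "Company": None,
    "Region North": "Company",
    "Region South": "Company",
    "Cost Centre 100": "Region North",
    "Cost Centre 200": "Region South",
}

# Constructed Group/Dimension root items. Everyone is set to NONE so that the
# restriction on the other groups actually takes effect (guide, section 3.2).
ROOT_ITEM: Dict[str, Optional[str]] = {
    "Administrators": "Company",
    "Everyone": None,
    "North Managers": "Region North",
}

# Constructed Group / Descriptor assignments: group -> descriptor -> level.
# "Budget Value" and "Actual Value" stand for Field Access descriptors.
ASSIGNMENTS: Dict[str, Dict[str, Level]] = {
    "North Managers": {
        "Default Dimension Security": Level.EDIT_DATA,
        "Budget Value": Level.VIEW_ONLY,
        "Actual Value": Level.EDIT_DATA,
    },
}


def visible(group: str, item: str) -> bool:
    """An item is visible when the group's root item is the item or an ancestor of it."""
    root = ROOT_ITEM.get(group)
    if root is None:
        return False
    node: Optional[str] = item
    while node is not None:
        if node == root:
            return True
        node = PARENT[node]
    return False


def effective_access(group: str, item: str, item_descriptor: str,
                     field_descriptor: str) -> Level:
    """Lowest of the Dimension Access and Field Access levels for a grid value.

    Administrators get Full Access here; the guide lists a few assignment
    descriptors as exceptions to that default, which this sketch does not model.
    An item hidden by Group/Dimension security yields No Access regardless.
    """
    if not visible(group, item):
        return Level.NO_ACCESS
    if group == "Administrators":
        return Level.FULL_ACCESS
    levels = ASSIGNMENTS.get(group, {})
    dimension_level = levels.get(item_descriptor, Level.NO_ACCESS)
    field_level = levels.get(field_descriptor, Level.NO_ACCESS)
    return min(dimension_level, field_level)
```

A descriptor with no assignment for the group is treated as No Access, which is the safe default and matches the guide's statement that groups other than Administrators and Everyone start at NONE; when checking a configuration, it is the Everyone group's root item and levels that most often undo an intended restriction.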

3.5 Books Security

Books have several different levels of security. Access can be restricted to all Books within the EPM Win32 client and individual Books either in the client application or over the web or book viewer. The Book which is defined as the default book for each user group i.e. the default book selection available to a user over the web or book viewer can also be used to restrict access. Finally a custom descriptor can be assigned to a book and access controlled through this.

Books Action Access

Home Pages/Default Books

Book Security Assignment

3.5.1 Books Action Access

Access to the Books function in the EPM application can be restricted by an Administrator using the Group / Descriptor Assignment screen (see 3.4). Limited security access to Books Security will restrict a user’s ability to create or edit all Books within the client application. Restricted access is displayed with a red cross over Book names in the Books pane.

3.5.2 Home Pages/Default Books

A Home Page (or Default Book) is required for all Groups of users who access the Web. This page may be an individual Book if only one Book is to be accessed or it can be created as a home page purely to provide access to other Books over the Web using a series of Hyperlinks which direct users to appropriate Books.

Different Home Pages/Default Books can be set up for each different Group of users. This way you can create different Books that contain different series of Hyperlinks so Users will only see the Hyperlinks to Books which are relevant to the particular Groups they belong to.

Select the required group.

Click in the Default Book column or on the existing Default Book that you wish to change for that group. This will display a drop down box, from which you can select the required book.

These settings can then be exported and imported with each corresponding model.

3.5.3 Book Security Assignment

Book security works in the same manner as security for Dimension items.

The Default Dimension Security descriptor is assigned by default to all newly created books. A user needs Full Access to this descriptor in order to both create and edit books.

Personalized dimension security can be defined by the introduction of additional descriptors within the Dimension Access Security group (see 3.3.3). This allows a specific Dimension Access Security descriptor to be applied to an individual Book using the Book Security field from the Book Properties Formatting tab. Potentially, any Dimension Access Security Descriptor could be assigned to a Book, whether it has previously been applied to Dimension items or is just relevant to the Book.

Once a Dimension Access Security Descriptor has been applied, if an end user with restricted access to the Dimension Descriptor then tries to follow a link to the Book an appropriate error message appears and prevents display of the Book. Access is assigned in the usual manner by groups in the Group / Descriptor Assignments screen (see 3.4).

3.6 Security Export

Some security settings within a model can be exported into an XML file using the standard export procedure. This facility is only available to Administrators and Modelbuilders with sufficient security access privileges to Import and Export data.

This facility can be exported with a normal model and will be included with the model data or can be exported separately with no other model data.

The following parameters can be exported into an XML file:

Security Descriptors (both name and type)

Model Security Descriptors (Dimension Security Descriptors assigned to dimension items)

Security Descriptor Groups (Group / Descriptor access assignments)

Users and Groups information and assignments

Default Book security assignments

4 Managing Models

4.1 Model Administration

Model Administration can only be performed within the Modelbuilder application by an Administrator or a Model Builder who has been given access rights to Manage Models via security. Administrator users automatically inherit these access rights and can assign them to other users (see 2.2). General model administration tasks such as creating and deleting models are performed through the Model Administration Screen.

Note: It is strongly advised that you keep the number of models on a database to an absolute minimum as each model present on a system (whether enabled or disabled) increases the number of records held in the database by significant amounts. Therefore with each separate model present on a database, response times for significant tasks such as calculation and export / import may be detrimentally affected.

Similarly regular database maintenance should be carried out on your EPM Database Server to maintain the size and to optimize performance of database and log files.

Having opened the Model Administration screen, you will have access to Model Management and Model Properties functions. You will also be able to set the Model Access for User Groups using the Security tab, and set up Model Partitioning using the Partitioning tab.

Access to Model Administration

Model Management functions

Modify Model Properties

User Model Access

Partitioning

4.2 Access to Model Administration

Only an Administrator has access to the full range of functions provided for Model Administration, including Administration, Security and Partitioning. Model Builders may have access to a basic set of model management functions, but this is at the discretion of the Administrator.

Model Administration can be accessed only if you are logged in to the Model Builder application with no Model open. With the appropriate security privilege (see 3.3.1) you can achieve this in three different ways:

Close the model you are in and click on the Manage Models toolbar icon

After entering your user name and password to login, the Model Selection screen is displayed, where you can click on the Model Admin button. (The first time EPM is entered the Available Models pane will appear blank; otherwise it will show all accessible models.)

Any of the above three methods will give you access to Model Administration.

The Model Administration screen has three tabs: Administration, Security and Partitioning. A set of Model Management functions is provided under the Administration tab through buttons displayed along the foot of the screen. These include: create a New model, Open, Copy, Rename and Delete a model. Model Maintenance functionality is also provided via the Modify button which allows you to change a model’s properties such as its description, the model server and whether or not it is enabled or audited.

The screen layout is shown below with the first few buttons visible. A list is displayed of the models you have access to. Each of these has a description, an operational status and a specific Application Server that the model has been assigned to. On creation of a model, the Creation Date is generated automatically.

4.3 Model Management functions

The following Model Management functions are available on the Administration tab of the Model Administration screen:

New Model

Open Model

Copy Model

Rename Model

Delete Model

4.3.1 New Model

In the Model Administration screen a new Model can be created by selecting the Create New Model button. Note that without the required security privilege (see 3.3.1) this option is not displayed and that Administrators have this privilege by default. The Model Name provided must be unique.

It is possible at this point to add a description for the model and to select a specific Model Server, where more than one Model Server exists. Provided Database Auditing has been enabled during EPM Configure, you will also have the option of recording audit information for this model (please refer to your Database User Guide for further information on Database Auditing).

The model’s creation date is stored automatically when a new model is created. This is displayed in the Model Administration screen (see 4.2). Models that were created prior to Release 2.5 will appear with a default creation date of ‘01/01/1900’.

Note: You should be aware that certain characters are disallowed in Model names as they cause problems in the Web aspects of EPM Applications.

4.3.2 Open Model

A model may be opened by either double clicking a specific Model name or using the Open Model button which can also be accessed using the appropriate accelerator key.

4.3.3 Copy Model

This function is only available to users with the appropriate security privilege. It is located in the Model Administration screen (see 4.2). Selecting the Copy Model option duplicates the selected Model; without the required security privilege the option is not enabled. The name given to the new model must be unique. All the items, values and Books created in the existing Model are reproduced in the duplicate.

4.3.4 Rename Model

This function is only available to users with the appropriate security privilege. It is located in the Model Administration screen. Selecting the Rename Model option allows the user to change the Name and Description for the Model. The new name chosen must be unique and should avoid certain characters as these can cause problems in Web use and Data Bridge import.

4.3.5 Delete Model

not displayed, and that the Administrator and Model Builders have this privilege by default. Great care should be taken when deleting a Model, as this operation cannot be undone. Before a model is deleted you will be required to confirm the operation. You will also be offered the options to delete the Audit records or Layouts associated with this model. Should you prefer to delete individual Layouts at a later date, rather than all at once, it will still be possible to delete them from your file store, using the Delete option in View Builder | Load Layout, or to delete layouts from the database. Similarly, it will still be possible to delete Audit records from the database at a later date, if preferred. More information on selective deletion of Audit records can be found in the EPM Oracle Database User Guide.

Note: You cannot delete a Model which another user currently has open. A message box will inform you of this when Delete is selected.

4.4 Modify Model Properties

Selecting the Modify option from the Model Administration screen (see 4.2) will invoke the Model Properties screen. Note that without the required security privilege within the Model Definition Security descriptor this option is not displayed and that the Administrator has this privilege by default.

Functions available on the Model Properties screen are:

Amend Model Description

Change Model Server

Enable/Disable Model

Audit Model

4.4.1 Amend Model Description

4.4.2 Change Model Server

This function is only available to users with the appropriate security privilege. It is located by selecting Modify from the Model Administration screen (see 4.2). The Model Properties screen then displays a drop down of the available Model Servers on which a model can run. This can be used to organize load spreading by allocating specific models to particular model servers. As each model must operate through a single model server, this is only of use when you have several models in use and wish to separate their model server loadings.

This feature also provides a convenient means for dealing with model servers that break down or require maintenance, as it allows processing to be switched to another model server. However you should not exercise this option on existing models that are in use. You can see which users are using which models through the EPM Monitor application.

4.4.3 Enable/Disable Model

The Model Administration screen (see 4.2) indicates whether the operational Status of a model is enabled or not. A User can only open a model if it is enabled. The model Status can be amended by selecting Modify from the Model Administration screen and the Model Properties screen is then displayed. If the Model Enabled box is cleared, the Model is disabled and is invisible to users until it is enabled again. This function is only available to users with the appropriate security privilege.

4.4.4 Audit Model

The Model Administration screen (see 4.2) indicates whether auditing is enabled or disabled for a model. The function to turn auditing on or off is located by highlighting the model and selecting Modify from the Model Administration screen; the Model Properties screen is then displayed. Provided Database Auditing has been enabled during EPM Configure, you will have the option of recording audit information for this model (please refer to your Database User Guide for further information on Database Auditing). This function is only available to administrators.

4.5 Partitioning

Model Partitioning is available within EPM to spread the load of model calculation over several processors or machines. This is an extension to the multi threading capabilities introduced in Version 1.5.4. This is available through the Partitioning tab within the Model Administration screen.

5 Language Capabilities

5.1 Localization Issues

Several additional functions have been provided to support a customized user interface. As EPM has to operate in a multi-national framework, it has been designed to operate in several international languages. When you select your preferred language, all of the EPM screen and dialog text should appear in that language providing the EPM Language Editor has been implemented. As your model is constructed new items can be given names with several selectable alternatives (Aliases) to further support individual language choice.

It is possible to rename Dimension Line Items in EPM to a preferred alternative for different users using the Data Aliases function. The original name will be retained but a user may choose to view an item under an alternative alias. An example where this might be useful is for different languages or where certain users may prefer to use codes rather than names.

The renaming of Dimension items is managed using the Data Alias functionality detailed below.

Managing Data Aliases

5.2 Managing Data Aliases

Alternative terms are grouped according to a Data Alias which must first be created by an administrator.

To create a Data Alias, select Tools | Manage Data Aliases to bring up a window in which you can carry out several basic Data Alias functions. The predefined default Aliases are present.

To create a new Data Alias, select Add then type an Alias Name in the text box that appears, and press <Enter>.

The new Data Alias will be displayed in the Available Data Aliases area and is now available for users to select as their Primary Alias.

Data Aliases can be renamed using Manage Data Aliases. To rename an Alias, highlight the Data Alias to be renamed in the Available Data Aliases area, select Rename and then enter a name in the Alias Name text box. The selected Data Alias will now be renamed.

To delete a Data Alias you highlight the required name in the Available Data Aliases area and select Delete.

6 EPM Monitor

6.1 Monitoring Current Usage

EPM has an additional feature available on the EPM Server which can monitor users currently connected to the EPM suite. The EPM Monitor is an administration utility with limited but essential housekeeping functionality. It displays the Users currently logged into the EPM suite, accompanied by useful information regarding User Types, the client machine that Users are connecting from and the time they logged on. It also allows you to forcibly log off connected users. The same logout function clears the session of a user who was disconnected as the result of a fault, so that the login can be reused; in that case it does not constitute a forced logout.

The EPM System Information utility can also be used in this role (for more information, see the EPM System Information guide).

6.2 User Details

Logged in users will appear in the User Details tab. This displays:

- the User Name defined in the User and Group Maintenance screen (see 2.2.6.1)
- the User Type, which is the application User Group the user is assigned to (i.e. Model Builder, Book Builder, End User; see 2.2.6.2)
- the Client Machine, which is the workstation the user is connected from as defined within your network
- the EPM Server, which is the server connected to (this could differ if the Web Server is set up on a different machine)
- the Logon Date, which is the date and time the user logged on to EPM
- the Model Name
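Because the monitor only lists sessions, deciding which of them need attention is left to the administrator. The script below is an added example, not part of EPM or of this guide: it takes records shaped like the User Details columns listed above (constructed sample rows, with made-up user names, workstation names and server names) and flags two conditions an administrator reviewing the tab would typically look for, sessions older than a chosen maximum age, which are candidates for logoff, and a user name that is connected from more than one client machine at once. The twelve-hour threshold and the date format are assumptions for the sample, not EPM settings.

```python
"""Review of EPM Monitor-style session records (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what the User Details tab shows. Column names
# follow the guide; every value is invented for illustration.
SESSIONS = [
    {"user": "alice", "user_type": "Model Builder", "client": "WS-FIN-01",
     "server": "EPMSRV1", "logon": "2007-03-12 08:05", "model": "Profitability2007"},
    {"user": "bob", "user_type": "End User", "client": "WS-SAL-07",
     "server": "EPMSRV1", "logon": "2007-03-12 15:40", "model": "Profitability2007"},
    {"user": "bob", "user_type": "End User", "client": "WS-MKT-02",
     "server": "EPMSRV1", "logon": "2007-03-12 16:10", "model": "Profitability2007"},
    {"user": "svc_batch", "user_type": "Book Builder", "client": "WS-OPS-09",
     "server": "EPMSRV1", "logon": "2007-03-11 02:00", "model": "Budget2007"},
    {"user": "carol", "user_type": "End User", "client": "WS-FIN-03",
     "server": "EPMSRV2", "logon": "2007-03-12 17:55", "model": "Profitability2007"},
]

LOGON_FORMAT = "%Y-%m-%d %H:%M"  # assumed format for the sample rows


def parse_logon(text):
    return datetime.strptime(text, LOGON_FORMAT)


def stale_sessions(sessions, now, max_age):
    """Sessions whose logon is older than max_age, oldest first."""
    stale = [s for s in sessions if now - parse_logon(s["logon"]) > max_age]
    return sorted(stale, key=lambda s: parse_logon(s["logon"]))


def multi_client_users(sessions):
    """User names that currently appear from more than one client machine."""
    clients = defaultdict(set)
    for s in sessions:
        clients[s["user"]].add(s["client"])
    return {user: sorted(c) for user, c in clients.items() if len(c) > 1}


def review_sessions(sessions, now, max_age=timedelta(hours=12)):
    """Summarise the findings as plain data so they can be checked or reported."""
    stale = stale_sessions(sessions, now, max_age)
    return {
        "stale": [(s["user"], s["client"], s["logon"]) for s in stale],
        "multi_client": multi_client_users(sessions),
    }


def format_report(findings):
    lines = []
    for user, client, logon in findings["stale"]:
        lines.append("stale session: %s on %s since %s" % (user, client, logon))
    for user, clients in sorted(findings["multi_client"].items()):
        lines.append("%s connected from %d machines: %s"
                     % (user, len(clients), ", ".join(clients)))
    return lines


if __name__ == "__main__":
    # Fixed "now" so the sample is reproducible.
    now = datetime(2007, 3, 12, 18, 0)
    for line in format_report(review_sessions(SESSIONS, now)):
        print(line)
```

A stale entry for a batch or service account is the case the guide's note about faults describes: the session can be cleared so the login is reusable. A user seen from two workstations at once is worth a question before the session is logged off, since it may be a user who simply moved desks or a shared password.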

