Wednesday, October 1, 2014

Tips & Tricks: Using filter on Locations when creating HSS Groups

Accidental discoveries. That's how I would define it.

Throughout history we have had amazing accidental discoveries that have made our lives easier and better: penicillin, the microwave, Velcro, Teflon, vulcanized rubber, Coca-Cola, Viagra...

My discovery is not as important as the ones I mentioned (I wish), but it can help you mitigate some of the drawbacks of the new Location Security functionality in FDMEE. Remember that this is just something that may or may not be helpful for you. The aim is just to share a funny finding.

Before starting, note that location security is optional. You will be asked to enable location security when you navigate to Security Settings > Tab Location Security:

A brief introduction about Location Security
I'm sure you were disappointed with the way security worked in FDM Classic: provisioning users in HSS (Hyperion Shared Services), then going to FDM User Security, adding the user, selecting which locations he had access to, blah blah...

In FDMEE, Oracle tried to get rid of this long process and redesigned location security so you just have to add users to groups in HSS and can forget about managing user security in FDMEE as well.
In a nutshell, you define and trigger the creation of HSS groups from FDMEE Security Settings, then provision users to these groups, and that's all. FDMEE will do the rest.

But these groups are particular. Why? They have a specific naming convention defined from FDMEE:
At run-time, FDMEE checks which groups the accessing user belongs to in order to determine which locations he has access to. This is how the new location security works.

I have to say that I like the way the new Location Security is managed, but I don't like how the security groups are created in HSS. I don't like that this functionality is not as flexible as expected. The number of groups created can explode in Shared Services, as FDMEE creates groups for all locations.

How does it work?
Did you get it? Let me provide some notes about the process.

1. Navigate to Setup Tab > Security Settings > Location Security Tab (only admins or roles having access to Security Settings). Then set up the templates for the HSS Groups based on your requirements:
A template has:
- Prefix: any, but don't use location names as the prefix
- Suffix: any
- Roles assigned: check the roles you want to assign to the HSS group. You may need to configure Role Security as well if required.

2. When we click on Maintain User Group, FDMEE will create one group in HSS for each template|location combination. In other words, let's say that we have 3 templates and 200 locations. FDMEE will create 3*200 groups in HSS...
The information message shown to the user is clear enough:
In the example above we have 3 templates for HSS groups and many locations. What is the result? Something like the following:
As you can see, you may have many groups that you don't need. Some of the names may sound senseless due to your prefix and suffix definition so you can just leave or remove them. If you remove them, they will be re-created from FDMEE when you click again...
BTW, did I say you need to be HSS admin to create groups from FDMEE?
You have to.

3. We have a user named TyrionLannister who only needs access to location SAPECC_NEWGL_HFM with the Data Integration role.
I will add Tyrion to HSS group FDMEE_SAPECC_NEWGL_HFM_Data Integration:
4. Tyrion accesses FDMEE and tries to select locations from the POV:
As expected, he only has access to location SAPECC_NEWGL_HFM_Data Integration.

What does FDMEE do?
If you have a look at the ERPIntegrator log you will see what FDMEE does to manage location security:
What about having a user assigned to more than one group?
If a user belongs to HSS groups MyPrefix1_LOCATIONA_MySuffix1 and MyPrefix2_LOCATIONB_MySuffix2, he will have access to LocationA with the roles assigned to template MyPrefix1_<LOCATION>_MySuffix1 and to LocationB with the roles assigned to template MyPrefix2_<LOCATION>_MySuffix2.
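The group generation and run-time resolution described above can be modelled in a few lines. This is an added example, not FDMEE code or output: it assumes the <prefix>_<LOCATION>_<suffix> naming shown in the post, merges roles when several groups grant the same location (a case the post does not cover), and uses constructed sample data apart from the Tyrion group.

```python
from typing import NamedTuple

class Template(NamedTuple):
    prefix: str
    suffix: str
    roles: frozenset  # roles ticked on the group template

def group_name(t, location):
    # Naming convention described in the post: <prefix>_<LOCATION>_<suffix>
    return f"{t.prefix}_{location}_{t.suffix}"

def generated_groups(templates, locations):
    """One group per template/location pair, as Maintain User Group creates them."""
    return {group_name(t, loc): (t, loc) for t in templates for loc in locations}

def effective_access(memberships, templates, locations):
    """Resolve a user's HSS group memberships to {location: set of roles}.

    Assumption of this sketch: roles are merged when more than one group
    grants the same location.
    """
    index = generated_groups(templates, locations)
    access = {}
    for group in memberships:
        if group in index:  # skip groups unrelated to location security
            t, loc = index[group]
            access.setdefault(loc, set()).update(t.roles)
    return access

def unused_groups(hss_members, templates, locations):
    """Generated groups without members: candidates for review in HSS."""
    return sorted(g for g in generated_groups(templates, locations)
                  if not hss_members.get(g))

# Constructed sample data; only the FDMEE/Data Integration template, the
# SAPECC_NEWGL_HFM location and the Tyrion membership come from the post.
TEMPLATES = [
    Template("FDMEE", "Data Integration", frozenset({"Data Integration"})),
    Template("MyPrefix1", "MySuffix1", frozenset({"ExampleRole"})),
]
LOCATIONS = ["SAPECC_NEWGL_HFM", "LOCATIONA", "LOCATIONB"]
HSS_MEMBERS = {"FDMEE_SAPECC_NEWGL_HFM_Data Integration": ["TyrionLannister"]}

def groups_of(user):
    return [g for g, members in HSS_MEMBERS.items() if user in members]

if __name__ == "__main__":
    print(effective_access(groups_of("TyrionLannister"), TEMPLATES, LOCATIONS))
    print(len(generated_groups(TEMPLATES, LOCATIONS)), "groups generated")
    print(unused_groups(HSS_MEMBERS, TEMPLATES, LOCATIONS))
```

Run against an export of real group memberships, the unused-group list shows how much of the generated set carries no access at all.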

Nice to have
In my opinion the approach is much better than FDM's but, as I already said, the way groups are managed/created could be enhanced. I know Oracle is working on that, but here are my recommendations.

  • When the administrator clicks Maintain User Group, he should be able to select which locations he wants to create the groups for
    • All Locations
    • Filter locations like "Locations starting with", "Locations containing"...
    • Select locations one by one
  • These options should be available for each group template, or the administrator should be able to maintain user groups only for templates selected in the grid.

What do you think?

Accidental discovery
And now let's go to what I wanted to tell you. One day I was playing with Quick Search filters in the Location Page and I navigated to the Security Settings page without removing the filters.
What happened when I created my group templates and clicked Maintain User Groups? It's better you see it. If we go to HSS and search for the groups having prefix SAPBW and suffix FILTERED:
The group template was only applied to locations filtered in the Locations page!
Unfortunately, there is still one issue: 
As you can see, all groups were created even for the filtered locations. Maybe if Oracle adds a filter to Security Settings group we are done :-)

BTW, there is a technical reason for this happening. The process of creating user groups uses an internal list of locations, and that list is the list of locations shown in the Locations page.

That's all, folks! We will discuss role overlapping between users and groups, and more details about location security, another day.



  1. I actually preferred the old FDM security model. I liked the granular ability to set security profiles right down to the object level when required, e.g. disable buttons etc. That said, most FDM security setup was fairly standard and didn't take much time to configure, so I don't see any great gains with this approach (or probably more the way it's been implemented). Like you, I particularly don't like how FDMEE creates multitudes of entries in HSS; this needs to be designed much better IMHO ;-)

  2. Is FDMEE location security extended to inbox location folders on the server?
    I want to limit user access to the user's own location folder only. Currently, while browsing for a data file in a data load rule, users can view/download/upload other location folders/files as well.

    Can it be achieved by location security?


Thanks for feedback!