Unleashing Hyperion Planning Security Using ODI
Ricardo Giampaoli – TeraCorp
Rodrigo Radtke de Souza - Dell
About the Speakers
Giampaoli, Ricardo
● Master in Business Administration and IT management
● Founder of TeraCorp Consulting
● 18 years working with IT and the last 8 years as an EPM solution architect
● EPM training instructor
● Essbase/OBIEE/ODI Certified Specialist
● Blogger @ devepm.com
Radtke, Rodrigo
● Graduated in Computer Engineering
● Software Developer Advisor at Dell
● Ten years working with IT and the last five as ETL architect
● ODI, Oracle and Java Certified
● Blogger @ devepm.com
About TeraCorp
TeraCorp is a company specialized in products and services focused on EPM.
TeraCorp's mission is to create innovative solutions that help people, businesses and partners to exceed their goals, reaching their full potential.
Learn more @ www.teracorp.com.br/en
Pre-Requisites
Knowledge on:
● ODI
● Hyperion Planning
● SQL
Agenda
Business Needs
Hyperion Planning Security
Hyperion Planning Repository
Building Solutions
Dell’s Environment
QA
Business Needs
The Study Case
● One cube with an Entity dimension containing all 22000+ cost centers in the world
● Security must be granted in such a way that a user from a region can only see data from their cost centers
● The parents' aggregation should display only the sum of the data that the user has access to
● Cost centers from different regions under the same parent
● Cost center region defined by an attribute dimension
Hyperion Planning Security
Is Security Robust and Flexible?
● Cannot use attribute dimension to define security
Access control at Leaf level?
● How to provide and maintain security at leaf level in dimensions with 22000+ cost centers?
● How to handle cost centers that change their region?
Use Microsoft Excel to generate all necessary security combinations?
● What's the cost to maintain such a file in a fast changing business structure?
Solution Choice
Aggregation Solution
● A Region dimension to split the data by the world regions and provide the right aggregation in parent levels.
● Cost Center Region defined by an attribute dimension.
● The EMEA users need to have access only to Cost Centers with a support geography that belongs to SUPP_EMEA and only to the EMEA Region.
Security Solution
● Read the Planning application repository to dynamically build the Entity dimension security based on the geography attributes and the groups associated with the Entity upper level members
● Security must be granted “bottom-up”
Planning Security Pre-Requisites
● The security must be granted for all users or groups on the high level members (e.g. Entity gen1 and/or gen2 members). The relation must be set as “Member”.
● The Entity members' attributes and the Support Geography hierarchy
● The user or group names should have a relationship with the attribute member.
Groups
Planning Repository Overview
All information exists in the Planning repository.
Seven tables were used to build this solution:
● Three security tables
● Three attribute tables
● One object table
Security Tables
Security is defined using three tables:
● HSP_USERS
  ● Only used if a user is assigned directly to an object in Planning
● HSP_GROUP
  ● Only used if a group is assigned directly to an object in Planning
● HSP_ACCESS_CONTROL
  ● Used to associate a user or group with an object, and also states what access it will have to the object and whether this access extends to its children or applies only to the object itself
HSP_USERS
Column Name | Description
USER_ID | The user id that is created after a user logs in or is assigned to any object in Hyperion Planning.
SID | The native or external directory ID

HSP_GROUP
Column Name | Description
GROUP_ID | The group id that is created after a user that belongs to a group logs in or a group is assigned to any object in Hyperion Planning.
SID | The native or external directory ID

HSP_ACCESS_CONTROL
Column Name | Description
USER_ID | The user or group id that is created after a group or a user is assigned to any object in Hyperion Planning.
OBJECT_ID | The ID of the object that has been granted the security
ACCESS_MODE | The type of access that a user or a group can have on an object: 1 = Read, 3 = ReadWrite, -1 = Deny
FLAGS | Essbase access flag; determines if a user or a group has access only to that object or to the hierarchy below it: 0 = Member, 5 = @Children, 6 = @IChildren, 8 = @Descendants, 9 = @IDescendants
Attribute Tables
Attributes are defined using three tables:
● HSP_ATTRIBUTE_DIM
  ● Stores all attribute dimensions
● HSP_ATTRIBUTE_MEMBER
  ● Holds all attribute members stored in Planning
● HSP_MEMBER_TO_ATTRIBUTE
  ● Joins the attributes with the members of a dimension
HSP_ATTRIBUTE_DIM
Column Name | Description
ATTR_ID | ID of the Attribute dimension.
DIM_ID | The ID of the dimension that the attribute is associated with

HSP_ATTRIBUTE_MEMBER
Column Name | Description
ATTR_MEM_ID | ID of the Attribute member.
ATTR_ID | ID of the Attribute dimension.

HSP_MEMBER_TO_ATTRIBUTE
Column Name | Description
MEMBER_ID | ID of the member that has been assigned an attribute.
ATTR_ID | ID of the Attribute dimension.
ATTR_MEM_ID | ID of the Attribute member.
Object Table
Planning objects are defined using one table:
● HSP_OBJECT
  ● Contains the metadata of all Planning objects as well as the parent member relationship used to create the whole metadata structure.

HSP_OBJECT
Column Name | Description
OBJECT_ID | Object ID for all objects in Planning.
OBJECT_NAME | Stores all metadata descriptions in Planning (e.g. Alias, Members)
OBJECT_TYPE | Type of the object (e.g. Entity, Account, Attribute…)
PARENT_ID | Parent ID of the object. Used to build the parent/child relationship with OBJECT_ID
GENERATION | Informs which generation the object belongs to.
HAS_CHILDREN | Informs whether the object has a child or not
Building Solution
Entity Hierarchy
● Extract the Entity dimension members and their attributes from the Planning repository
  ● Use CONNECT BY NOCYCLE PRIOR to rebuild the hierarchy from the bottom up
Support Geography Hierarchy
● Extract the Support Geography attribute dimension hierarchy from the Planning repository
  ● Use CONNECT BY PRIOR to rebuild the hierarchy
Join 1: Entity + Support Geography
● Join both queries by ATTR_MEM_ID
Users/Groups Security
● Extract the generation 1 and 2 members and their security groups from the Planning repository
  ● Generation 1 is Channel and contains all groups that have access to everything
  ● Generation 2 are the Business segments and contain all groups that have access only to that segment
● Join the queries by LIKE of REGION_NAME
Join 2: Adding Security Groups
Generation 1 and 2 Members
● Identify the Generation 1 and 2 parents for all Entity members under them.
● Join Parent_ID from Generation 1 or 2 and Entity_ID
Join 3: Putting Everything Together
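The three joins described above, written out as one Oracle query. This is an added example, not the presenters' query: table and column names come from the repository tables listed earlier, while the bind variables, the resolution of group and attribute-member IDs to names through HSP_OBJECT.OBJECT_ID, the leaf-level "Member" flag on the output, and the SUPP_ prefix stripping in the LIKE match are assumptions.

```sql
-- Added example. Binds are placeholders:
--   :support_geo_attr_id = ATTR_ID of the Support Geography attribute dimension
--   :region_gen          = generation of the region-level attribute members
WITH entity_up AS (      -- every attributed cost center with all its ancestors
  SELECT CONNECT_BY_ROOT o.object_id   AS entity_id,
         CONNECT_BY_ROOT o.object_name AS entity_name,
         o.object_id                   AS ancestor_id
    FROM hsp_object o
   START WITH o.object_id IN (SELECT ma.member_id
                                FROM hsp_member_to_attribute ma
                               WHERE ma.attr_id = :support_geo_attr_id)
 CONNECT BY NOCYCLE PRIOR o.parent_id = o.object_id
),
geo_up AS (              -- every attribute member mapped to its region ancestor
  SELECT CONNECT_BY_ROOT o.object_id AS attr_mem_id,
         o.object_name               AS region_name
    FROM hsp_object o
   WHERE o.generation = :region_gen
   START WITH o.object_id IN (SELECT am.attr_mem_id
                                FROM hsp_attribute_member am
                               WHERE am.attr_id = :support_geo_attr_id)
 CONNECT BY PRIOR o.parent_id = o.object_id
),
top_grants AS (          -- groups granted as "Member" (FLAGS = 0) on gen 1/2
  SELECT ac.object_id  AS top_id,
         ac.user_id    AS group_id,
         g.object_name AS group_name,   -- assumption: group name via HSP_OBJECT
         ac.access_mode
    FROM hsp_access_control ac
    JOIN hsp_object e ON e.object_id = ac.object_id
    JOIN hsp_object g ON g.object_id = ac.user_id
   WHERE ac.flags = 0
     AND e.generation IN (1, 2)
)
SELECT DISTINCT tg.group_id, tg.group_name,
       eu.entity_id, eu.entity_name,
       tg.access_mode, 0 AS flags       -- assumption: leaf grant as "Member"
  FROM entity_up eu
  JOIN hsp_member_to_attribute ma ON ma.member_id = eu.entity_id
                                 AND ma.attr_id   = :support_geo_attr_id
  JOIN geo_up gu     ON gu.attr_mem_id = ma.attr_mem_id      -- Join 1
  JOIN top_grants tg ON tg.top_id      = eu.ancestor_id      -- Join 3
 -- Join 2: group name must contain the region, e.g. SUPP_EMEA -> '%EMEA%'
 WHERE tg.group_name LIKE '%' || REPLACE(gu.region_name, 'SUPP_') || '%';
```

A cost center that changes region only needs its attribute updated: the next run matches it to the other region's groups.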
Why ODI?
Full flexible development platform
● Tweak KMs and procedures to create dynamic processes
● Virtually accepts any existing technology
Complete execution platform
● Built-in security (only key users can use it)
● Easy for users to use
● Automate, schedule and control jobs
● Complete log information
Solution Design Choices
Two ways to do it:
● Solution 1: Generate a SecFile and run a command line at the end of the ODI process to load it into Planning (using the ImportSecurity utility)
● Solution 2: Insert the security directly into the HSP_ACCESS_CONTROL table

ImportSecurity | Insert into Repository
No clear control (clear all or nothing) | Clear any type of security based on any rule (delete clause + repository)
No service restart | Service restart
No repository manipulation | Repository manipulation
Solution 1: ImportSecurity
The ImportSecurity utility loads access permissions for users or groups from a text file into Planning.
ImportSecurity.cmd [-f:passwordFile] "appname,username,[delimiter],[RUN_SILENT],[SL_CLEARALL]"

Parameter | Description
[-f:passwordFile] | Optional: If an encrypted password file is set up, use as the first parameter in the command line to read the password from the full file path and name specified in passwordFile.
appname | Name of the Planning application to which you are importing access permissions.
username | Planning administrator user name.
delimiter | Optional: SL_TAB, SL_COMMA, SL_PIPE, SL_SPACE, SL_COLON, SL_SEMI-COLON. If no delimiter is specified, comma is the default.
RUN_SILENT | Optional: Execute the utility silently (the default) or with progress messages. Specify 0 for messages, or 1 for no messages.
[SL_CLEARALL] | Optional: Clear existing access permissions when importing new access permissions. Must be in uppercase.
Solution 1: SecFile.txt
The SecFile.txt contains the access permissions for users or groups and should have the following format:

Item | Description
username or group name | The name of a user or group defined in Shared Services Console.
artifact name | The named artifact for the imported access permissions (for example the member, data form, task list, folder, or Calculation Manager business rule).
access permissions | Read, ReadWrite, or None. If there are duplicate lines for a user/member combination, the line with ReadWrite access takes precedence.
Essbase access flags | @CHILDREN, @ICHILDREN, @DESCENDANTS, @IDESCENDANTS and MEMBER.
artifact type | For artifacts other than members, distinguish which artifact you are importing security for with the artifact type identifier.
Solution 1: Design Decision
Importing access permissions overwrites existing access assignments, and the SL_CLEARALL parameter clears all existing access permissions, giving us two options:
● (1.1) Load only the new security and manually delete the old undesired access (sent by email through the interface)
● (1.2) Clear all security with SL_CLEARALL and then load all access from all dimensions back into Planning (Entity + all other existing security)
Solution 1.1: Generating SecFile.txt
● Load only new security to SecFile.txt
  ● Using two datasets to generate a Minus between the new and the existing security
Solution 1.1: Generating Old Security File
● Load all old security to OldSecurity.txt
  ● Using two datasets to generate a Minus between the existing security and the newly generated access
Solution 1.2: Generating Full SecFile.txt
● Load ALL security to SecFile.txt
  ● Using two datasets to generate a Union between the new and the existing security
Solution 1: Import Security
● Use an ODI Procedure to run a CMD command on the Planning server and import security
Solution 2
Insert/Delete Security on HSP_ACCESS_CONTROL
● Hyperion Planning Repository
Restart Hyperion Planning Service
● SC \\PLANNING_SERVER STOP HYS9Planning
● Wait
● SC \\PLANNING_SERVER START HYS9Planning
● Wait
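The two Minus datasets of Solution 1.1 also give the insert and delete sets for Solution 2, so one query serves both. This is an added example, not the presenters' ODI interface; it assumes a hypothetical staging table NEW_ENTITY_SECURITY(GROUP_ID, ENTITY_ID, ACCESS_MODE, FLAGS) holding the derived grants, that names resolve through HSP_OBJECT.OBJECT_ID, and that ACCESS_MODE -1 is written to the SecFile as None.

```sql
-- Added example. NEW_ENTITY_SECURITY is a hypothetical staging table;
-- :support_geo_attr_id is a placeholder for the Support Geography ATTR_ID.
WITH existing AS (   -- current grants on the cost centers this process manages
  SELECT ac.user_id, ac.object_id, ac.access_mode, ac.flags
    FROM hsp_access_control ac
   WHERE ac.object_id IN (SELECT ma.member_id
                            FROM hsp_member_to_attribute ma
                           WHERE ma.attr_id = :support_geo_attr_id)
),
staged AS (          -- grants the derivation says should exist
  SELECT n.group_id AS user_id, n.entity_id AS object_id,
         n.access_mode, n.flags
    FROM new_entity_security n
),
delta AS (
  SELECT 'ADD' AS action, a.*       -- SecFile.txt lines / rows to insert
    FROM (SELECT * FROM staged MINUS SELECT * FROM existing) a
  UNION ALL
  SELECT 'REMOVE' AS action, r.*    -- OldSecurity.txt lines / rows to delete
    FROM (SELECT * FROM existing MINUS SELECT * FROM staged) r
)
SELECT d.action,
       g.object_name || ',' || e.object_name || ',' ||
       -- ACCESS_MODE and FLAGS codes as listed for HSP_ACCESS_CONTROL;
       -- mapping -1 (Deny) to 'None' is an assumption
       DECODE(d.access_mode, 1, 'Read', 3, 'ReadWrite', -1, 'None') || ',' ||
       DECODE(d.flags, 0, 'MEMBER', 5, '@CHILDREN', 6, '@ICHILDREN',
                       8, '@DESCENDANTS', 9, '@IDESCENDANTS') AS secfile_line
  FROM delta d
  JOIN hsp_object g ON g.object_id = d.user_id    -- assumption: group name
  JOIN hsp_object e ON e.object_id = d.object_id  -- member name
 ORDER BY d.action, secfile_line;
```

Run again after the load, an empty result means HSP_ACCESS_CONTROL matches the staged set; any remaining REMOVE row is a grant on a managed cost center that the attribute rules do not justify.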
ODI Package
Simple ODI Solution
Building Solution
Dell Environment
[Figure: Production Planning Architecture. Labels: Source Systems; DRM (Metadata Source); Oracle Inbound tables schema; Traditional ETL; IKM SQL to Hyperion Planning (Metadata); IKM SQL to Hyperion Essbase (DATA); Hyperion Planning; Essbase; LKM Hyperion Essbase DATA to SQL; Security and admin tasks; Oracle Outbound tables schema; External Systems]
QUESTIONS?
Thank you!