Oracle Documentation

Setting Up Sales Planning Cloud Security

Before you begin

This 75-minute tutorial shows you how to manage security in Access Control and set up access permissions in Oracle Sales Planning Cloud. The Background and Security Overview sections in this tutorial describe the layers of Sales Planning security. The sections build on each other and should be completed sequentially.

Background

Planning implements several security layers:

  • Oracle Identity Management
  • Sales Planning Access Control
  • Data and Artifact Access Permissions
  • Valid Intersections

This tutorial includes an overview of each security layer, and shows you how to manage access control and access permissions in Oracle Sales Planning Cloud.

What do you need?

An Oracle Sales Planning Cloud Service instance allows you to deploy and use one application. To deploy another application, you must request another Oracle Sales Planning Cloud instance or remove the current application.

  • Have Service Administrator access to Oracle Sales Planning Cloud. The instance should not have an application created.
  • Import the SalesPln application into your Oracle Sales Planning Cloud instance:
    • If you haven't already, register for a free Oracle Cloud Customer Connect account so you can access the required files.
    • From this Idea page, download and extract the SPC_apps.zip file. The compressed file contains two snapshots.
    • Upload and import the SPC_BaseAdv.zip snapshot into your Oracle Sales Planning Cloud instance.

      • For more information on uploading and importing migration snapshots, refer to the Administering Migration for Oracle Enterprise Performance Management Cloud documentation.

Security overview

Oracle Identity Management

Single-sign on (SSO) and role-based security are managed by Oracle Identity Management, which defines a security domain for each environment. After a successful sign-in, access to the service is determined by the role assigned to the user.

Identity Domain

An identity domain controls the accounts of users who need access to environments. It also controls the features that authorized users can access.

An Identity Domain Administrator creates and manages user accounts within an identity domain. The Account Administrator, while activating the service, identifies a user who is granted the Identity Domain Administrator role.

By default, each customer is allocated two environments of a service: test and production. The Identity Domain Administrator uses the Security Page of My Services to manage the users who need access to these environments, as well as managing users and their roles, configuring single sign-on, and setting up network restricted access. While users are shared across test and production environments, they are provisioned separately for each.

Several Oracle Cloud services may belong to one identity domain.

Users

Each user who needs to access an environment must have an account in the identity domain associated with the environment.

To determine or limit what a user can do within an environment, you assign roles.

Predefined Roles

You can assign roles to a user to allow access to Oracle Cloud services (such as Oracle Sales Planning Cloud) that have predefined roles defined in Oracle Identity Cloud Service.

Users must be assigned to predefined roles that grant them access to business functions and associated data.

Most Oracle Cloud services use a common set of four predefined functional roles to control access to service environments. The access that a predefined role grants within an environment depends on the service type. Here are the Oracle Sales Planning Cloud predefined roles:

  • Service Administrator—Performs all functional activities, including granting roles to users. This role should be granted to functional experts who need to create and administer the Sales Planning application and service components.
  • Power User—Views and interacts with data. This role grants high-level access to several functional areas within an environment and should be granted to department heads and business unit managers, and business users in charge of a region who need to control the approval process.

    A Power User can perform these activities:

    • Creates and maintains forms, Oracle Smart View for Office worksheets, and reports
    • Manages business rules security, but cannot create rules
    • Creates and manages user variables for the application, but cannot delete them
    • Views substitution variables
    • Controls the approvals process, performs actions on approval units to which they have write access, and assigns owners and reviewers for the organization under her charge
    • Creates reports using Reporting Web Studio, accesses the repository to create folders and save artifacts
    • Loads data using forms, Data Integration, and Data Management
  • User
    • Enters data into forms and submits them for approval, analyzes forms using ad hoc features, controls the ability to drill through to the source system
    • Accesses and modifies (rename, delete) the Reports content stored in the Repository for which the user has View, Modify, or Full Control permissions.
  • Viewer—Views and analyzes data through forms and data access tools. Typically, this role should be assigned to executives who need to view business plans during the budgeting process.

Access Control in Sales Planning

While the overall access rights are controlled by the predefined Oracle Cloud Service roles, Service Administrators can grant application-specific roles and data grants to users and to groups created and managed in Sales Planning's Access Control.

In Sales Planning's Access Control, you can assign roles at the application-level to enhance the access rights of users. Privileges granted by a predefined role cannot be curtailed by roles assigned at the application-level.

Access Control enables you to complete these activities in an environment:

  • Managing Groups
  • Assigning Roles to a Group or a User
  • Generating a Role Assignment Report for a User or Group
  • Generating the Role Assignment Report For Your Environment
  • Viewing the User Login Report

Data and Artifact Access Permissions

You can assign permissions to:

  • Dimensions, including user-defined dimensions
  • Launch privileges to rules
  • Rule folders
  • Forms and Form Folders
  • Dashboards and Dashboard Folders
  • Infolets and Infolet Folders
  • Task lists

Types of Access Permissions

Access permissions include Read, Write, and None.

You can also set who can launch which rules: Launch and No Launch.

If a user inherits Launch permission to a rule by belonging to a group, and is also assigned No Launch permissions by belonging to another group, the more restrictive No Launch assignment takes precedence.

You can set permissions for task lists: Assigned, Manage, Manage and Assign, None.

Users and Groups: Precedence

You can specify access permissions for users and groups. When you assign a user to a group, that user acquires the group's access permissions. If an individual's access permissions conflict with those of a group the user belongs to, user access permissions take precedence.

Inheriting Permissions

Inheritance determines the user or group’s access permissions.

Instead of assigning access permissions to individual dimension members, you can use the more efficient inheritance option to assign permissions to multiple members.

Assign access to individual members only on an exception basis. For example, for the North America Sales group, you assign write access to North America and its descendants, and read access to one of its children, the North America Headquarters entity.

The following inheritance options are available:

  • Member—Only to the currently selected member
  • Children—To all children members in the level below the currently selected member
  • Children (inclusive)—To the currently selected member and all children members in the level below it
  • Descendants—To all descendant members below the currently selected member
  • Descendants (inclusive)—To the currently selected member and all descendant members below it

You can specify an attribute that causes the children or descendants of that member to inherit its permissions.

Precedence and Inheritance

Assigned permissions take precedence over inherited permissions. You can include or exclude the member from the permissions setting.

When evaluating permissions, Sales Planning gives precedence in this order:

  1. Role-level security

    Users with the Service Administrator role have permissions to all application elements.

  2. For Power User and Planner user types, permissions that are specifically assigned to users.
  3. Permission assignments that are acquired by belonging to a group.

    If one member belongs to two groups with different permissions assigned to group members, the least restrictive permission takes precedence. For example, if one group assigns the member Read permission and another group assigns the same member Write permission, Write takes precedence. However if one of the groups assigns no permission (None) to its members, None takes precedence over Read and Write.

  4. Parent-level assignments (for example, to parent members or folders).

Valid Intersections

You can define rules, called valid intersection rules, that filter cell intersections for users when they enter data or select runtime prompts. For example, you can restrict product availability based on entities.

You can create valid intersection groups that contain multiple valid intersection rules.

Valid Intersections in Forms

After valid intersections are defined, cells containing invalid data are read-only. This restriction speeds the planning process and optimizes the information available to users.

If the dimensions that are set in the valid intersection are found on the Page, the user will be presented only with valid combinations in the member selector.

If the dimensions that are set with valid intersections are found on the column or row, the form designer can suppress invalid intersections completely. When the suppression option isn't selected, invalid intersections are set to read only.

Managing Security in Access Control

About themes

You can change the theme of your display or add your company logo or a background image to the home page.

This tutorial was developed using the Dark Blue theme. You can select a theme by clicking Navigator (Navigator), then under Tools, click Appearance. For Theme, select a color option.

Appearance page

Opening Access Control

From the home page, click Tools, then Access Control.

Tools cluster and the Access Control card

Access Control is opened with Manage Groups displayed.

Access Control page

Managing Groups

Access Control lists the predefined roles as groups. Service users, who are assigned to predefined roles, are listed in Access Control so that they can be added as group members.

Predefined roles in groups

You use Migration or EPM Automate commands to export and import groups.

Creating Groups

  1. In Manage Groups, click Create.
  2. In the Name textbox, enter a unique group name.

    Group names may contain a maximum of 256 characters.

  3. Optional: Enter a description for the group.
  4. Optional: Add groups to create a nested group.
    • Click Search (Search) to display a list of available groups or filter the list by entering a search string, and then
      clicking Search (Search).
    • From Available Groups, select the members groups to add to the new group.
    • Click Move (Move).

      The selected groups are listed under Assigned Groups.

      Clicking Move, Move All, Remove, Remove All allows you to add or remove assignments.

    Create Group dialog box
  5. Optional: Add service users as members of the group in Users.
    • Click Users.
    • From Available Users, click Search (Search) to display a list of users or filter the list by entering a search string, and then clicking Search (Search).
    • Click Move (Move).

      • Clicking Move, Move All, Remove, Remove All allows you to add or remove users to the Assigned Users list.

  6. Click Save.
  7. In the Create Group message, click OK.
  8. Click Close.

    The group is listed in Manage Groups.

    Manage Groups page listing the new group

Modifying Groups

You cannot modify the names and description of predefined roles in Access Control.

Editing predefined roles

You can modify group properties and assignments for groups that you created.

  1. In Manage Groups, locate the group you created and click Actions (Actions).
  2. Select Edit.
    Actions menu options
  3. Modify the name, description, assigned groups, and users in Edit Group.

    Refer to steps 2 to 5 in the Creating Groups section of this tutorial.

  4. Click Save.
  5. In the Edit Group message, click OK.
  6. Click Close.

Deleting Groups

You cannot delete predefined roles in Access Control.

  1. In Manage Group, locate the group you want to delete and click Actions (Actions).
  2. Select Delete.
  3. In the Delete Group prompt, click Yes.
  4. In the Delete Group message, click OK.

Managing Users

You can manage a user's group assignment in Manage Users.

The users displayed in this tutorial may vary from the users displayed in your Sales Planning application. The users listed will depend on the users you have added and provisioned in Oracle Identity Manager.

In Access Control, click Manage Users.

Manage Users

Manage Users lists all provisioned users in the system.

List of users in Manage Users

You create users, modify user properties, and delete users in Oracle Identity Management.

To modify a user's group assignment:

  1. In Manage Users, select a user and click Actions (Actions).
  2. Select Edit.
  3. Assign or unassign groups to the user.
    • Click Search (Search) to display a list of available groups or filter the list by entering a search string, and then
      clicking Search (Search).
    • From Available Groups, select groups.
    • Click Move (Move).

      The selected groups are listed under Assigned Groups.

      Clicking Move, Move All, Remove, Remove All allows you to add or remove assignments.

    Editing a user
  4. Click Save.
  5. In the Edit User message, click OK.
  6. Click Close.

Assigning Application Roles

Service Administrators can grant application-specific roles and data grants to users and to groups created and managed in Access Control.

In Access Control, click Assign Application Roles.

Assigning application roles to users:

Assign Application Roles to Users

Assigning application roles to groups:

Assign Application Roles to Groups

Application Roles

  • Approvals Administrator—Resolves approval issues by manually taking ownership of the process.
  • Approvals Ownership Assigner—Performs all tasks that users with the Planner role can complete.
  • Approvals Process Designer—Performs all tasks that users with the Planner and Approvals Ownership Assigner role can complete.
  • Approvals Supervisor—Performs tasks for any member of the planning unit hierarchy to which the user has write access even if the user does not own the planning unit.
  • Ad Hoc Grid Creator—Creates, views, modifies, and saves ad hoc grids.
  • Ad Hoc User—Views and modifies ad-hoc grids and performs ad hoc operations.
  • Ad Hoc Read Only User—Performs all ad hoc functions, but cannot write back into ad hoc grids or load data using Data Management.
  • Mass Allocation—Runs mass allocation rules within form grids.
  • Task List Access Manager—Assigns tasks to other users.
  • Create Integration—Uses Data Management and Data Integration to create mappings to integrate data between source and target systems.
  • Run Integration—Executes data rules with runtime parameters and views execution logs in Data Management and Data Integration.
  • Drill Through—Drills through to the source system of the data.

Assigning and Modifying Assigned Roles to a User

Only the users who are assigned to predefined roles can be assigned application-level roles to enhance the access they have to perform tasks within Planning.

  1. From the dropdown list, select Users and click Search (Search).
    Selecting Users

    A list of service users are displayed.

    List of users
  2. Locate a user and click Actions (Actions).
  3. Select Assign Roles.
    Actions menu
  4. From the Available Application Roles, select the roles you want to assign.
  5. Click Move (Move).

    Clicking Move, Move All, Remove, Remove All allows you to add or remove assignments.

  6. Click OK.
    Move
  7. In the Assign Application Roles to User message, click OK.
  8. Click Cancel.

Removing Assigned Roles from Users

You can remove all the roles assigned to a user.

  1. In Assign Application Roles, locate a user and click Actions (Actions).
  2. Select Unassign Roles.
  3. In the Unassign User Roles prompt, click Yes.
  4. In the Unassign Roles User message, click OK.

Assigning and Modifying Assigned Roles to Groups

  1. From the dropdown list, select Groups and click Search (Search).
  2. Locate a group and click Actions (Actions).
  3. Select Assign Roles.
  4. From the Available Application Roles, select the roles you want to assign.
  5. Click Move (Move).

    Clicking Move, Move All, Remove, Remove All allows you to add or remove assignments.

  6. Click OK.
    Assigning Application Roles to a Group
  7. In the Assign Application Roles to Group message, click OK.
  8. Click Cancel.

Removing Assigned Roles from Groups

You can remove all the roles assigned to a group.

  1. In Assign Application Roles, locate a group and click Actions (Actions).
  2. Select Unassign Roles.
  3. In the Unassign Group Roles prompt, click Yes.
  4. In the Unassign Roles Group message, click OK.

Viewing the Role Assignment Report

Service Administrators use the Role Assignment Report to review the access, assigned through predefined roles and application-level roles, assigned to all users.

To generate the Role Assignment Report in Access Control, click Role Assignment Report.

Role Assignment Report

The report lists the predefined roles and Planning application roles assigned to the user.

Generated Role Assignment Report

Click Export to CSV to export the Role Assignment Report as a comma separated value file.

Viewing the User Login Report

The User Login Report contains information on the users who signed into the environment over a specified period of time.

To generate the User Login Report in Access Control, click User Login Report.

User Login Report

Click Export to CSV to export the User Login Report as a comma separated value file.

Viewing the User Group Report

The User Group Report lists the direct or indirect membership of users assigned to groups in Access Control.

To generate the User Group Report in Access Control, click User Group Report.

User Group Report

Click Export to CSV to export the User Group Report as a comma separated value file.

Assigning Access Permissions

Dimensions and Members

You can assign permissions to members by selecting the dimension property Apply Security. See the Managing Dimensions in Planning tutorial for steps in Editing Dimension Properties.

If you omit or clear the Apply Security setting, all users can access the dimension's members. By default, the Account, Entity, Scenario, and Version dimensions are enabled for access permissions. Optionally, you can enable this option for Period, Years, and Custom dimensions.

  1. Return to the home page. Click Home icon (Home).
  2. Click Application, and then Overview.
  3. Click Dimensions.
  4. Filter the dimension view by selecting a cube from the Cube dropdown list.
    Selecting cubes
  5. After selecting a cube, click the name of a dimension you want to view.

    In this example, the Product dimension in the OEP_GSP cube is opened in Edit Member Properties.

    Edit Member Properties: Measures
  6. In the grid, select a member then click Assign Permission (Assign Permission).
    Select a member and click Assign Permission

    Assign Permission is displayed.

    Assign Permission dialog box
  7. Click Permissions.
  8. Perform a task:
    • To add permissions, click Add User/Group, and then select from the list of available users and groups.
      Adding users/groups
    • Click OK, then click Close.
    • To edit the type of permissions, select an option:
      • Click Read to allow the selected users and groups to view the artifact or folder in the listing, but not allow them to create, edit, or delete the artifact or folder information.
      • Click Write to allow the selected users and groups to view the artifact or folder in the listing, and to create, edit, or delete the artifact or folder information.
      • Click None if you don't want the selected users or groups to view the artifact or folder in the listing.
      Assigning permission types
    • Optional: Select a relationship. For example, select Children to assign access to children of the selected member.
    • To remove permissions, for the selected user or group, click Delete (Delete).
  9. When finished adding permissions to users and groups, click Save.
  10. In the Information message, click OK.
  11. Click Cancel to close Assign Permissions.
  12. In Edit Member Properties, click Save.
  13. Click Cancel to close Edit Member Properties.

Dashboards, Forms and Form Folders

  1. Return to the home page. Click Home icon (Home).
  2. From the home page, click Dashboards, Infolets, or Data.

    Each artifact or folder has an Actions menu.

    Dashboards
    Infolets
    Forms or Data

    For forms, expand a folder to display more forms.

  3. Click Actions (Actions) next to the artifact or folder and select Assign Permission.
  4. In Assign Permission, click Permissions.
    Permissions tab in the Assign Permission dialog box
  5. Perform a task:
    • To add permissions, click Add User/Group, and then select from the list of available users and groups.
    • Click OK, then click Close.
    • To edit the type of permissions, select an option:
      • Click Read to allow the selected users and groups to view the artifact or folder in the listing, but not allow them to create, edit, or delete the artifact or folder information.
      • Click Write to allow the selected users and groups to view the artifact or folder in the listing, and to create, edit, or delete the artifact or folder information.
      • Click None if you don't want the selected users or groups to view the artifact or folder in the listing.
    • To remove permissions, for the selected user or group, click Delete (Delete).
  6. When finished adding permissions to users and groups, click Save.
  7. In the Information message, click OK.
  8. Click Save.
  9. Click Cancel to close Assign Permissions.

Rules

  1. Return to the home page. Click Home icon (Home).
  2. From the home page, click Rules.
    Rules

    Business Rules are displayed. you can filter the list by cube and rule type.

    Rules page
  3. For a rule or rule folder, click Permission icon (Permission), and then select Assign Permission.
  4. In Assign Permission, click Permissions.
  5. Perform a task:
    • To add permissions, click Add User/Group, and then select from the list of available users and groups.
      Assigning permission types
    • Click OK, then click Close.
    • To edit the type of permissions, select an option:
      • Click Launch to allow the selected users and groups to launch the selected rules.
      • Click No Launch to prevent the selected users and groups from launching the selected rules.
    • To remove permissions, for the selected user or group, click Delete (Delete).
    Assigning rule permissions
  6. When finished adding permissions to users and groups, click Save.
  7. In the Information message, click OK.
  8. Click Cancel to close Assign Permissions.

Task Lists

To complete the steps in this section, you must create a task list. For steps in creating task lists, see the Managing Task Lists in Planning section of the Designing Forms and Managing Task Lists in Planning tutorial.

  1. Return to the home page. Click Home icon (Home).
  2. From the home page, click Tasks.
    Tasks
  3. Click Actions (Actions) next to the task list or task list folder and select Assign Permission.
  4. Click Permissions.
  5. Perform a task:
    • To add permissions, click Add User/Group, and then select from the list of available users and groups.
    • To edit the type of permissions, select an option:
      • Click Assigned to allow view and use of task lists in the folder.
      • Click Manage to allow modifying task lists in the folder.
      • Click Manage and Assign to allow view, use, and modifying tasks lists in the folder.
      • Click None to prevent access to the task lists in the folder.
    • To remove permissions, for the selected user or group, click Delete (Delete).
  6. When finished adding permissions to users and groups, click Save.
  7. In the Information message, click OK.
  8. Click Cancel to close Assign Permissions.

Want to learn more?


Copyright © 1995, 2020, Oracle and/or its affiliates.