Using Oracle E-Business Suite (EBS) to Manage EPM Functional Security For EPM Releases 11.1.1.3 and 11.1.2 Use Case • The customer manages the privileges and responsibilities in EBS • The customer would like to manage EPM’s functional security (roles) in EBS as part of a custom application with its privileges Assumptions • EBS users belong to a corporate directory such as OID or MSAD • If EBS is configured to use native users and not OID, then the email address in EBS should match the email address of the corporate directory Integration Approach • The integration is done via two capabilities in EPM: • Hyperion Shared Service’s ability to assign roles to native groups • LCM’s ability to load native groups into the system Configuration Steps for the Integration Task Overview • In EPM: • Configure EPM’s security to use the corporate directory where the EBS users reside • Use SQLPlus or other means to export responsibilities and users assigned to these responsibilities • Use LCM to import the above data into Shared Services. This will create native EPM groups for each EBS responsibility • Schedule these two tasks to run them periodically, as needed Configuring EPM Security • EPM security is administered and managed in Shared Services. You need to launch Shared Services Console and configure the corporate directory where the EBS users reside as a provider in Shared Services. The following slides detail these steps using OID as an example. Configure EBS User Directory Configure EBS User Directory Configure EBS User Directory Configure EBS User Directory Configure EBS User Directory Configure EBS User Directory Again • Configure the EBS user directory once to be able to authenticate users based on their login attribute • Configure the EBS user directory again with the email address as the login attribute, because users are extracted and imported from EBS based on the email attribute • After configuring the EBS user directory with the email address as the login attribute, put that directory lower in the search order and disable group cache Configure EBS User Directory Again – using email address Configure EBS User Directory Again – using email address Provide a valid email address here and click autoconfigure Configure EBS User Directory Again – using email address Uncheck This to disable group cache Configure EBS User Directory Again – using email address Lower Search Order for New Directory Configured Use LCM to Create Migration Definition File • Use the LCM UI in Shared Services Console to build a migration definition file that will be used to import the responsibilities data • Once LCM data has been extracted as shown, add the EBS extracted data in the format specified to the groups.csv file that is found under the folder you will specify in the LCM UI at: $MIDDLEWARE_HOME\user_projects\epm system1\import_export\admin@Native Directory Create Migration Definition File for LCM Create Migration Definition File for LCM Create Migration Definition File for LCM Create Migration Definition File for LCM Create Migration Definition File for LCM Save Migration Definition File Execute Migration The Exported Shows up on the Filesystem Extract EBS Security • The following three slides show the sample SQL that can be used to extract the security from EBS. You will need to format the output as shown in the “Sample Format for Groups.csv” slide. • Merge the results of the two queries into a single CSV file. • Insert the headers and static text as shown in red in the .csv file prior to importing into Shared Services. • Note that in the slide that shows the sample format for goups.csv, the text shown in red is mandatory and static. • The sample query has a condition in the “where” clause to filter based on a given application name. Use the application name in EBS that will be used for managing user security for EPM. Extract Responsibilities in .csv Format Extract the responsibilities so that these will be the native groups. You may use the following sample but customize to your specific implementation. select distinct'"'||R.RESPONSIBILITY_NAME||'"',',Native Directory' from APPS.FND_USER_RESP_GROUPS G , APPS.FND_USER U , APPS.FND_RESPONSIBILITY_VL R , APPS.FND_APPLICATION_VL A where (1=1) /* joins */ and R.APPLICATION_ID = A.APPLICATION_ID and G.RESPONSIBILITY_ID = R.RESPONSIBILITY_ID and G.RESPONSIBILITY_APPLICATION_ID = R.APPLICATION_ID and G.USER_ID = U.USER_ID /* filters */ and R.START_DATE < SYSDATE and nvl(R.END_DATE, SYSDATE) >= SYSDATE and U.START_DATE < SYSDATE and nvl(U.END_DATE, SYSDATE) >= SYSDATE and G.START_DATE < SYSDATE and nvl(G.END_DATE, SYSDATE) >= SYSDATE /*and A.APPLICATION_SHORT_NAME = 'EPM'*/ and U.USER_ID is not null Extract Responsibilities and Assignments in .csv Format Use this query if using OID with EBS to extract the responsibilities and the users assigned to these responsibilities for the custom application created. You may use the following sample but customize to your specific implementation. select '"'||R.RESPONSIBILITY_NAME||'"',',',',',',' , '"'||U.USER_NAME||'"', ',Native Directory' from APPS.FND_USER_RESP_GROUPS G , APPS.FND_USER U , APPS.FND_RESPONSIBILITY_VL R , APPS.FND_APPLICATION_VL A where (1=1) /* joins */ and R.APPLICATION_ID = A.APPLICATION_ID and G.RESPONSIBILITY_ID = R.RESPONSIBILITY_ID and G.RESPONSIBILITY_APPLICATION_ID = R.APPLICATION_ID and G.USER_ID = U.USER_ID /* filters */ and R.START_DATE < SYSDATE and nvl(R.END_DATE, SYSDATE) >= SYSDATE and U.START_DATE < SYSDATE and nvl(U.END_DATE, SYSDATE) >= SYSDATE and G.START_DATE < SYSDATE and nvl(G.END_DATE, SYSDATE) >= SYSDATE /*and A.APPLICATION_SHORT_NAME = 'EPM'*/ and U.USER_NAME is not null Extract Responsibilities and Assignments in .csv Format Use this query if using EBS with native users to extract the responsibilities and the users assigned to these responsibilities for the custom application created. The email address in EBS should match the external directory as well. You may use the following sample but customize to your specific implementation. select '"'||R.RESPONSIBILITY_NAME||'"',',',',',',' , '"'||U.EMAIL_ADDRESS||'"', ',Native Directory' from APPS.FND_USER_RESP_GROUPS G , APPS.FND_USER U , APPS.FND_RESPONSIBILITY_VL R , APPS.FND_APPLICATION_VL A where (1=1) /* joins */ and R.APPLICATION_ID = A.APPLICATION_ID and G.RESPONSIBILITY_ID = R.RESPONSIBILITY_ID and G.RESPONSIBILITY_APPLICATION_ID = R.APPLICATION_ID and G.USER_ID = U.USER_ID /* filters */ and R.START_DATE < SYSDATE and nvl(R.END_DATE, SYSDATE) >= SYSDATE and U.START_DATE < SYSDATE and nvl(U.END_DATE, SYSDATE) >= SYSDATE and G.START_DATE < SYSDATE and nvl(G.END_DATE, SYSDATE) >= SYSDATE /*and A.APPLICATION_SHORT_NAME = 'EPM'*/ and U.EMAIL_ADDRESS is not null Sample Format for Groups.csv – using email_address #group id,provider,name,description,internal_id Sourcing Supplier Resp02 , Native Directory Cash Management , Native Directory General Ledger Super User , Native Directory #group_children id,group_id,group_provider,user_id,user_provider Sourcing Supplier Resp02 , , , procqa-seller1_us@oracle.com , Native Directory Cash Management , , , ARFinQA_in@oracle.com , Native Directory General Ledger Super User , , , Native Directory ebusiness_vision@oracle.com , Sample Format for Groups.csv – using user_id #group id,provider,name,description,internal_id Sourcing Supplier Resp02 , Native Directory Cash Management , Native Directory General Ledger Super User , Native Directory #group_children id,group_id,group_provider,user_id,user_provider Sourcing Supplier Resp02 , , , 555SECUSER14 , Native Directory Cash Management , , , ARFINQA_02 , Native Directory General Ledger Super User , , , EBUSINESS_AR , Native Directory Import Using LCM Administration Tasks after the first import and any subsequent application creation • In EPM: • Provision native groups created by the LCM import to the appropriate role(s) in the application. This is a “one time” activity. • If the groups and apps are high in number, bulk provisioning can be done via LCM. Provision EPM Roles to EBS Responsibility Groups Provision EPM Roles to EBS Responsibility Groups