Wednesday, January 14, 2015

HFM Security and the [Default] Security Class

The other day there was a post on the Oracle HFM forum where someone had two screenshots of from security and asking about the difference in them. One screenshot had the [Default] class set to ALL and the other screenshot had the [Default] class set to NONE. What's the difference and why is this important? For those who have not taken the 123OLAP HFM Administrator Bootcamp training class with my manual (see Chapter 6 - Shared Services), here are the details.

In HFM security classes are used to link metadata elements and various artifacts (data grids, data forms, journals, etc.) to users and/or groups with some level of access (NONE, READ, ALL, etc.). When a class isn't assigned to something, then the built-in [Default] class is used by the software. From a design standpoint, there are two primary ways of working with this behavior.

1) Give users ALL access to [Default]. If something isn't specifically secured then it's open for the users to modify, assuming everything else allows that.

2) Give users NONE access to [Default]. If something isn't specifically secured with access granted then it is not available to the users.

3) You could do something weird like give users one of the other levels of access to [Default] (Metadata, Read, or Promote) but really they're just variations on (2).

By far, number (1) is the preferred security design. The administrator secures what should be secured and everything else is left open. This design reduces the work in the initial setup and in ongoing maintenance. Also, and this is big, end users don't have to worry about security. If they create a HFM journal, ideally they assign a security class to it that relates to the entity being adjusted (ie, show the Canada journal to only the Canadians and not everyone else). BUT, if they don't assign a class, then with (1) they can still see the journal, edit it, etc. Under (2), if they don't assign a class to the journal then when they save the journal will appear to disappear: it's been correctly saved, but security is not letting them see it.

For some new administrators this can be a tough concept. If you're setting up security on a network firewall, you close all the network ports and open only those that are needed, right? But for HFM, it works best (and its widely done this way) to leave everything open and secure only the necessary metadata/artifacts.


  1. Hi!
    Here's a question. Roles and security classes don't override, right? I mean, if I have and Admin role, and a Default security class, and I don't have access assigned to a Security Class, I won't have access, right? What I could do is to provision my user with the security classes, but I'll need a Provisioning Manager role as well.

  2. Hi. There is no need to assign any level of class access for the administrators. If someone has the administrator role, then they automatically get full modify access to all classes, whether they have been explicitly assigned or not.

  3. Great post! Useful information!