Oracle EPM (Hyperion) Future Update: Predefined Role Name Change

[Update 7/26/2019] In the June and July Oracle Cloud Readiness documents for PBCS, this change was listed as a future update coming in August. As of the latest document for August, this change is still listed as a future update, but there is no specified date for implementation.

Oracle’s EPM Cloud (Hyperion) team announced a change to predefined roles, specifically those used to assign security access, in the August 2019 update. This blog post shows you how to check if you have predefined roles that were used to assign security access. The focus here is the Oracle Planning Cloud (formerly called Planning and Budgeting Cloud Service, Enterprise Planning and Budget Cloud Service, PBCS, or EPBCS) solution, but this change applies to all EPM Cloud solutions.

Oracle’s plan is to rename predefined role names displayed within EPM Cloud applications by removing the instance name prefix. This change does not affect how the role names are displayed in the “MyServices” customer portal.

For example, if the instance name is “Planning1,” predefined role names are currently:

• Planning1 Service Administrator

• Planning1 Power User

• Planning1 User

• Planning1 Viewer

The new role names will include:

• Service Administrator

• Power User

• User

• Viewer

According to Oracle’s July 2019 Update, if you “use the predefined roles for managing application-level provisioning and access to artifacts[,] you will need to reassign such assignments using the updated role name after the roles are renamed.”

Before the August update is applied to your system, you should determine if any of the predefined roles have been used to assign security access at the application level.

For Oracle Planning Cloud, you will need to check three areas to see if predefined roles were used to assign security. Before you do this, you’ll need to download a snapshot of your Oracle Planning Cloud instance. Make sure you keep a copy of this pre-update snapshot in case you need to reassign security after the update.

Next, you’ll want to follow these steps:

1. Check if predefined roles have been used to directly assign security access.

Open the directory <snapshot>\HP-<app>\resource\Security\Access Permissions\Groups.

Check the following files for any entries:

• planning-test Power User.xml

• planning-test Service Administrator.xml

• planning-test User.xml

• planning-test Viewer.xml

For example, the file screenshot below shows two task list names as “Administrator” and “Planner” that have security set using the “planning-test Service Administrator” role. After the update, the security for these two task lists will need to be reapplied using the new role name “Administrator.”

2. Check if predefined roles are members of any user-defined groups

Open the directory <snapshot>\HSS-Shared Services\resource\Native Directory, then open the file “Groups.csv.” Look for any predefined role name in the “group_id” column.

For example, the group “All Users” contains three of predefined roles: “Planning Power User,” “Planning User” and “Planning Viewer.” The corresponding new role names “Power User,” “User” and “Viewer” will need to be added to the group after the update.

3. Check if predefined roles have been used to directly assign security permissions in Financial Reporting

Security permissions for Financial Reporting are not readable in this screenshot, so the only way to check this is through “Explore Repository” in the web interface. Click on “Select Navigate,” then “Explore Repository,” right-click on a report or folder, and choose “Edit Permissions…” to see if any of the predefined roles have been used to assign permissions.

After the August update, you should check any security settings you have identified as using the predefined roles and updated the settings using the new role names.