Hyperion Planning Security – Managing Filters for Very Large Dimensions


December 7th, 2011

There is no doubt that Hyperion Planning security is robust and extremely flexible. The tool enables administrators to control access at the member level. The limits to the security filters are capped only by the administrator’s creativity.

While the security model is robust, managing the filters for extremely large dimension can be a daunting task. Security for Hyperion Planning is managed through two applications:

  1. Shared Services:  controls the security groups and user assignments
  2. Hyperion Planning: controls the assignments of groups to dimension members.

While working with the two interfaces is simple and straightforward, the administrator must constantly switch from one application to the other to answer questions such as: “What access does Gidon Albert have?” or “Why can’t I see my entity?”

To answer these questions, the administrator must first identify if the user belongs to specific groups by looking at the user and group information in Shared Services. Then, the admin must go into Hyperion Planning and identify which members are assigned to specific members or groups. When working with simple security models, this may not be too difficult. However, as the dimensions grow and the security model becomes more complex, the task of managing the model can become daunting, impractical, or even impossible.

One approach to make the task of managing complex security models is to use Microsoft Excel.

At a recent implementation, I implemented a complex security model that required creating more than 15,000 individual filters. Managing these filters using the Shared Services and Hyperion Planning interfaces was almost impossible. The filters were loaded using the ImportSecurity.cmd. Searching or making changes to specific filters in Hyperion Planning was slow and cumbersome. Instead, the client and I came up with a different approach.

Using the ExportSecurity.cmd, we exported all the group-to-member assignments from Hyperion Planning. We created a simple batch file that ran the command and exported all the assignments into a shared folder. Since the model had so many filters, the process of exporting the entire model took almost eight hours. The batch file was scheduled to run on the weekend, as part of the scheduled maintenance and back-up tasks. The group-to-member file was imported into an Excel file, where it is combined with an export of the users and groups information exported from Shared Services.

At this point, the administrator has all the information about the security model available in Excel. The client created a series of macros that utilized pivot-tables to facilitate searches based on users, groups, members or any combinations of the three. Since all the information was in one place, answering access questions became simple and quick.

Additionally, any changes needed to be made to group-to-member assignments were done directly in the Excel file. A simple macro exported the changes into a text file that could be processed by the ImportSecurity.cmd. This approach allows the Administrator to load changes made in the Excel file directly into Hyperion Planning. Changes to the users and group assignments would still have to be performed directly in Shared Services, though.

Finally, once a week, after the weekly security export process was completed, a macro would compare the freshly exported security detail to the Excel file to verify that the changes made in the Excel file during the week matched the actual security filters in Hyperion Planning. Of course, this step is only verification since the changes that were made during the week would be tested after the ImprtSecurity.cmd was run.

This innovative solution facilitated management of this very complex security model. In addition, it made it easier for the client to compare the Hyperion Planning security filters to the filters and groups of other applications (HFM and Essbase). These filters are also managed in Excel. Comparing the filters and groups on the same platform was one of the main reasons the client took this approach. Working together with the client, we were able to create a simple, innovative and effective solution to a complex problem.



About TopDown Team

The TopDown Team includes members of TopDown Consulting who want to let the community know about webcasts, conferences, and other events. The team also conducts interviews on various EPM industry topics.

3 comments on “Hyperion Planning Security – Managing Filters for Very Large Dimensions”

  1. Mohamad says:

    We are having a problem which is:
    1) We create a folder in the explore repository. (By default everyone has access permission to this folder)
    2) We need to assign only 1 user to access this file.
    3) When we do that in a normal situation and try to change the provisioning to make only 1 person view the files, we get a list of 10,000 users who have access permissions and we have to remove them one by one which is a very slow process.
    This problem is because the default of Hyperion is when you create a folder, everyone has access to it by default. Can we alter the default option to not include anyone who can access it?
    Any method to solve this will be highly appreciated.


    1. Gidon Albert says:

      “Try to put everyone in a group that does not have access to everyting. This should overwrite the default).”

Leave a Reply

Your email address will not be published. Required fields are marked *