Hyperion Planning Runtime Prompt Security

Situation

As many of you know, one of the benefits of using a business rule over a calculation script is their ability to utilize run time prompts.  Run time prompts allow the business rule to be dynamically customized to the point of view (POV) the user is currently working with.  This allows for more focused calculations and aggregations to a specific portion of the cube.

Once the run time prompts have been populated with their respective member(s) the business rule is then passed to essbase for execution.  The executed code is run with administrative privileges and is not dependent upon the specific user’s read/write access to the members select.  Typically, this is not a problem because the rules are set to run with the POV the user is currently working with, which is usually only an intersection they have access to.

A security issue can arise when the user is allowed to select members for the run time prompts.  When the user launches a business rule they might select a member which they do not have write access to but because the rule will execute with administrative privileges the data will still be updated.

Solution

To resolve this security gap, Oracle has recently incorporated a security setting for each run time prompt specific to each business rule.

From the Variable tab you will see each run time prompt variable and its respective Security.

The Security Options are:

• Use Default – provides users the ability to see and either enter or select any of the dimension members
• Read – provides users the ability to see and either enter or select only those members the user has Read access to.
• Write – provides users the ability to see and either enter or select only those members the user has Write access to.

Example

A user is utilizing the workforce application and is trying to transfer a position from cost center A to cost center B in the Version “No Version” but the user only has Write access to “Version1.”  When the user executes the transfer process they are prompted to provide the corresponding member for each run time prompt including Version.

The IT Leader's Guide to Multicloud Readiness

This guide provides practical key insights and important factors to consider to make informed decisions in your multicloud journey.

Download the Guide

The Users do not have access to the “No Version” member in the Version dimension.

The Version run time prompt’s security on the Transfer business rule is set to “Use Default” so the user will be able to see and enter or select the member when they execute the business rule and open the member selection window.

Changing the Version run time prompt security to Write will restrict the version available to the user to only those they have Write security access to.

When they execute the Transfer business rule and open the member selection window they will only see the members they have Write access to.

Even if the user manually enters a member name they will receive an error stating the member is not valid.