Hyperion Financial Management (HFM) data resides at the intersection of all the application dimensions. Consequently, data security should be defined at the dimension intersection.
One of our clients requested us to review their HFM security in preparation for their annual audit. The application was previously built by a different consulting group and based on the client requirements, security was defined as follows:
- User Group A are the corporate accountants and they have All access to all entities
- User Group B should have All access only to Sub Parent YY and all its children. They should not have any access to Sub Parent XX nor any of its children
- User Group C should have All access only to Sub Parent XX and all its children. They should not have any access to Sub Parent YY nor any of its children.
In the application, Security classes were assigned to the Top Parent and the Sub Parents. Base entities did not have any security class assignment. The assumption was that the base children will carry the same security definition of its Sub Parent. In summary, the security class assignments and access control were as follows:
Explore key considerations, integrating the cloud with legacy applications and challenges of current cloud implementations.
(Note: the table above was simplified to illustrate the security set up in the application)
In our review, we pointed out that the security set up did not comply with the client requirements. Base entities do not automatically inherit the security definition of its parents. HFM data needs to be secured at dimension intersections. For example, if the application dimensions are:
- Security for Sub Parent XX is defined at the intersection of:
Actual|2017|Jan|YTD|<Entity Currency Total>|Sub Parent XX|[ICP None]|Cash Account|Custom1|Custom2
Data in above intersection will comply with the definition of security applied to Sub Parent XX as defined for Security Class XX.
- Security for Base Entities XX is defined at the intersection of:
Actual|2017|Jan|YTD|<Entity Currency Total>|Base Entity XX|[ICP None]|Cash Account|Custom1|Custom2
Base Entity XX was not assigned any security class. Thus, data in this intersection will not be covered by security defined for Security Class XX.