2 Replies Latest reply: Apr 23, 2011 9:02 PM by 762759 RSS

    Managing Security by Active Directory Group in IOP

      Client would like to manage security of IOP objects within the IOP application by provisioning an Active Directory Group (instead of individual users).

      EPM Shared Services allows client to use MSAD to authenticate users in IOP.

      This question is about managing access to reports or data by GROUP - not by user - within IOP:
      Ie: Set up security for the group once. Then IOP manages security for the user based on what MSAD group they are a part of, so that client can add and remove MSAD members from groups without having to assign security by Individual.

      Example: Client provisions rights to MSAD GROUP (view some reports, access one uploadable report). Adding a user to that group would inherit the rights of the MSAD GROUP they belong to within the IOP application.

      Client is using IOP .
      Is this currently possible, or planned for future? If currently possible please explain how this could be implemented.

        • 1. Re: Managing Security by Active Directory Group in IOP
          Here is the text from the user guide for assigning a user to a report:

          Setting Access to View Reports
          You can set access so that users can only see one report in an Integrated Operational Planning
          model. For example, if users need to see a particular report in a model to which they do not
          currently have access, you can configure access to view the report in the model.
          ä To configure access to a particular report in a model:
          1 Create a new analysis type.
          2 Associate the report to the newly-created analysis type.
          3 Add the user to this analysis type.
          The user then inherits the ownership (or visibility) through the analysis type.
          Note: See “Creating an Analysis Type” on page 120.

          D'oh! Found it on page 145 of the User's Guide:
          Assigning Access Privileges
          ä To assign access privileges to a user or group:
          1 In the Users and Groups tab in the Administration Workbench, click a user or a group to select it.
          The Edit User or Edit Group screen is displayed.
          2 In Select Object Type, select Analysis Types, Report Workbooks, or Script Templates.
          The objects for the selected object type are displayed.
          l The analysis types that are displayed are defined in the Analysis Types tab in the Model
          l The report workbooks that are displayed are defined in Workbooks tab in the Model
          l The script templates that are displayed are defined in the Script Templates tab under
          Administration. Only non-system script templates are displayed (the System field on
          the Script Templates tab is set to false).
          3 Click the check box next to an object and select an access option.
          l For Analysis Types, you can provide access to create/update/delete the analysis type.
          l For Report Workbooks, you can provide access to read the report workbook.
          l For Script Templates, you can provided access to execute the script template.
          4 Click OK to save the object access assignments.
          • 2. Re: Managing Security by Active Directory Group in IOP
            It is not possible, but another customer found an issue and filed a SR. The problem it turns out is the tokens generated arent handled properly in some cases. We are fixing it in a patch for and we will be releasing it soon.