Forum Stats

  • 3,851,814 Users
  • 2,264,032 Discussions
  • 7,904,869 Comments

Discussions

FDMEE - Separate access for batches for different HSS users

AlexZh
AlexZh Member Posts: 18 Red Ribbon
edited Sep 17, 2019 10:25AM in Financial Data Management

Hi all,

We have different users in HSS for all business untis.

All of these users have Run Integration FDMEE role and see only appropriate locations and data load rules.

The question is how can different users see only appropriate batches?

In FDMEE Security Settings tab there is Role security for Batches f.e. for role - Run Integration we can tick all Batch groups what needed but in that case any user can see all batches from these groups.

We tried to create new roles in HSS, but these don't appear in the list on Role security tab.

Is there some way to do that?

Thanks.

Best Answer

  • user6692921
    user6692921 Member Posts: 179 Silver Badge
    edited Sep 12, 2019 4:45AM Answer ✓

    I've never seen any similar requirement for that number of secured batch groups either. Location security plus Role type (eg Corporate, Country, Unit) has always be sufficient for me. If you really need that number of secured batch groups you could use a Before Batch script to check the user's access. Let's say the users have access to a batch group that contains more batch definitions than they should execute. Create a dummy location that will contain maps which have the user id as a source and batch definition as description. In the Before Batch script check that the user has an entry in the maps in this dummy location for the Batch Definition. If not, stop the batch with an error message. It's not pretty and will have a bit of a maintenance overhead. I think you should really look at the reasons why you need some many securable types of batch group.

Answers

  • SH_INT
    SH_INT Member Posts: 3,192 Bronze Crown
    edited Sep 11, 2019 6:49AM

    In the Security Settings the Intermediate Roles are the ones that will allow you top provide custom settings. Use these roles to control what batches users can see. Copy the permissions from the Run Integration role into one of the Intermediate Roles as your base setting and then in the Batches tab for that role only select the Batch Groups you want users with that role to have access to

  • AlexZh
    AlexZh Member Posts: 18 Red Ribbon
    edited Sep 11, 2019 7:13AM

    Many thanks for your response, it's correct, we thought about that, but now we have 10 different business units (with separate users) and we will have future rollouts for new BUs, there are only 8 Intermediate Roles from 2 to 9.

    Can we use more than 8 predefined intermediate roles and how can we create them (because as I noticed before - we tried to create new roles in HSS, but these don't appear in the list on Role security tab)?

  • SH_INT
    SH_INT Member Posts: 3,192 Bronze Crown
    edited Sep 11, 2019 7:20AM

    No, you cannot create new FDMEE roles you are limited to the ones that are shipped with the product. Can't say I've ever come across a requirement before that requires more than the provided roles. Is your requirement just driven by the number of different Batch Groups you have?

  • AlexZh
    AlexZh Member Posts: 18 Red Ribbon
    edited Sep 11, 2019 9:31AM

    Yes, that's true we have a lot of batch groups (more than 8) which should have separate access to different users.

  • user6692921
    user6692921 Member Posts: 179 Silver Badge
    edited Sep 12, 2019 4:45AM Answer ✓

    I've never seen any similar requirement for that number of secured batch groups either. Location security plus Role type (eg Corporate, Country, Unit) has always be sufficient for me. If you really need that number of secured batch groups you could use a Before Batch script to check the user's access. Let's say the users have access to a batch group that contains more batch definitions than they should execute. Create a dummy location that will contain maps which have the user id as a source and batch definition as description. In the Before Batch script check that the user has an entry in the maps in this dummy location for the Batch Definition. If not, stop the batch with an error message. It's not pretty and will have a bit of a maintenance overhead. I think you should really look at the reasons why you need some many securable types of batch group.