Monthly Archives: April 2015

Oracle’s Latest White Paper: A New Way to Authenticate Oracle BI (OBIEE) and Oracle Essbase?!

April 29, 2015

Here at Performance Architects we typically find ourselves perusing the Oracle Support blogs on a daily basis as they are a hotbed of new and interesting information. One article recently made the rounds of our company email because the content piqued some serious interest – and so, of course, we’re sharing our thoughts with you as well!

Oracle’s latest business analytics white paper, entitled “OBIEE to Essbase Authentication Methods,” covers all of the various means to provide access between Oracle Essbase and Oracle Business Intelligence Enterprise Edition (OBIEE).

The methods outlined range from a common shared user accessing the Essbase cubes, to security pass-through where OBIEE users are passed down to Essbase for authentication. Any flavor of the latter is our personal preference, as it allows Essbase to manage data security. This leverages the strengths of Essbase filters, and provides common security throughout the tools that access Essbase – like OBIEE, Smart View, or Hyperion Planning. But we digress – back to the article, and to different options!

The white paper reviews the following options:

  1. A hardcoded “Shared Username/Password” combination that allows all users to access OBIEE via one Essbase user. We find that this is great when testing those first time connections and doing basic development, but does not offer much of a data security model.
  1. A “BI Username/Password” pass-through, where the OBIEE username and password are sent down to Essbase to be authenticated against Shared Services. This works really well when both OBIEE and Essbase have access to the same LDAP directory. However, as the article highlights, the one downside is when trying to schedule content (via Agents) that acts on user security. Since the password is not preserved, it’s not an option.
  1. CSS token-based single sign-on (SSO), where SSO is configured across both environments using tokens, which involves making a series of configuration changes to both the EPM middleware instance and the OBI instance.
  1. The highlight of the article is the newest feature of Essbase impersonation using EssLoginAs. Using this method, OBIEE connects and calls the EssLoginAs API function using the Essbase Admin user, and then passes through the actual OBIEE username. This prompts Essbase to run the OBI query as the OBIEE user, without the need to store or capture the user’s password. This allows you to use Deliver content too! The EssLoginAs method is available as of 11.1.1.7, patch 141014 and later. It does not require any special setup on the Essbase server side. On the OBI side, the setup can be done via the connection pool used to connect to Essbase. Here, the administrator will provide shared administrator credentials and also check the “SSO” box:

TBMB 1

Assuming the same OBI user is present in Essbase, the work is basically done. A quick check of the Essbase log confirms the impersonation (here, “WebLogic is the admin, “test_biauthor” is the desired user):

TBMB 2

Once the connection pool expires, OBI will also make sure to log out the user:

TBMB 3

Here is a link to the article: https://blogs.oracle.com/proactivesupportEPM/entry/new_whitepaper_obiee_to_essbase.

Authors: Tom Blakeley and Michael Bender, Performance Architects


© Performance Architects, Inc. and Performance Architects Blog, 2006 - present. Unauthorized use and/or duplication of this material without express and written permission from this blog's author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Performance Architects, Inc. and Performance Architects Blog with appropriate and specific direction to the original content.

Using Dimensional Security with Oracle Hyperion Business Rules

April 28, 2015

Previously, business rule security was discussed in coordination with menu options in the blog, “Oracle Hyperion Right-Click Business Rule Security”. As mentioned in that article, there are some potential issues with only using Business Rule Security to control the use of menu options for planners in Oracle Hyperion Planning. Below, I’ll overview a possible alternative to control the execution of these rules, without having to change Business Rule Security or attached menu items.

This brings us to Run-Time Prompt (RTP) security to limit member selection. Recently, Oracle added a nice feature to leverage dimensional security into business rules that seems to go relatively unused. As you will see from the image below, there are four options available: Use Default, Read, Write, and Approvals.

tyler 1

When RTPs are initially created, they are assigned the “Use Default” option. This will simply show all members in a prompt that a user has read or write access. The major two possible changes here are the ability to change the member selection to be “Approvals” or “Write”. By using these options, business rules will use the same status of security and approvals used throughout the application. For example, if a user attempts to run a rule that requires “Write” access to the budget, they will receive an error when attempting to run the rule when the administrator takes write access away at the end of the cycle.

By using this component, security can be much more dynamic. There has always been a disconnect between data entry and right-click menus. By allowing security to be used by both business rules and data entry, there is less of a chance for administrators to forget to perform all the necessary post-cycle steps. Additionally, it makes opening and closing the cycle to go much more smoothly and quickly.

There will be pros and cons to using this method versus the other options that were discussed in the previous blog, “Oracle Hyperion Right-Click Business Rule Security”. A quick analysis can be done to decide which path is the correct one for you.

Author: Tyler Feddersen, Performance Architects


© Performance Architects, Inc. and Performance Architects Blog, 2006 - present. Unauthorized use and/or duplication of this material without express and written permission from this blog's author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Performance Architects, Inc. and Performance Architects Blog with appropriate and specific direction to the original content.

Oracle Hyperion Right-Click Business Rule Security

April 28, 2015

If you are a user of right-click menus in Oracle EPM (Hyperion), they most likely are primarily used for business rules. They’re excellent for allowing users to leverage the form layout in determining how a business rule should be selectively run. However, there is a bit of a disconnect between the use of menus and how data is entered into forms. For example, a scenario might be made “read-only”, but this won’t stop a business rule from being run by default. Because of this, data integrity is threatened if proper steps are not taken.

In the past, there have been two common ways to correct this issue. The first is to simply use web forms and menu option combinations that allow or disallow menu use. For example, at the end of the cycle, the administrator could simply remove all menu options from planner forms. Likewise, there may be web forms that only give access to administrators to prevent planners from executing admin-only menu options. While this represents the simplest solution, it is also the most manual and redundant. It is especially difficult for organizations that may have many web forms with menu items.

The second solution is to use business rule security. Prior to Oracle Hyperion Planning 11.1.2.3.500 (more on this later), assigning security to business rules would allow the security to “pass-through” to menu options. This means that if a business rule was given “No Launch” access to users, the menu option referring to this rule would not show up. To accomplish this easily, administrators could set up folders for business rules that included all necessary Planning menu items. Security could then be set up to “Launch” or “No Launch” access, accordingly, throughout a budget cycle. Additionally, any administrator-only rules would be unavailable to the general planner.

If you have used the second option, there is an unpublished bug that has been brought up with the 11.1.2.3.500 version. This bug basically breaks that “pass-through” that was allowing the menu options and business rule security to properly communicate. Due to this issue, all business rule menu items on forms will be visible to all users, regardless of security.

The “pass-through” technique has worked previously and will work again. However, this does not help those that are currently experiencing the issue. The most obvious workaround to this issue is to just use the first steps that were described until a fix comes out.

However, as previously mentioned, the manual removable method is quite redundant. Fortunately, there are a few more alternatives that are more nontraditional that can be used in place of not only the manual steps but also the business rule security if desired. To see how one of these alternatives can be applied, check out the follow-up blog, “Using Dimensional Security with Oracle Hyperion Business Rules”.

For further information on incorporating a solution like the one described here, please contact Performance Architects at sales@performancearchitects.com.

Author: Tyler Feddersen, Performance Architects


© Performance Architects, Inc. and Performance Architects Blog, 2006 - present. Unauthorized use and/or duplication of this material without express and written permission from this blog's author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Performance Architects, Inc. and Performance Architects Blog with appropriate and specific direction to the original content.

Five Themes and Outcomes from the Higher Education Data Warehousing (HEDW) Conference

April 27, 2015

The Higher Education Data Warehousing Forum (HEDW), “a network of higher education colleagues dedicated to promoting the sharing of knowledge and best practices regarding knowledge management in colleges and universities, including building data warehouses, developing institutional reporting strategies, and providing decision support,” hosts an annual conference every year for networking and knowledge-sharing purposes.  The event is comprised of training sessions, presentations by universities and select vendors, and a vendor showcase.

Performance Architects has been proud to participate as an invited sponsor of the HEDW Forum for the past five years running, and appreciates the opportunity to teach, learn, and collaborate with such an experienced and talented group of individuals.  We wanted to share our thoughts about the top five trends and outcomes from the HEDW Forum held last week at Illinois State University for our friends and colleagues who weren’t able to attend this year. 

Our team attended at least three or more sessions a day, and held numerous conversations with attendees, so we were able to get a strong overall sense of key trends.  The topics definitely resonate with our first-hand experience working in the higher education and data warehousing markets for the past several years.

Theme #1: Institutions are increasing their use of cloud technologies, especially “private cloud” capabilities.

Several institutions discussed their in-flight projects to move nearly all their infrastructure to cloud-based solutions, although these are mostly “private clouds” (meaning Platform-as-a-Service or PaaS).  This is quite understandable considering the security concerns around the sensitive nature of data involved with many higher education transactional systems, including social security numbers, bank accounts, and other personal information like addresses, phone numbers, etc.

One big surprise for us in this area was a move by several universities from traditional “big software vendor” data warehouses to the Amazon Redshift solution.  Amazon Redshift is a petabyte-scale database which uses columnar storage technology to improve I/O efficiency and parallelizing queries across multiple nodes.  On the downside, Redshift doesn’t provide for stored procedure capabilities, which many small-to-medium-sized universities rely on for their day-to-day operations.  Those who have migrated to Redshift say that this deficit in functionality can be managed effectively through the use of extract, transform and load (ETL) or extract, load and transform (ELT) technologies.

Theme #2: Data discovery tools are a compliment to – but not a replacement for – existing business analytics capabilities and solutions.

Data discovery continues to be a hot topic.  One of the sessions demonstrated the use of Tableau, replacing a Cognos environment.  This was a standing-room-only session as there is a tremendous appetite for the insight and performance capabilities that data discovery provides.

On the downside, tools like Tableau rely on your team to manually extract data from your online analytical processing (OLAP) system (such as Essbase) to produce custom data sets.  You can use these data sets locally or upload them to Tableau’s cloud.  Tableau and its competitors claim their solutions are fast and dynamic, but any solution is faster if you essentially strip away data integration and security capabilities by preparing the data sets manually before you load them into the system!  This reinforces the idea that these tools are best suited as a complimentary solution to – not a replacement for – your current business analytics environment.  To this end, most of the institutions attending the conference saw Tableau and related solutions as “another tool in their arsenal” in addition to the more enterprise-strength business intelligence solutions they already have in place.

Theme #3: Big data is important to understanding key trends in higher education and institutions need to start thinking about solutions in this arena now!

Traditional universities are just entering the realm of big data as they compete with for-profit, online educational offerings (e.g., University of Phoenix) and even not-for-profit institutions with a strong online presence (e.g., Southern New Hampshire University).  These online offerings generate a tremendous amount of data and valuable information.  In addition, schools also maintain inside-the-firewall, web-based learning management systems such as Blackboard and Moodle that generate massive amounts of information including student-teacher and student-student conversation data.

Our presentation at HEDW, “A New Business Analytics Definition: Performance Architects Clarifies Business Intelligence & Data Discovery, Storage, and Integration Confusion,” discusses the big data trend in detail and provides case study examples of ways your institution can get started in this realm.  If you’re interested in obtaining a copy of this presentation, please sign up for our free Learning Center here; the Performance Architects Learning Center is a community and forum that provides access to all of our content, including functional, technical and industry-specific conference and event presentations, webinars, and white papers developed during our many years of experience working with organizations with similar interests and needs.  Performance Architects also recently published another blog entry, “Five Ways to Evolve Your Business Analytics Software Environment to Address the Big Data Revolution,” that discusses actions you can take in this arena.

Trend #4: Increase emphasis on data governance capabilities as a result of the move to the cloud.

Universities need data governance more than ever in order to preserve the “single source of data” for their data warehousing systems.  Most universities maintain multiple data warehouse and business intelligence systems on-premise and in the cloud that are a mix of legacy and current technologies.  While true data governance is a lofty goal for even the most forward-thinking organizations, this represents an idea that universities should be striving towards.

We believe the shift to cloud-based technologies is the main driving force behind this need to update university data governance systems and processes.  Without the capability and maturity in data governance, institutions are challenged in migrating and maintaining information spread across several cloud-based systems.

Trend #5: The integration of the business intelligence (BI) and institutional research (IR) functions continues, with mixed results.

Hank Childers, the Executive Director for University Analytics and Institutional Research at The University of Arizona, discussed a study he conducted with several U.S. institutions about their BI and IR organizational structure.  Although this wasn’t a statistically significant sample, some clear themes emerged from the research.

The first is that this combination of functions is not common across the institutions he surveyed.  Many are still feeling their way to an organizational structure that makes sense at their institution.  This has a lot to do with the different perspectives of these two groups, which are a result of their varying missions and constituencies.  In addition to the cultural differences between the two functions, institutions also appear to be fighting the familiar foes of silo-ed activity, limited enterprise system scalability, and the challenge of big data management, which creates even more barriers to success.

One critical success factor Hank noted is that BI and IR leaders need to cooperate to achieve common goals. Organizations should consider adopting an “agile” philosophy to kick-start any combined BI/IR projects. Specifically, institutions should gather requirements; prototype; collect feedback; iterate; and repeat.  It is often best to consider the idea of starting small while thinking big to deliver quick wins to gain user and leadership endorsement. Success can further hinge on involving both groups in requirements gathering and solution design.

Finally, he maintained that institutions have an opportunity to meld the technology and systems skill sets within BI with the business and user focus of IR to ensure analytics has a “seat” at the leadership table.  It is becoming ever-clearer that good data management and analytics capabilities will influence strategic and tactical decision-making.

In conclusion, HEDW is a thriving conference and forum for those in higher education and data warehousing and we cannot encourage our clients enough to participate in this group.  There are several grants available for those who are unable to secure budget for travel and lodging to this conference.  Next year’s conference will be held in Rochester, NY and we hope to see you there!  The details on the conference aren’t published yet, but will eventually be posted here.

If you’re interested in assistance with any of the topics covered in this blog post, please contact us at sales@performancearchitects.com and we would be happy to set up a time to discuss.

Authors: Kirby Lunger, Richard Maher and John McGale, Performance Architects


© Performance Architects, Inc. and Performance Architects Blog, 2006 - present. Unauthorized use and/or duplication of this material without express and written permission from this blog's author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Performance Architects, Inc. and Performance Architects Blog with appropriate and specific direction to the original content.

How to Automate Oracle EPM (Hyperion) Administration

April 24, 2015

Lights-out automation is often times a top priority during a large implementation of Oracle EPM (Hyperion), and it’s easy to see why. The primary reasons for implementing a new solution are to cut redundancy times and allow for more data investigation. One of the most obvious ways to accomplish the former reason is to create automated data integration flows, such as nightly loads of actuals. Using a variety of tools, a quick integration between source and target systems can take a large workload off any system administrator.

However, there is a missing element that too often comes along with this solution: availability of an ad-hoc run. For example, the idea of nightly data load is great for 95% of the year….but what about during that yearly close? Or even the monthly close? In modern times, the timeliness of data is taken for granted at this point. Every piece of information is expected to be updated at any moment, on demand.

For those in a more technical position, there seems to be a very easy solution for this. Generally speaking, any piece of automation combines the use of a “scheduler” and scripting, where the scheduler’s job is to simply kick off the scripting at the requested time. Based on this logic, a user should be able to easily launch this same set of scripting manually, without having to wait for the scheduler to automatically execute the process.

While this approach is the most simple, it’s not always the most effective. If a financial administrator of an application does not have an ability to access this scripting, a request to IT will need to be submitted. Depending on an organization’s set-up, there might be hours of lag time between the request and the response. This is where the need for an administrator-run on-demand process comes into play.

Here’s where Oracle Hyperion Planning’s functionality can be leveraged to connect the administrator and the automation scripts. Within Planning, there are Substitution Variables that are used throughout the application. Generally they are used for items such as “Current Year” and “Current Month” in input forms, reports, etc. The importance of these variables from our automation example is the ease of modifying the value of the variable through the application front-end in addition to the variable values being available to the rest of the system.

By using a little extra “back-end” scripting, the value of the variables can be connected to the same automation script that’s run on a scheduled basis. Instead of making a request or waiting for the next run to complete, an administrator can modify the variable value to notify the script that an ad-hoc run has been requested. Then, the request is processed immediately by the system, instead of having to go through any request process.

The gains on data timeliness can be phenomenal, but the notification of errors/successes can be just as important. For example, Oracle Hyperion Financial Data Quality Management Enterprise Edition (FDMEE) is a great tool for the sourcing of hierarchies/trees in addition to data. However, a long data load will require an administrator to continually monitor the rule for successes/failures. While this may not be the most intensive task, it takes the administrator away from much more valuable opportunities. Using this idea of a front-end execution, the administrator can execute scripting that may not only execute the same FDMEE job, but it could also perform error handling with the errors/successes emailed to the administrator upon completion.

While this blog may have primarily focused on the Hyperion side of things, the issue of ad-hoc capabilities for financial administrators goes beyond both Hyperion and Oracle. There is a major wave of applications like Hyperion being put more into the hands of financial users while IT controls the infrastructure and server-side of the business. With more tasks being consolidated into the responsibility of a few people, the demand for a simple yet robust answer to data timeliness is becoming more important. By using the ideas described above, a quick and efficient solution can be put on top of an existing Hyperion Planning implementation to give it that extra push for those most demanding of days. When it comes down to it, a user that gets data one hour faster can respond with further input one hour quicker. And with so little time in the day, it’s sure to add up quickly.

For further information on incorporating a solution like the one described here, please send a note to sales@performancearchitects.com.

Author: Tyler Feddersen, Performance Architects


© Performance Architects, Inc. and Performance Architects Blog, 2006 - present. Unauthorized use and/or duplication of this material without express and written permission from this blog's author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Performance Architects, Inc. and Performance Architects Blog with appropriate and specific direction to the original content.

Join us at COLLABORATE 15!

April 8, 2015

It is almost time for the annual COLLABORATE Conference, the largest meeting of Oracle user groups representing the full family of Oracle business applications and database software. COLLABORATE 15 is co-hosted by Independent Oracle Users Group (IOUG), the Oracle Applications Users Group (OAUG), and Quest International Users Group (Quest), in Las Vegas, Nevada! We have nine sessions starting this Sunday and we are also exhibiting at Booth #710 so be sure to stop by and say hello!

We are also attending the Hyperion Connect Reception on Tuesday night at 7:00 PM. Join us and your fellow Oracle Hyperion users for an evening of networking! Share ideas, make connections and meet Oracle’s top Hyperion executives and product developers. Enjoy music, cocktails, food and good times.

Our COLLABORATE Schedule is below:

Stay tuned for our post show blog with updates and news from the conference and be sure to follow us on Twitter (@PerfArchitects) to keep up with us during the event!

Lastly, if you are at COLLABORATE, please click here to schedule a 15-minute meeting with one of Performance Architects’ business analytics experts at Collaborate15 and be entered into our drawing for the new Apple Watch!

Author: Melanie Mathews, Performance Architects


© Performance Architects, Inc. and Performance Architects Blog, 2006 - present. Unauthorized use and/or duplication of this material without express and written permission from this blog's author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Performance Architects, Inc. and Performance Architects Blog with appropriate and specific direction to the original content.