Get Involved. Join the Conversation.


    Isabel Zanotti
    workforce admin permission
    Topic posted May 15, 2019 by Isabel ZanottiRed Ribbon: 250+ Points, tagged Security, Workforce 
    102 Views, 5 Comments
    workforce admin permission
    EPBCS Application Admin has permission to admin tasks in Workforce

    Hi everyone, 

    we have had this question since the release of Planning in the cloud. As you probably know, workforce data is highly classified in a company, so is not possible for the EPBCS application admin (most of the times is the Finance user) to have access to Workforce admin tasks, like add metadata or navigate through the data itself. 

    Is there any role/ security solution for this, or as once Oracle told me, the Customer has to buy another subscription for this.

    I appreciate your answer, thanks in advance.




    • Peter Nitschke

      Hey Isabel, 

      Definitely agreed it's a real problem. Fundamentally an 'admin' in Hyperion Planning \ PBCS isn't really a usable account at all - as they bypass all the dimensional security. 

      I think the nirvana state is that you separate out your users and administrators completely and the PBCS application admin isn't a finance user, but instead is more of an IT role - similar to a DBA - where they fundamentally have higher levels of access, but that is written in and assumed in their role. Unfortunantly this goes very much against the drive to having Finance completely own the PBCS \ EPM layer as a SAAS product! 

      If it is a serious concern for the organisation then you'll have to work out how to minimise the requirement for a finance admin so that you don't need one in production - which means you'll need to automate all of the application administration tasks, ie: Data Loads, Metadata, Data Copies, Security Updates. Having an external consulting \  support party take over all business admin \ application support do it is also an option - but obviously that comes with risks (and costs!) of it's own. 

      Alternatively, a second pod is a real option, but obviously has an upfront significant build and support cost - and even there, some of the integration layer (ie: data management) exposes the data to anyone who is an admin in the target system. 

      Sorry I couldn't help more!




      • Isabel Zanotti

        Hi Peter, Thanks for your answer, it is what I suspected.

        I would like to know if there is an enhancement requested for this or not, do you know?



        • Ezra Fishman

          Hi Isabel,

          I've seen a few people submit this kind of question or enhancement, but I haven't seen any recent updates. I would definitely recommend posting this in the PBCS Idea Lab to add another voice in the request.


          • Peter Nitschke

            Agreed with Ezra - definitely recommend posting something on there (and maybe linking back here so we can all go and upvote it). 

            The reality is that there is no 'technical' fix so much as a process fix, a business change AND a technical fix. Admins\superusers in systems are not expected to have restraints placed upon them - but in most other systems, admins\superusers don't have production tasks. Restricting what an admin can do just creates the requirement to have a 'superadmin'. 

            I know that Mark R discussed a possible change to allowing security per database type which would allow for some of these types of controls - but the real fix is to simply remove the need to have a finance end user with admin access - which basically means everything they have to do as an admin needs to be automated. 

      • Isabel Zanotti

        Hi Everyone I have found in the Ideas lab this idea, Idea number: 5B361D183F, that seems related to what I was looking for. Please go to vote it and if you can please create a customer SR.


        Thanks for you help.