Configuring Security Options
  • 18 Minutes to read
  • Dark
    Light
  • PDF

Configuring Security Options

  • Dark
    Light
  • PDF

Article summary

Security Options refer to settings or configurations that control access, permissions, and security-related aspects for users within those groups.

First, let's understand the Status Indicators of security icons to assess the level of configurations for each user or user group. 

  1. Navigate to Maintenance > Administration > User & Role Management.
  2. Click the User or User Group tab.
  3. You can start configuring these settings by selecting the security options icon in two ways:
    1. Select the created user or the user group and click directly on the security options icon within the Security column.
      Notes:

      When you hover over the security options icon, you can interpret the status as follows: 

      • No color: Indicates that no access has been configured
      • Red: Indicates that the access has been configured for a few areas
      • Green: Indicates that the access has been configured for all areas

      Once the user or user group is created, the configurations are not done, so the default color and status is "no color".

      Additionally, when you click the security options icon, you can determine the configuration status of each area by the associated indicators. There are two statuses: Configured and Not configured. A green checkmark indicates that the configuration is complete, while the other indicator suggests that other areas are yet to be configured.


    2. Select the user or the user group and click the security options icon in the header.

Using this option, you can configure the following areas:

Add-In Security

Setting up add-in security is important when using Planful Offline Planning, which is an Excel planning tool that allows you to download and perform budgeting tasks while not connected to the application. To know more about add-in click here.

Note:
This is optional and you need to complete this only if you use Planful Offline planning. 


How to Set Up Add-In Security?

Here's how you can set up add-in security for users and user groups:

  1. Navigate to Maintenance > Administration > User & Role Management.
  2. Click the User or User Group tab.
  3. Select User/User Group and then go to Security Options > Add-In Security.
    Note:

    You can access the Add-in Security option in two ways:

    1. Select the user/user group and click directly on the security options icon within the user group's Security column. (or)
    2. Select the user/user group and click the security options icon in the header.
  4. Select the Add-In from the Excel Query or Offline Planning from the drop-down menu.
  5. Select the users and user groups you wish to give access to from the Unmapped Users/User Groups left pane, then click the right arrow to add them to the Mapped Users/User Groups right pane. To unmap users or user groups, select them from the right mapped pane, then click the left arrow to add them to the left unmapped pane.
  6. Click Save.

Approval Role Setup

Approval roles are used in the Planning module to specify the actions users can perform during the budgeting process. For example, you can assign a budget manager with an approval role. Given this role, the budget manager can approve budgets.

Approval roles may have varying levels of user responsibility for budget entities. For example, when a user has access to two entities (A and B), but has HR responsibility for entity B only, the user can be restricted to view only specific data based on HR access for the approval role assigned for the entity.

To learn about how to set up the Approval Role, click here.

Consolidation Security

The Consolidation Security used to set security for Centralized and Decentralized users. A centralized user has access to all company members in a scenario. A decentralized user has access to specific dimension members only. The Company/Legal Entity Member Selector distinguishes between Centralized and Decentralized Consolidations. If you are at the root member (defined as the top member in the hierarchy), then you are interacting as a Centralized user managing the Consolidation Process in its entirety. If you have been provided specific member access within the hierarchy and you select a Company from the member selector, then you are interacting in Decentralized mode. This means that the modules available may be restricted and you may have limited access to Company intersections for modifying data.


How to Set Up Consolidation Security from User & Role Management? 
Note:
Navigation Access must be given to a user to enable access to the Administration items in the Consolidation Control Panel.
Note:
You can also find Consolidation Security under the Administration section in the Consolidation Control PanelTo configure security from the Consolidation Control Panel, click here.
security

Processes

You can assign security permission for the Process using the Processes tab. 


Description of fields on the Process table
Note:
Workflow actions do not result in email notification. For example, if you authorize a user to post a journal and another user has the authority to approve it, the approver does not receive an email when the Standard Journal is posted.

Process

Action

Standard Journal

Recurring Journal

Dynamic Journal

Non Controlling Interest

Reclass

Eliminations

Actual Data Load

Validations

 

Consolidation Process

Full

Enables all entry and approval actions. Active/Inactive is not applicable.

Enables user to manage all Recurring Journals and post/process.

Enables user to manage all Dynamic Journals and active/inactive applies.

Enables user to manage all non controlling interest and active / inactive applies.

Enables user to manage all reclasses and post/process.

Enables user to manage all Eliminations, clear /unpost, and post/process.

Provides user with ability to load data using Actual Data Load templates in Decentralized mode. User can perform template input and all privileges associated with Actual Data Load.

Enables user to manage all Validations, clear/unpost, post/process, and active /inactive applies.

 

Allows user to run the Consolidation Process.

Manage

Allows user to access Standard Journals, add new journals, and edit journals. .

Allows user to access Recurring Journals, add new journals, and edit journals.

Allows user to access Dynamic Journals, add new journals, and edit journals.

Allows user to access Non Controlling Interest, add new rules, and edit rules. .

Allows user to access Reclasses, add, and edit.

Allows user to access Elims, add, and edit.

Not Applicable.

Allows user to access Validations, add and edit.

Not Applicable.

Forward

Submit an entry for review. Select a journal entry that is in process and click Forward to move the entry to Pending Review.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Send Back

Return a journal entry to an In Process status to make required changes. This option is only available when the journal is in the Pending Review or Approved statuses.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

In Process

A journal entry that has not in a forwarded state.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Approve

Approve a journal entry that is Pending Review, which confirms the entry for posting.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Post / Process

Post the entry to the application. Once posted, a message indicates whether the post was successful or not.

Post the entry to the application. Once posted, a message indicates whether the post was successful or not. You can give a user the ability to post a journal without having full control.

Not Applicable.

Not Applicable.

Post the reclassification to the application. Once posted, a message indicates whether the post was successful or not.

Post the Elimination to the application. Once posted a message indicates whether the post was successful or not.

Not Applicable.

Post the Validation to the application. Once posted a message indicates whether the post was successful or not

Automatically enabled when Full is selected. Entries will post during Consolidation.

Reject

Refuse a journal entry. To re-use a rejected journal, create a copy of it (which will return the entry to the In Process status) with a new name.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Unpost / Clear Data

Current period or prior period journals can be unposted. This action removes the original posted entry from the system.

Not Applicable.

Not Applicable.

Not Applicable.

Not Applicable.

Current period or prior period Eliminations can be unposted. This action removes the original posting from the system.

Not Applicable.

Current period or prior period Validations can be unposted. This action removes the original posting from the system.

Not Applicable.

Active / Inactive

Not Applicable.

Not Applicable.

The journal entries that are valid for the period in which they are defined when created.

The non controlling interest that are valid for the period in which they are defined when created.

Not Applicable.

Not Applicable.

Not Applicable.

The Validations that are valid for the period in which they are defined when created.

Not Applicable.

When an action a user doesn't have access to is selected by that user, a message will display indicating that the user doesn't have access to the action. It is important to note that entry and approval actions that users don't have access to will display in the actions pane, however, these users will not be able to perform the displayed actions.



Perform the below steps to assign Processes security permissions to a user:

  1. Navigate to Maintenance > Administration > User & Role Management.
  2. Click the User tab.
  3. Click Security Options and select Consolidation Security under Security Configurations.
  4. Select a user from the User dropdown for which you want to assign security privileges.
  5. Click the Processes tab.
  6. Assign the selected user with access privileges by checking/unchecking the checkboxes.
  7. Click Save.

Decentralized

Use the Decentralized tab to grant distributed users access to Consolidation activities. Upon entering the Decentralized page, the entity access tree is grayed out. Select the Decentralized Consolidation checkbox to enable the entity access tree.


Perform the below steps to assign decentralized security permissions:

  1. Navigate to Maintenance > Administration > User & Role Management.
  2. Click the User tab.
  3. Click Security Options and select Consolidation Security under Security Configurations.
  4. Select a user from the User dropdown for which you want to assign security privileges.
  5. Click the Decentralized tab to grant distributed users access to consolidation activities.
  6. Select the Decentralized Consolidation checkbox.
  7. Once you’ve enabled the Entity Access Tree by selecting the Decentralized Consolidation checkbox, select the members you want the selected user to have access to. If you provide a user with access to a descendant but not its parent, the user will have access to the descendant and will have implied access to the parent member. This way, a tree can be created for the user to access only a portion of the Legal Entity/Company hierarchy.
  8. Click Save.


Enable Preview Assigned to display the Security tree in read-only mode. This view is helpful for Security Administrators to view the assigned security details for a selected user.

preview assigned

Select Export All User Security to download the list of users along with the security permissions they hold.
excel(1)

Data Integration Security

Data integration security is comprised primarily of Data Load Rules. A Data Load Rule tells the system how to handle data values in the data source during a data load.

You can assign users and user groups with data integration security options, which allows users and user groups to access specific Data Load Rule (DLR) processes. You can create data load rules to load files, copy and paste data, and use web services to load segment hierarchies, attributes, attribute hierarchies, entity hierarchies, users, HR data, currency exchange rates, and other data.

How to Set Up Data Integration Security? 

Here's how you can set up Data Integration Security for a User or User Group:

  1. Navigate to Maintenance > Administration > User & Role Management.
  2. Click the User or User Group tab.
  3. Select a user or user group you wish to give access to Data Integration Security and click the Security Options.
    Note:
    You can also select the security icon from the Security column next to the selected user.
  4. Click Data Integration Security.
    Note:
    You can select the user or user group and proceed with the security settings from this screen as well.
  5. Select one of the following options to assign to the user or user group from the Data Load Rules Access Settings section:
    • All rules (View & Load): This option is suitable for Super Users and Admins who have access to all functionality within the Data Integration module. Allows the user or user group to create new data load processes or update existing ones. Select one of the following options:
      • Create & Edit: The selected user or user group can create data load rules and will have edit privileges for all data load rules
      • Edit: The selected user or user group will only have edit privileges for all data load rules
    • Selected rules (View & Load): This option is suitable for regular users. Allows users or user groups to access restricted data load processes and corresponding translations
      • Selecting the Edit option under this section allows the users to edit only the mapped data load rules. The Unmapped and mapped data load rules information is displayed when selected (see Step 5, below)
      • Select the Unmapped ETL Processes and click the forward arrow to move the process to the Mapped ETL Processes pane, which provides the selected user or user group with access

    Note:
    ETL = Extract, Transform, and Load data from a database, as one process.
    4. Click Save. To set up or edit more users or user groups, select them from the User or User Group pull-down menu and repeat the appropriate above steps.


Important Notes on Data Integration Security

  • Users without edit permission may still upload files, modify the grid on the Select Sample Input File page, and modify all Load Data page selections
  • All functionality on the Data Load Rules page will be disabled for users without edit privileges. The Next button on the Select Sample Input File step takes the user to the Load Data step, bypassing all other pages and selections.
  • For Web Services, users without edit privileges will have access to the Load Data page only
  • For Actual Data Templates, there is a change in behavior, regardless of the option chosen
  • Users without edit privileges may not change the scenario on the Load Data page
  • Access to the Define Data Mapping page will be disabled. This impacts the option of performing a partial data load using the across-columns option. A user without edit access will not be able to map additional columns

Dimension Security

Secure dimension members (financial segments) based on reporting area and activate security for one or more dimensions.

How to Set Up Dimension Security from User & Role Management?

To set the security configuration, follow the steps below:

  1. Navigate to Maintenance > Administration > User & Role Management.
  2. Select the user for whom you want to configure Dimension Security and click the Security Options on the User page.
  3. Click Dimension Security.
    Note:
    You can also find the Dimension Security option under Maintenance > Reports > Dimension Security.

    Before providing dimension security to a user, you must configure it on the Dimension Security Configuration tab.

  4. Go to the Dimension Security Configuration tab.
  5. Select the Copy Scenario Security to Report Security checkbox when you want to apply scenario security (defined on the Scenario Accesspage) to report security so that each user has access to view specific scenarios in the Reporting module.
    Note:
    By default, this option is not selected, which means that all the scenarios are displayed (available) to all the users irrespective of the Scenario Access in the Reporting module.
  6. Select the reporting area to secure dimensions.
    • If you select the Sales reporting area, a checkbox appears. Select the Copy Sales Entity Security to Report Security checkbox to allow Planful to copy all sales entity security data to report security data
    • If you select the Financial reporting area, a checkbox appears. Select the Copy Budget Entity Security to Report Security checkbox to allow Planful to copy all budget entity security data to report security data
  7. Select the dimensions you want to secure by clicking the Secure checkbox. This activates dimension security so that you can apply it to users on the Dimension Security Setup page.
  8. Click Save.

    Once the security configuration is done, provide dimension security to the user on the Dimension Security Setup tab.

  9. Go to Dimension Security Setup tab.
  10. Select a Reporting Area to select associated dimensions.
  11. Once dimensions are displayed, click the arrow next to the dimension to access its respective hierarchy.
  12. Now, choose the necessary hierarchy for configuration.
  13. Then, click Save.

    You can set up Dimension Security for other users by changing the User name and following the steps outlined above.

Export Option:

To export the dimension security data, follow the steps below:

  1. Click the Export option.
  2. Select Export All Users or Export Selected User
    • Export All Users - Export Dimension Security reports for all users
    • Export Selected User - Export the Dimension Security report for the currently selected users
  3. Click OK and then click Continue.

Important Details:

  • Dimension Security applied to attributes cannot be exported to the Dimension Security report
  • You can download a report with a maximum size of 10MB
  • You can download a report with a maximum of 100K rows

If you select the Export Selected User option, then the Dimension Security report is downloaded directly to your system. When you select the Export All Users option, a notification is displayed that the Dimension Security report has been submitted for processing. After the process is complete, a link to download the report is displayed. You can either click the link to download or you can view the report sent to your registered email address.

When you export the Dimension Security report, all leaf members are displayed in level-based format if:

  • The user has access to a rollup member in the Dimension Hierarchy
  • The Copy Scenario Security to Report Security and Copy Budget Entity Security to Report Security checkboxes are selected on the Dimension Security Configuration page
Note:
Only one row is displayed in the report (with the appropriate text) if you have access to the root node on a hierarchy or all scenarios.

Report Access

To provide users and user groups with access to generated reports, each user or user group must be assigned access privileges. Any user with access to User & Role Management can update Report Access for a user, user group, or artifact.

To learn about how to configure Report access, click here.

Scenario Access

To provide users and user groups access to a scenario, each user or user group must be assigned access privileges.

The user will only have access to the selected scenarios and members for Reporting purposes. For example, when a user runs a report that includes a scenario the user doesn’t have access to, that scenario will not be available in the report. Similarly, if a user has permission to view a scenario when a report was created and later the permissions are revoked, the report is run for only those scenarios on which the user currently has permissions. Data will not be displayed for the scenarios for which permissions are revoked.

Note:
The Actual scenario is not subject to security and is available to all the users.


How to Assign Scenario Access to a User?

Users must have access to scenarios to perform budget input on a selected scenario entity. To assign scenario access to a user or user group, follow the steps below:

  1. Navigate to Maintenance > Administration > User & Role Management.
  2. Click the User or User Group tab.
  3. Select a user or user group you wish to give access to Scenario and click the Security Options.
    Note:
    You can also select the security icon from the Security column next to the selected user.
  4. Click Scenario Access.
    Notes:
    • The administrators can manage scenario permissions for users at the user group level in addition to the individual user level. When you select any user group and update scenario permissions, all users within the user group get access to the selected scenarios.
    • If the Scenario access is inherited from user groups, click the User Group and select the respective user group from the drop-down
    • The admin user can switch between User or User Group on the Scenario Page
  5. Select the scenarios you wish to give the user/user group access to. To provide the user/user group with access to all scenarios, click the All Scenario checkbox.
  6. Click Save.

    To set up or edit more users or user groups, select them from the User/User Group drop-down menu and repeat 3 to 5 steps.

Workforce Reporting Access

By default, users gain access to Finance and Workforce reports based on their Dimension and Budget Entity Security settings. 

The Workforce Reporting Access feature allows administrators to restrict specific users from viewing Workforce data, ensuring only authorized users can view them.

Note:
This is an opt-in feature. Contact the Planful Support team to enable the Workforce Reporting Access feature.

Once the feature is enabled, administrators can grant users permission to view the workforce data when running reports. The reports still inherit security settings from Dimension Security and Budget Entity Security.

Note:
Users without permission can still view the reports but cannot view the data within them when running reports.


How to Provide Workforce Reporting Access?

To provide users with access to Workforce Reporting, complete the following steps.

  1. Navigate to Maintenance > Administration > User & Role Management.
  2. Click the Security Configurations icon from the top menu bar. 
  3. Select Workforce Reporting Access. The Workforce Reporting Security page appears. 
  4. Select a user or user group in the Unmapped Users/User Groups pane.
  5. Click the forward arrow. The user/user group will appear in the Mapped Users/User Groups pane.
    Note:
    To add multiple users/user groups, perform steps 4 and 5.
  6. Click Save.
    Note:
    When you add charts from the Workforce Reporting Area, non-numeric measures like Start Date, Review Date, Work State, Pay Plan, etc. are not supported on the charts. However, they can be used in Tables as columns.

Dimension and Budget Entity Security

Workforce Reporting enables structured, ad hoc analysis of workforce planning dimensions and measures. Workforce Reporting is integrated into the application as a Reporting Area, allowing you to report on employee-specific compensation and other financial dimensions.


Secure Reports and Data

The following describes the ways in which Workforce Reporting security can be applied across various application features, to secure your reports and data.

Dimension and Scenario Security

Workforce Reporting inherits the Dimension Security applied to the Financial Reporting Area, for dimensions such as Company, Department, Project, etc.

Data is filtered according to user privileges for dimensions. You can also activate dimension security for each user by navigating to Maintenance > Report Administration > Dimension Security > Dimension Security Setup and assigning users to specific reporting areas.

You can also apply Dimension Security so that Scenario Security is honored in the Workforce Reporting Area by navigating to Maintenance > Report Administration > Dimension Security > Dimension Security Configuration and selecting Copy Scenario Security to Report Security.

Budget Entity Security

Data displayed in Workforce Reports is controlled using Budget Entity security, as configured via Maintenance > Administration > User & Role Management > Security Options (icon in the header) > Approval Role Setup page.

Template Access Security

HR data is displayed in Workforce Reports only if the user has access to Workforce Planning for a given budget entity. To provide Workforce Planning access for an employee:

  1. Navigate to Maintenance > Workforce > Workforce Planning Setup. The Employees page appears.
  2. Select the Budget Entity you want to provide access to.
  3. Click Add and enter user information, and then click the Save icon.

Reports Security

You can provide security to users and user groups for Workforce Reports by navigating to Maintenance > Administration > User & Role Management > User, selecting a user from the list, then clicking Security Options (icon in the header) > Report Access.

Security Example

The following table lists example security settings for a user John Doe—approval role, scenario access, and so forth—with a navigation path to the page where the settings are located:

In this example, with these settings, Workforce Reporting security is honored for Dynamic Reports, for the given scenarios and budget entities, in the following ways:

For Budget Scenario:

  • 1000-HQ-Exec —John Doe cannot access any employee data as the Approval Role on this Budget Entity does not have the HR Template mapped.
  • 1000-HQ-MKTG —John Doe can access Salaries and Bonuses data for all employees for this Scenario and Budget entity combination. However, he cannot view Non-Cash Stock Compensations and Benefits for the employees.
  • 1000-HQ-HR —John Doe cannot access any employee data as HR template mapping does not exist for this Scenario and Budget entity combination.

For Forecast Scenario :

  • 1000-HQ-MKTG —John Doe cannot access any employee data, even though HR Template is mapped to the given Scenario and Budget Entity combination, because he does not have access to the Forecast scenario.



Was this article helpful?