FDMEE Security simplified

FDMEE Security can be a bit of a headache so in this blog I want to look at it in a bit more detail. I have never been happy with the sheer number of native groups that are created. All the literature on the subject says the same thing about designing security so here’s my opinion for what it’s worth.

There are two things to consider: user access and location access. Security by location is optional; if it is not enabled, every user has access to all locations. Every application I have seen has it enabled. With security by location enabled, FDMEE creates Shared Services native groups, one for each combination of location and location security template, and a user only gets access to a location by being added to that location's group. You can then provision the users, the location native groups, or both.

In a typical application you would have DATALOAD and DATAMAP style location security templates, and possibly others. Each template carries a security role (e.g. Run Integration, Intermediate2) and, because a native group is generated per location and template, this gives you a set of provisioned native groups for every location. Add the users to the relevant native group for their locations and that's it. The users are not provisioned directly; their access comes from the security role applied to the location native groups they belong to.

As an example, say you have two locations, London and Paris, and two security templates, both with the prefix FDMEE and with the suffixes DataLoad and DataMap respectively, each with the relevant role applied. This gives you four native groups in Shared Services: FDMEE_London_DataLoad, FDMEE_London_DataMap, FDMEE_Paris_DataLoad and FDMEE_Paris_DataMap.

So you provision the location native groups and add the users to those groups. You could also provision the users directly, but then you are assigning security in two different places, which makes things very confusing.

Why would you have different security templates, producing a variety of roles per location? The reason must be that this allows a user's security role to change by location, i.e. data loader here and data mapper there. The problem is that FDMEE security doesn't work that way (tested in 11.1.2.3 and 11.1.2.4 up to the .210 patch). If a user is provisioned, by whatever route, through more than one native group (e.g. DataLoad for London, DataMap for Paris), the permissions accumulate: the user has the same access rights in all of their locations. If the user is provisioned to manage the maps in one location, they can manage the maps in every location they have access to.

In effect, this means the security is based on the user, not the location, so having multiple security templates per location is pointless. You need just one location security template (e.g. FDMEE_<location>_Access) with no permissions or roles set on it; it exists only to give users access to locations. Adding a user to a location native group then grants access to that location and nothing else, because there is no provisioning associated with the group. You then create three or four native groups for the users, e.g. FDMEE_DATALOAD, FDMEE_DATAMAP and FDMEE_ADMIN, provision those appropriately and add the users to the relevant groups.

If you provision the user rather than the location, security is much simpler in several respects. Firstly, there are far fewer location native groups; you still have to add the users to them, but the list is much shorter. Secondly, the security is provisioned in one place, the user native group. If you provision the location groups instead, you have to check what security a user has in every one of their location groups to work out the access they actually have. Worse, if someone asks who can manage the maps in a location, you have to list every user with any kind of access to that location and then check what access each of them has in all their other locations. Following on from the previous example, if the country manager asks who can change the maps in Paris, it is not enough to look at the members of FDMEE_Paris_DataMap. You also have to look at the members of FDMEE_Paris_DataLoad and then check whether any of them have been added to a DataMap group for some other location.
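To make the accumulation behaviour and its effect on the Paris audit concrete, here is an added model of the two designs. This is illustrative code written for this post, not FDMEE or Shared Services code; it assumes the <prefix>_<location>_<template> group names used above, uses "Manage Maps" as a stand-in label for whatever role allows mapping changes (only "Run Integration" is a real role name from the post), and encodes the effective-access rule exactly as the post reports it: the roles on every group a user belongs to are unioned and then apply to every location the user can reach.

```python
"""Model of FDMEE location security under the two provisioning designs.

Illustrative code, not FDMEE/Shared Services code. Group names, membership
and the "Manage Maps" role label are constructed for the example; the
accumulation rule in effective_access() is the behaviour the post describes.
"""

# Design A (constructed): role-bearing location templates, a group per
# location x template. Each entry: group -> (location granted, roles on group).
DESIGN_A_GROUPS = {
    "FDMEE_London_DataLoad": ("London", {"Run Integration"}),
    "FDMEE_London_DataMap": ("London", {"Run Integration", "Manage Maps"}),
    "FDMEE_Paris_DataLoad": ("Paris", {"Run Integration"}),
    "FDMEE_Paris_DataMap": ("Paris", {"Run Integration", "Manage Maps"}),
}
DESIGN_A_MEMBERS = {
    # Intended: alice maintains maps in London but only loads data in Paris.
    "alice": {"FDMEE_London_DataMap", "FDMEE_Paris_DataLoad"},
    "bob": {"FDMEE_Paris_DataLoad"},
    "carol": {"FDMEE_Paris_DataMap"},
}

# Design B (constructed): one role-less location template plus user role
# groups. A location of None marks a user role group; it grants no location.
DESIGN_B_GROUPS = {
    "FDMEE_London_Access": ("London", set()),
    "FDMEE_Paris_Access": ("Paris", set()),
    "FDMEE_DATALOAD": (None, {"Run Integration"}),
    "FDMEE_DATAMAP": (None, {"Run Integration", "Manage Maps"}),
}
DESIGN_B_MEMBERS = {
    "alice": {"FDMEE_London_Access", "FDMEE_Paris_Access", "FDMEE_DATAMAP"},
    "bob": {"FDMEE_Paris_Access", "FDMEE_DATALOAD"},
    "carol": {"FDMEE_Paris_Access", "FDMEE_DATAMAP"},
}


def effective_access(user, groups, members):
    """Roles the user actually holds per location under the accumulation rule.

    Roles from every group the user is in are unioned, then applied to every
    location any of those groups grants. Returns {location: frozenset(roles)}.
    """
    locations, roles = set(), set()
    for group in members.get(user, ()):
        location, group_roles = groups[group]
        if location is not None:
            locations.add(location)
        roles |= group_roles
    return {loc: frozenset(roles) for loc in sorted(locations)}


def users_with_role(location, role, groups, members):
    """Correct audit for either design: who holds `role` at `location`."""
    return sorted(
        user for user in members
        if role in effective_access(user, groups, members).get(location, frozenset())
    )


def naive_audit(location, role, groups, members):
    """The tempting shortcut under design A: read only the location groups
    whose own provisioning carries the role. Misses users who pick the role
    up from a different location's group."""
    carrying = {g for g, (loc, roles) in groups.items() if loc == location and role in roles}
    return sorted(user for user, gs in members.items() if gs & carrying)


def audit_by_membership(location, role, groups, members):
    """Audit under design B: in the location's access group AND in a user
    role group carrying the role. Two membership lists answer the question."""
    access = {g for g, (loc, _) in groups.items() if loc == location}
    carrying = {g for g, (loc, roles) in groups.items() if loc is None and role in roles}
    return sorted(user for user, gs in members.items() if gs & access and gs & carrying)


if __name__ == "__main__":
    print("alice, design A:", effective_access("alice", DESIGN_A_GROUPS, DESIGN_A_MEMBERS))
    print("Paris map managers, naive (A):", naive_audit("Paris", "Manage Maps", DESIGN_A_GROUPS, DESIGN_A_MEMBERS))
    print("Paris map managers, actual (A):", users_with_role("Paris", "Manage Maps", DESIGN_A_GROUPS, DESIGN_A_MEMBERS))
    print("Paris map managers, by membership (B):", audit_by_membership("Paris", "Manage Maps", DESIGN_B_GROUPS, DESIGN_B_MEMBERS))
```

Under design A the naive check of FDMEE_Paris_DataMap returns only carol, while the effective-access check also returns alice, whose Manage Maps role came from FDMEE_London_DataMap and accumulated onto Paris. Under design B the membership intersection of FDMEE_Paris_Access and FDMEE_DATAMAP gives the same answer as the effective-access check, so the audit needs no cross-location search.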