Been having some fun with EPBCS security lately and partial / selective migrations. So many pods, so little time?
I’ve had to do these partial migrations many times before, but every time I feel like I’m starting from scratch. I figured I would create a guide of what security files are available and where under Migrations. It’s confusing enough that there are two “nodes” where you can export security from in Planning Cloud (Core > Security, and Groups and Membership). So, what do you export and from where, when you want to migrate only some groups, or a handful of users, or one group’s access, etc?
Here’s what I’ve come up with:
- Core / Security / Access Permissions / Groups / <group_name>
- XML (<group_name>.xml). File lists the group’s dimension access. It does not list who belongs to the group, or anything else. Importing this XML alone does not create the group (see Cute Trick #3 – Adventures EPBCS in Security Migration).
- Core / Security / Access Permissions / Users
- XML (Users.xml). Dimension member access given directly to individual users. Not the best approach to security, so ideally you don’t have much in here.
- Groups and Membership / Native Directory / Groups
- CSV (Groups.csv). In one single file, it lists all your custom, native directory groups and who belongs to them. If you follow the format, you can edit the file to add and delete users from groups (doesn’t work for adding or removing groups). If you import this file from one server to another, your groups will merge, and while you will get a failure if the users in the source don’t exist in the destination, the new groups will still be created (just the groups, not their access).
- Groups and Membership / Native Directory / Assigned Roles / Foundation / Shared Services
- CSV (Shared Services.csv). Lists all groups or users with Foundation application level roles (the ones assigned from Access Control > Assign Application Roles). By the way, I’m working on a blog post that lists which record code is equivalent to each role. Stay tuned.
- Groups and Membership / Native Directory / Assigned Roles / Default Application Group / <app_name>
- CSV (<app_name>.csv). Lists all groups or users with application level roles (the ones assigned from Access Control > Assign Application Roles) other than the ones that appear in Shared Services.csv or FDM Enterprise Edition.csv.
- Groups and Membership / Native Directory / Assigned Roles / Default Application Group / Document Repository
- CSV (Document Repository.csv). Application level role assignment does not seem to have an effect on this one. From what I’ve tested, as soon as a group is created a record is added to this file and that’s it. But then again, I’m not working with reports so that could be why. If you see anything different, let me know in the comments below!
- Groups and Membership / Native Directory / Assigned Roles / FDM / FDM Enterprise Edition
- CSV (FDM Enterprise Edition.csv). Lists all groups or users with FDM application level roles (the ones assigned from Access Control > Assign Application Roles).
- Groups and Membership / External Directory / Roles / <role_name>
- CSV. One file per OOTB role (example: <instance_name> Service Administrator) Each file lists all users that belong to each of the roles.
- Groups and Membership / External Directory / Users
- CSV (Users.csv). Flat lists of all users, SSO or otherwise. Importing this file however will not create users in the destination environment.
A few additional notes:
- From the documentation: “You can no longer use Access Control to import group information from a file to create groups. Similarly you cannot export group information using Access Control. You may use Migration or EPM Automate commands to export and import groups”.
- There is also EPM Automate’s importAppSecurity and exportAppSecurity commands. I know the format if different than the files above but I’ve not played much with these. When I get to it I’ll write another post contrasting both.