Bloggers Note: This post is about basic DRM security modeling and does not include any workflow/DRG security. I’m working on a DRG post for the near future – so if you have any specific DRG questions, send them to and I’ll address them.

For DRM Basic Security, there are 3 different levels of security available: Object Access Groups, Node Access Groups, and User Roles. By using these 3 security options, different levels of access, hierarchy access, and object access can be achieved for all user types.

Object Access Groups

Object level security refers to the actual data-extraction/data-manipulation objects that reside within DRM. Examples of objects that can be maintained with “Object Level Security” include:

Applies to:

  • Saved Queries
  • Compare Reports
  • Exports
  • Imports
  • Blenders
  • External Connections (connections to databases or server folders)

These objects can be put into 3 out of the box groups, User, Standard, or System. Additionally, other custom “Object Access Groups” can be created and maintained – such as exports for only specific users (HFM specific exports for example).

User – Personal objects that are only available to an individual user to view and run. All user roles have the ability to create and manage objects of this access level.

Standard – Public objects that are available to all users to view and run. Only Data Manager role users have the ability to create and manage objects of this access level.

System – Restricted objects that are only available to Application Administrator role users to view and run. Only those users have the ability to create and manage objects of this access level.

To create a custom Object Access Group, go to the Administer menu and select New > Object Access Group. Name the group, then select the users for the group using the blue arrows, and then the associated Node Access Groups on the second tab.

Screen Shot 2015-04-21 at 3.45.36 PM

Then, when saving Objects like Exports, save them to the Object Access Group (using the drop-downs). To move objects from one Object Access Group to another, you must do a “Save As” of the object to the new Object Access Group, and then delete it out of the old Object Access Group.

Node Access Groups

Data Relationship Management controls granular user access to hierarchy nodes and their properties using Node Access Groups. You can assign users to groups that are granted access to specific nodes in a subset of hierarchies within a (Normal, Working) version. Node access groups use inheritance to assign similar access to descendant nodes of a hierarchy node where an access level has been explicitly assigned. This level of access can be overridden at a lower level or can be locked to prevent overrides.

Typically, node access groups represent functional areas of an organization, and a user may require assignment to multiple groups. If assigned access levels conflict, the highest security level is used.


  • Allow Product Owner to only update Product hierarchies (not all metadata hierarchies).
  • Allow Asset Accountant to add only base level accounts to specific Asset parent nodes.

To assign Node Access Groups to a hierarchy, go to the top node of the hierarchy and either select Nodes > Assign > Node Access or right click and select Assign > Node Access.


In the right hand property panel, the Category drop-down will change to “Limb Access” and have a list of the Node Access Groups and their associated access level. For each Node Access Group, set the appropriate level for the dimension. Remember, this is just for the Limb members at this time.

Then in the Category drop-down, select “Leaf Access” and assign the Node Access groups access for Leaf members of the hierarchy. When you are complete, press “Save” in the bottom of the property panel.


There are 7 levels of access for the Limb/Leaf Access for each Node Access Group:

  • None
  • Read
    • Read-only, view, report, cannot change
  • Limited-Insert
    • Users have Global access to the node, and can insert into the hierarchy
  • Edit
    • Users can edit the properties in the right-hand panel
  • Insert
    • Users can insert, remove, and move nodes, in addition to Edit functions
  • Inactivate
    • Users can be inactivate or re-activate nodes, in addition to privileges from Read + Limited-Insert + Edit + Insert functions
  • Add
    • Users can add or delete nodes, in addition to Inactivate, Insert, Edit, and Limited-Insert functions

User Roles

User Roles control what actions a user can do, for their appropriate Object Access Security and Node Access Group Security. The user roles are kind of like the different levels for planning – read only users vs. planner users vs. admin users. The highest level of security for DRM always takes precedence.

Using more than one role per user can accomplish different types of access. For example, you may want an administrative user to have access to edit the metadata/property placeholders of the application, but also be able to provision new users. To accomplish this, the admin user should be provisioned the Application Administrator and the Access Manager roles.

For a more detailed diagram of the types of user roles and activities per role, visit the Oracle’s DRM Administrator Guide. View the section Page 22, “User Roles”.

  • Access Manager
    • Audit user transactions & system transactions
    • Manage users & roles
    • Manage node access groups
    • Manage property access
  • Anonymous User
    • Basic “read only” user role
    • Browse versions/hierarchies/properties
    • Run queries
    • Run compares
    • Run exports of data
  • Application Administrator
    • Browse versions/hierarchies/properties
    • Manage system level queries
    • Manage system level compares
    • Manage system level exports
    • Manage system level imports
    • Manage system level blenders
    • Run Action Scripts
    • Manage application – properties, system configuration props, etc.
    • Audit user & system transactions
  • Data Creator
    • Browse versions/hierarchies/properties
    • Create versions and hierarchies
    • Manage user level queries
    • Manage user level compares
    • Manage user level exports
    • Manage user level imports
    • Manage user level blenders
  • Data Manager
    • Manage versions (need)
    • Manage hierarchies
    • Manage user & standard level queries
    • Manage user & standard level compares
    • Manage user & standard exports
    • Manage user & standard imports
    • Manage user & standard blenders
    • Run Action Scripts
    • Manage property lists (property categories, node type lists)
  • Interactive User
    • Browse versions/hierarchies/properties (read-only)
    • Manage user level queries
    • Manage user level compares
    • Manage user level exports
    • Run Action Scripts
    • Audit transaction history for users and system
  • Workflow User (for DRG only)
    • Browse versions/hierarchies/properties (read-only)
    • Create DRG requests
    • Run queries
    • Run compares
    • Run exports
    • Audit user transactions