Whodunnit? A Hyperion Murder Mystery • Casey Ratliff, System Architect • Jon Harvey, EPM Practice Lead • HUGMN TechDay • 03/19/14
eCapitalAdvisors Overview • Oracle/ Hyperion/ OBIEE • Strategic assessments & technology roadmaps • Project Managers with extensive implementation experience • Business consultants with planning, financial reporting & consolidation delivery experience • Certified Oracle Planning, Essbase, HFM, OBIEE Consultants • Customer enablement services (training, hosting, extended support and managed services) • Employee lead engagements with minimal contractor utilization • Board of Director Advisors to the MN Hyperion User Group
Founded in 2001 – Profitable every year in business Performance management consulting firm Over 250 performance management customers eCapital Advisors employees: Dedicated to Enterprise Performance Management and Business Analytics, helping client better understand business drivers Proven record and high customer satisfaction Experience across a variety of industries and have worked with companies of all sizes eCapital Advisors Overview
2013 Inc. MagazineInc. 5000 award: #1558 2013 MSP Business Journal Fast50 award winner, #17
Agenda • Well, “agenda” ruins the fun of it… • Key points we’re going to cover • Who changed the system? • Who changed data? • Who changed the application objects? • New functionality in 188.8.131.52
Why audit? • Why are systems audits important? • Mandated by data set • Prevention of malicious acts • Useful for troubleshooting • The perils of not auditing?
Our story begins… • We know that our nightly batch completed successfully at 10PM • Batch runs metadata updates, redeployment and calc scripts
Our first suspect… • Was it: • Who: Col. Mustard • Where: Server console • Weapon: The EPM Configurator
Windows Event Viewer • Security log failures • System reboot • Backup conflicts • EPM Deployment Report • Architecture • Configurations • Changes to Registry
Digging in • While the IT department continues to troubleshoot… • The system is up and running fine now, but our tie outs are hosed
Who changed the data? • Data audit options available to us • SSAUDIT • Planning Data Audit • Let’s take a look at both…
SSAUDIT • Essbase.cfg setting • Tracks Essbase writes only
SSAUDIT • Generates 2 files • Generates an ALG and ATX file
SSAUDIT • ALG File • History records from every update transaction • Includes user name, time stamp, and number of updated rows
SSAUDIT • ATX File • Transaction records in a format that can be used as the input source for data load
Planning Data Audit • 184.108.40.206, 220.127.116.11 (Administration→Application→Reports) • 18.104.22.168 (Tools→Reports)
Our next suspect • Who: Nick Chihak • Where: Planning App • Weapon: Data Form
The Plot Thickens… Who would try to frame Nick???
Shared Services Audit Reports • What information is available to us in Shared Services?
Shared Services Audit Reports • The catch – not enabled by default
Looking back, the fake ID only changed one YearTotal dollar amount, but our variances are much bigger. • Could calcs or other objects have been changed?
Now what? • We know the batch completed successfully, like it always does • The nightly batch does a bunch of stuff, including: • Imports Metadata • Redeploys the application • Runs calc scripts • Runs report scripts • Let’s take a look at what information is available to us about these objects’ change histories…
Were Objects Modified? (Calc Manager) • No history of changes, but has user ID and date
Were Objects Modified? (Essbase) • No history, no user ID, only update date
Where do we look next? • One of the first places we should have looked, EAS: • Half of the Entity dimension is missing!
Were Objects Modified in EPMA? • We found our culprit!
The Culprit • It was: • Who: Jim Farley • Where: Dimension Library • Weapon: Import Profile
22.214.171.124 • Fun exercise, but could have been a lot easier in 126.96.36.199 • New in Shared Services 188.8.131.52: • “Artifact Change Reports”