DTXEPM2018

$100 Discount
 EPMDALLASMeetUp
$25 Discount
(New Members Only)
That’s Not In the Documentation…
Gotcha’s During PBCS Implementation at GameStop
Presented by Trey Daniel, FP&A Sr. Manger and Global Hyperion Administrator
About Me
o Over 12 years working with Hyperion as both Consultant/Oracle Partner & Customer
o PricewaterhouseCoopers, LLP (PwC) – 2004 to 2010
o Accenture – 2010 to 2014 (with 2 years as US Hyperion Data Integration Lead)
o GameStop – FP&A Senior Manager and Global Hyperion Administrator, 2014 to Current

o Oracle Certified Implementation Specialist

o HFM 11 (obtained in 2012)
o Essbase (obtained in 2013)

o B.S., Management Information Systems & MBA, Louisiana State University (LSU)
o http://www.linkedin.com/treydaniel
Trey’s Safe Harbors
o Oracle Cloud applications are changing monthly; “Monthly Update” cloud services email
o I may have misread / skipped over / forgot a part in the documentation 
o Many ways to achieve the same outcome in Hyperion apps
o Check Oracle By Example (OBE), blogs, YouTube, books, etc. on building & using PBCS
GameStop Company Overview
A lobal family of specialty retail brands that makes the most popular technologies affordable & simple
GameStop PBCS Project Overview
o Combined one Essbase cube + one Planning application into a single PBCS application
o 4 Plan Types (Balance Sheet, Income Statement, Product/Statistics, and Consolidated)
o Migrated Hyperion users from Windows 7 32-bit / Office 2010 32-bit / Essbase Add-In
to Windows 10 64-bit / Office 2016 64-bit / Smart View
o User-driven conversion from historical Essbase Add-In to Smart View retrieves
o Migrated legacy SQL-based mapping solutions to Data Management within PBCS
o Enabled integration with existing Salt Lake City PBCS cube via Data Management
o Implemented Single Sign On (SSO) with GameStop MSAD credentials

 Went live for Oct FY17 Actuals close & Forecast creation on Sep 28, 2017
Oracle Cloud My Services
o Replaces Shared Services for user, security group role creation, security group provisioning,
and MSAD/SSO Connections
o Shared Services Native Directory User = Oracle Cloud Identity Domain User
o Shared Services External Authentication User = SSO Identity Provider User
Adding Oracle Cloud Identity Domain Users
o Each user must have a unique email address, which causes issues for creating test users
o However, Jake created a clever Gmail hack for this: http://turrellconsulting.com/blog/?p=769
o Check “Maintain Identity Domain Credentials” for any admins using EPM Automate (more
on this later…)
Custom Roles…What Do You Say You Do Here?
o Per Oracle’s documentation, “Users must be assigned to predefined roles that grant them
access to business functions and associated data“
o While you can create them and assign users to them, they can’t be used for Security Role
Groups / don’t show up in Security for dimension members
o Maybe more functionality added later?
Access Control Groups Though…
o Create Access Control Groups for Member Security (Read/Write access to member data)
o Assign users to Access Control Groups, assign Access Control Groups to Member Security
Security – Predefined Task Roles
o PBCS has 4 pre-packaged PBCS Task Roles (“what you can do”)
– Planning Viewer
– Planning User
– Planning Power User
– Planning Service Administrator

o Additionally, the users receiving the initial Oracle Cloud setup email will be setup as the
Identity Domain Administrator, (aka “Provisioning Manager” in Shared Services) and can
provision users to the above 4 groups + gets Oracle Cloud emails

o Can add additional Ad Hoc Grid, Approvals, Calc Manager, Mass Allocate, and Task Manager
to individual users, but not to 4 pre-packaged PBCS Task Roles
SSO Configuration from My Services
o I’m not an SSO or Network Security guy, so GameStop IT setup this part
o Okta and other SSO providers have pre-configured PBCS configurations to ease setup
SSO Configuration from My Services
o Once the above 3 steps are configured, click “Test” to ensure the connection works
o If the SSO Test is successful, click “Enable SSO” to enable the PBCS app with SSO
o Enable “Sign in to Oracle Cloud Services with Identity Domain Credentials” to ensure
admin’s with the previous “Maintain Identity Domain Credentials” in their user profile can
1) utilize EPM Automate with SSO enabled & 2) access the PBCS app should the SSO
connection or configuration ever fail/change
SSO Not Enabled – Sign in With Oracle Cloud ID
o Users sign in with their Oracle Cloud Identity Domain User ID and password
SSO Enabled – “Company Sign In” appears
o For Web Interface or Smart View, users simply click “Company Sign In” and are logged in via
SSO application for their company
o Additionally, check the “Remember my choice” to bypass this screen for non-admin users
o For admin users, keep unchecked so they can still get into PBCS if SSO goes down
Security – Provisioning Bulk Users
o While you can bulk Add users, there is no built-in bulk Provisioning users
o Alternatives I have read about include:
 Downloading the PBCS Security artifacts, editing the XML file, and re-uploading
 Potentially using REST API to cobble something together

o As I had a limited number of users, I manually added the users to My Services & GameStop
IT manually added to the SSO group on their end

o Applications with larger user counts may need to analyze one of the above 2 options until
bulk provisioning is included in PBCS
Security – All Plan Types or None
o Provisioning users to Task Roles or dimension member security goes across all Plan Types
(cubes) in the PBCS application

o In our design, we originally only had FP&A users writing to the Income Statement cube
since only a small group performed a high level Balance Sheet budget

o However, in building the security, we had to pivot and update the security design to account
for those FP&A users having write access to specific members in all cubes
EPM Automate
o Replaces the Essbase Client & MAXL for automation of application tasks
o Uses a .bat file calling an EPM Automate command & its parameters
o Download simple .exe from Reporting – Explore Repository – Tools – Install – EPM Automate

o I did not have to mess with Windows System or User Path Variables unlike installing the
Essbase Client, which was a giant improvement since I couldn’t terminal into the server
o Include “> \\server\folder\logfilename.txt” to capture the log output somewhere
EPM Automate & SSO
o EPM Automates works great with non-SSO-enabled PBCS apps (hooray!)
o EPM Automate originally did not work with SSO-enabled PBCS apps (big problem!)

o PBCS now works with SSO-enabled PBCS apps using the following configurations:
1. Enable “Sign in to Oracle Cloud Services with Identity Domain Credentials” in SSO Configuration
2. Check “Maintain Identity Domain Credentials” in Users profile for any admins or system accounts
3. In the EPM Automate .bat file, login via the Oracle Cloud Identity Domain password for the admin
or system account user, not the SSO / Provider Domain password
Encrypting Password in EPM Automate
o Since EPM Automate is used via a .bat file likely sitting on a network folder or server + is
likely tied to a powerful admin or system account, ensure the password used is encrypted

o call epmautomate encrypt password privatekey \\server\folder\passwordfile.epw

o Call epmautoamte encrypt: EPM Automate encryption command
o password: the password you are going to encrypt
o privatekey: you choose the name of the Private Key that stores the encrypted password
o \\server\folder\passwordfile.epw: Output location of the encrypted password (.epw) file

o The October 2017 PBCS update on Oct 20 will “now accept internet proxy server domain,
user name, and password as optional parameters”
EPM Automate with Multiple Cubes
o We have 2 separate PBCS apps (HQ in Grapevine & subsidiary in Salt Lake City)
o For jobs moving Actuals, Forecast, and Budget between them, I needed to login and run
jobs on both PBCS apps in a single process
o When running multiple EPM Automate Login/Logout commands in a single .bat file, EPM
Automate would stop running after the first encountered Logout

o Therefore, I needed to create multiple .bat files, called by a master .bat file:
1. Login to HQ PBCS, run clear current Forecast data, logout of HQ PBCS
2. Login to SLC PBCS, copy Forecast to HQ PBCS via Data Management, logout of SLC PBCS
3. Login to HQ PBCS, run agg on updated Forecast data, logout of HQ PBCS
EPM Automate Server Location
o By default, epmautomate.exe will install to C:\Oracle\EPMAutomate\bin
o When manually kicking off an EPM Automate .bat file outside this location, you are fine
o When trying to schedule an EPM Automate via Windows Task Scheduler or other task
automation software, I had to put the EPM Automate .bat file in the C:\Oracle
\EPMAutomate\bin folder
o Additionally, you need to include “C:\Oracle\EPMAutomate\bin” in the “Start In” box of the
“Task” tab of your Windows Task Scheduler job

o Is there an easier way to point Java to somewhere outside this C: drive…maybe?

Data Management – PBCS to PBCS Integration
o Out-of-the-box support from integration data from one PBCS cube to another
o OK if they are on different PBCS domains

1. Add new Target application

2. Select “Cloud”
3. Enter PBCS application details ->
4. “Refresh Metadata” to establish connection and update Dimension Details
5. “Refresh Members” to import members for Target Mapping selection
6. Create Import Format, Location, etc. with other PBCS as the Target Application
Data Management – SQL Mapping Scripts
o SQL Mapping Scripts ARE supported in Data Management! Previous PBCS documentation
had said otherwise (still no Jython scripting or custom events like on-prem FDMEE)
Data Management – Clear Fail on Export Replace
o Data Management clears Years, Period, Version, Entity, and Scenario using Replace in an
Open Batch definition (or “Store Data” when running manually)
o Since custom scripting is not supported in PBCS Data Management, we can’t implement
solutions like FDMEE on-prem or in previous FDM application where we scan the Import
step data to ensure it exists in PBCS
o Therefore, we ran into the issue of members in the Import data that weren’t setup in PBCS,
and are causing a fail on the clear script portion of Replace in the Export step, not the load
portion
o Therefore, when exporting the Process Details log for the failed Export step, we ended up
with a giant Clear Script string of 100’s of Entity members it was trying to clear, instead of
the real Entity that was missing from PBCS
Data Management – Clear Fail on Export Replace
o To get around this problem, we did the following as part of EPM Automate jobs:
1. Wrote a Business Rule (for BSO cubes) or Clear Cube job (for ASO cubes) to clear all data for the
Companies being loaded to from the specific GL
2. Ran the normal “Replace” Import step in the Open Batch definition
3. Ran a “Add” Export step in the Open Batch definition

o While new Entity members may be in the imported GL data but not PBCS, the individual
Entity members were now called out clearly in the Export load errors & prevented use from
trying to hunt down the missing member in a giant Clear script or VLOOKUP against PBCS
metadata

o Yes, ideally our business partners would tell us of all new GL members added 
Data Maps – Length of Clear Script Error
o Data Maps are a nice, no-code required way to clear target & move source data from one
PBCS Plan Type to another

o However, when clearing data in my Target Plan Type before loading from my Source Plan
Type (an option in Data Maps), I got an error that my PBCS-generated clear script was
something along the lines of “longer than 1000 KB”. Keep in mind this length of the clear
script, not the amount of data attempted to be cleared!

o Since I can’t reduce the number of entities I’m trying to clear and load to , I created a Clear
Cube job that performs the same clear script in the Target Plan Type, and am running that
via EPM Automate before performing the Data Map
Hyperion Financial [Web] Reporting (HFR)
o Only available via HFR Web Studio, no more desktop HFR Studio

o For bursting via HFR Batches:

o Logon Credentials actually validate in real-time instead of after clicking through 16 steps & finding
out in the “On Failure” email
o No configuration of the Export Directory in Java files, automatically defaults to PBCS Inbox/Outbox
Backup/Disaster Recovery – Set Timing
o Since PBCS is a SaaS solution, Oracle provides a nightly backup and maintenance window for
your application, which is stored in an Application Snapshot on their servers

o Be sure to set the Daily Maintenance Time that you want Oracle to perform this up-to-an-
hour backup and patching, assumingly when no users will be online

o Oracle previously required you to have the cubes refreshed before this step took place, so I
still have a “Refresh Database” job set an hour before Daily Maintenance starts
Backup/Disaster Recovery – Local Copy
o Your Application Snapshot is updated daily, so no rolling backups kept by Oracle
o Download your Application Snapshot to your own local servers in the highly unlikely event
of a catastrophic and unrecoverable server event at Oracle + use to refresh QA
o “Essbase Data” in Application Snapshot data is saved as .ind/.pag (BSO) or .dat (ASO) files

o I setup a 7-day-rolling, local PBCS application backup via the following:

1. Windows Task Scheduler runs my Nightly Backup .bat file 1 hour after the Daily Maintenance
2. The .bat file clears out the data in last week’s weekday folder
3. EPM Automate runs an “exportsnapshot” job to the PBCS Inbox/Outbox
4. EPM Automate runs a series of “exportdata” jobs to save Essbase data as delimited text files
5. EPM Automate runs a “downloadfile” job to download the Artifact Snapshot onto our servers
6. The .bat file moves the Artifact Snapshot into the empty weekday folder
Backup/Disaster Recovery - QA Refresh
o Upload PRD Snapshot to QA’s “Migration” module before deleting old QA application
o Refresh blank QA with PRD Snapshot via “Migration” option; select minimum-needed
artifacts for QA refresh
Backup/Disaster Recovery - QA Refresh
o Monitor the QA Refresh with the Migration Status Report
o Investigate anything that fails
PRD vs QA Background Colors
o Change the background color between PRD and QA to distinguish between environments
o Careful as not ALL backgrounds in QA will change to a different color

Production (Dark Blue, default)

QA (Crisp Green)
Where Are My EAS Sessions?
o Tucked away in the “Rules” module, obviously
o PBCS Menu – “Create and Manage” – “Rules” – “Actions” – “Database Properties”
Where Are My EAS Sessions?
o Same Action and Request Type filters to kill just like EAS, now prettier
Where Are My EAS Cube Properties?
o Same area, but left click on the specific Plan Type
Thank You!