Hall 8 of the FCCS EPM Cloud Study Tour

Security Hall

Five layers between the internet and your consolidated data. Infrastructure is Oracle's problem. Everything from Identity Domain inward is yours. The gap that kills go-lives is not application role misconfiguration — it is the default security posture on dimension members: None, which means every provisioned user sees every entity, every account, every scenario until you explicitly restrict them.

5 Security Layers · 4 Application Roles · Dimension Security · Approval Unit Hierarchy · Default = None (⚠️ Go-Live Gap) · 5 GlobalMerge Personas
🔐 Five Security Layers
From Oracle-managed infrastructure to your Approval Unit close workflow
  1. Infrastructure Security [Oracle Managed]
     Network perimeter, DDoS protection, data centre physical security, Oracle Cloud Infrastructure (OCI) platform hardening. Fully managed by Oracle. Implementers have zero configuration responsibility here.
  2. Identity Domain (User Provisioning) [Admin Configured]
     Oracle Identity Cloud Service (IDCS) / Identity Domain manages authentication: user accounts, password policies, MFA enforcement, SSO federation with corporate IdP (Azure AD, Okta, etc.). Users must be provisioned here before they can be granted application roles in FCCS.
  3. Application Roles [FCCS Configured]
     FCCS-level roles assigned to provisioned users: Service Administrator, Power User, User, Viewer. Controls what actions a user can take in the application — running consolidations, managing metadata, entering data, read-only access. Role assignment is separate from dimension security.
  4. Dimension Security [FCCS Configured]
     Controls which dimension members a user can see and interact with — independently of their application role. Configured per dimension (Entity, Account, Scenario) per user or group. Default access for all three key dimensions is None — meaning unrestricted until explicitly configured. This is the most common go-live security gap.
  5. Approval Unit Security [FCCS Configured]
     Controls who can submit, review, approve, and lock data for specific entity-scenario-period combinations as part of the financial close workflow. Defines the escalation hierarchy: DeutschWerk Controller → Group Finance Manager → CFO. Separate from and additive to all other security layers.
⚠️ Critical Go-Live Gap — Default Security = None

The default security for the Entity, Account, and Movement dimensions in a new FCCS application is None. In FCCS security terminology, None does not mean "no access." It means no restriction — all users see all members. A freshly provisioned User-role user with no dimension security configuration can see every entity's data, every account, and every scenario across the entire application.

This is the most common security failure at go-live. Implementations that configure application roles correctly but skip dimension security ship with full data transparency. DeutschWerk's trial balance is visible to AsiaLink's controller. This must be explicitly addressed before go-live.

🎭 Four Application Roles
What each role can and cannot do — and one role that does not exist
Service Administrator · GlobalMerge: EPM Administrator
  • Full application control — metadata, security, data management, consolidation, reporting
  • Manages Identity Domain user provisioning and FCCS role assignments
  • Can lock and unlock periods, refresh the cube, deploy rules
  • The only role that can configure dimension security and Approval Units
Power User · GlobalMerge: Group Finance Manager, CFO
  • Can run consolidations, load data, manage journals, approve Approval Units
  • Cannot manage metadata, security configuration, or application settings
  • Without dimension security: sees all entity data. With dimension security: restricted to assigned entities
  • Appropriate for Finance team leads who need operational but not admin access
User · GlobalMerge: DeutschWerk Controller
  • Can enter data in data forms, create and submit journals, submit Approval Units
  • Cannot run consolidations, load data via Data Management, or manage any configuration
  • Dimension security is critical for this role — without it, User can see all entities
  • Typical persona: subsidiary controller responsible for their own entity's data input
Viewer · GlobalMerge: External Auditor
  • Read-only access to reports and data forms — no data entry, no journal creation
  • Cannot run any process — consolidation, translation, or rule execution
  • Dimension security still applies — Viewer access is scoped by dimension security filters
  • Appropriate for auditors, board members, and read-only stakeholders
⚠️ Exam Distractor — "Metadata Administrator" Does Not Exist

One of the most reliable exam distractors is "Metadata Administrator" listed as a fourth or fifth application role option. This role does not exist in FCCS. There are exactly four application roles: Service Administrator, Power User, User, and Viewer. Metadata management — importing, editing, refreshing — is performed by the Service Administrator role, not a separate Metadata Administrator role. When you see this option in an exam question, it is always wrong.

👥 Five GlobalMerge Personas
Mapping real-world roles to FCCS security configuration
🔧 EPM Administrator · Service Administrator
Owns application configuration end-to-end. Provisions users in Identity Domain, assigns FCCS roles, configures dimension security, deploys Groovy rules, manages metadata refreshes, and controls period lock/unlock. No dimension restrictions — full visibility by design.
📊 Group Finance Manager · Power User
Reviews consolidated figures, approves journals, manages the Approval Unit workflow at the group review level. Needs access to all entities to review consolidated P&L and entity submissions. Dimension security: full Entity access, full Scenario access (Actual + Budget + Forecast).
🏭 DeutschWerk Controller · User
Submits DeutschWerk trial balance data, creates journals, submits the DeutschWerk Approval Unit for review. Must be restricted to DeutschWerk entity only — no access to BritEdge, AsiaLink, or NovaTech data. Dimension security: Entity = DeutschWerk only. Scenario = Actual (can enter) + Budget (read only).
🔍 External Auditor · Viewer
Read-only access to consolidated financial statements and audit trail reports. Cannot enter data, create journals, or run any process. Dimension security configured to match their engagement scope — typically all entities but Actual scenario only. The Bursting feature in Hall 7 can deliver periodic report packages directly to this user.
💼 CFO · Power User
Final approver in the Approval Unit hierarchy — approves and locks the period after consolidation sign-off. Reviews board pack reports, approves material Enterprise Journals, manages Approval Unit at the final sign-off stage. Full Entity access, full Scenario access. The CFO's Power User role enables them to lock periods after approval — a Service Administrator is not required for this step.
📋 Access Capability Matrix
What each role can do across every key FCCS function
Capability Svc Admin Power User User Viewer
Application Administration
Manage metadata (import, edit, refresh)
Configure dimension security
Provision users / assign roles
Configure Approval Unit hierarchies
Lock / unlock periods · With AU
Deploy and manage calculation rules
Data Operations
Load data via Data Management / EPM Automate
Enter data in data forms
Run Consolidation
Run Translation
Journals
Create Standard Journals
Create Enterprise Journals
Approve Enterprise Journals
Post journals · Own entity
Reporting
View reports and data forms
Create / edit reports (Report Designer)
Create Books and Bursting definitions
Drill-through to source data
🗂️ Dimension Security — Default States & Configuration
The critical distinction: None means unrestricted, not denied
Dimension | Default Access | What "None" Means | GlobalMerge Configuration Required
Entity | None | All entity members visible and accessible to all users | DeutschWerk Controller: Entity = DeutschWerk leaf only. Group Finance Manager + CFO: all entities.
Account | None | All account members visible — no account-level restrictions | External Auditor: restrict to P&L and BS aggregates only. Hide detailed sub-accounts if sensitive.
Scenario | None | All scenarios visible — Actual, Budget, Forecast all accessible | DeutschWerk Controller: write access to Actual, read-only to Budget. No access to Forecast if not applicable.
Movement | None | All movement members accessible | Usually left unrestricted — movement security is rarely required operationally.
Year / Period | None | All years and periods accessible | Controlled via Period Lock (Hall 6) rather than dimension security in most implementations.
💡 Role + Dimension Security Are Independent Layers

A Power User with no Entity dimension security configured sees all entity data across the entire application. The Power User role grants capabilities (run consolidation, enter data) but does not restrict data visibility. Dimension security is the separate, orthogonal layer that scopes what data is visible. Both must be correctly configured — correct role assignment without dimension security leaves all entity data exposed.

Approval Unit Hierarchy — Q1 FY2026 Close
GlobalMerge's three-stage approval workflow for the Actual scenario

The Approval Unit hierarchy defines who must sign off on each entity's data before the period can be locked. It enforces the close workflow — data cannot be consolidated into the parent until all subsidiary Approval Units have been promoted through their required stages. FCCS blocks consolidation if a required Approval Unit is not at the required promotion level.

  1. DeutschWerk Controller [Submit → promote]
     Enters Q1 data → creates journals → submits Approval Unit to Group Finance Manager. Access: DeutschWerk entity only (dimension security enforced).
  2. Group Finance Manager [Review → approve/reject]
     Reviews DeutschWerk submission, validates IC eliminations, reviews Enterprise Journals. Can reject back to Controller with comments. Promotes Approval Unit to CFO after review.
  3. CFO [Sign off → lock period]
     Final review and sign-off. After CFO approves, the Approval Unit is fully promoted — the period can be locked. CFO's Power User role enables the lock action. No Service Administrator required for period lock via Approval Unit promotion.
💡 Approval Units and Bursting Security

The Approval Unit hierarchy connects directly to the Bursting behaviour described in Hall 7. When the CFO approves and locks, the Bursting job for entity reports is typically triggered. Because DeutschWerk Controller has been configured with Entity dimension security scoped to DeutschWerk only, the burst output they receive contains only DeutschWerk data — the Bursting engine enforces their dimension security filter. The Group Finance Manager, with full entity access, receives all entity outputs.

Approval Units can be configured at multiple granularities: per entity, per entity-scenario combination, or per entity-scenario-period. For GlobalMerge, the Approval Unit is configured at Entity × Scenario level (DeutschWerk × Actual), allowing the same hierarchy to govern every period close without reconfiguration. Period-specific Approval Units (DeutschWerk × Actual × Q1) are also supported but require more maintenance.

🔬 Lab Scenario — Provision GlobalMerge Security
Provision all five personas, configure dimension security, build the Approval Unit hierarchy

You are the EPM Administrator (Service Administrator) for GlobalMerge Corp. The application has been created and metadata loaded. No security has been configured — all five personas are in the Identity Domain but have no FCCS roles or dimension security. Your task is to provision the complete security configuration before the Q1 FY2026 close cycle begins.

🧰 Setup

FCCS sandbox · Service Administrator access · Identity Domain users already provisioned: epm.admin@globalmerge.com · finance.manager@globalmerge.com · deutschwerk.controller@globalmerge.com · external.auditor@auditfirm.com · cfo@globalmerge.com · All entities at metadata-ready state.

1️⃣ Exercise 1 — Provision Application Roles
Estimated time: 15 minutes
  1. Navigate to Navigator → Access Control → Manage Roles. You will see the four FCCS roles listed: Service Administrator, Power User, User, Viewer.
  2. Assign Service Administrator to epm.admin@globalmerge.com. This user is already the admin — confirm the role assignment completes without error.
  3. Assign Power User to finance.manager@globalmerge.com and to cfo@globalmerge.com.
  4. Assign User to deutschwerk.controller@globalmerge.com.
  5. Assign Viewer to external.auditor@auditfirm.com.
  6. Validation: Log in as deutschwerk.controller@globalmerge.com. Confirm the Navigator shows data forms and journals but not application administration options. Without dimension security, you should see all entity data — note this for Exercise 2.
⚠️ The Default Gap — Observe Before Fixing

Before configuring dimension security, log in as the DeutschWerk Controller and open any data form. You will see data for all entities — BritEdge, DeutschWerk, AsiaLink, NovaTech. This is the default None security state. This is what goes live if dimension security is not configured. Observe this, then fix it in Exercise 2.

2️⃣ Exercise 2 — Configure Entity Dimension Security
Estimated time: 20 minutes
  1. Navigate to Navigator → Access Control → Dimension Security. Select dimension: Entity.
  2. Locate user deutschwerk.controller@globalmerge.com. Set access for GlobalMerge (top parent) = None (no access to the group rollup). Set access for DeutschWerk = Read/Write.
  3. Confirm BritEdge, AsiaLink, NovaTech have no access assigned for this user — they inherit None from the parent override you set in Step 02.
  4. For external.auditor@auditfirm.com: set GlobalMerge = Read (read access to the consolidated total). Set all individual entities = Read. The Viewer role means they cannot enter data regardless — this Read access controls report visibility.
  5. Leave finance.manager@globalmerge.com and cfo@globalmerge.com at default (None = all access) since they need full entity visibility.
  6. Validation: Log back in as DeutschWerk Controller. Open the same data form. Confirm only DeutschWerk entity appears — BritEdge, AsiaLink, and NovaTech are no longer visible. The go-live gap is closed.
3️⃣ Exercise 3 — Configure Scenario Security & Approval Unit Hierarchy
Estimated time: 25 minutes
  1. Scenario Security: Navigate to Dimension Security → Scenario. For DeutschWerk Controller: set Actual = Read/Write, Budget = Read, leave Forecast with no access. This prevents the controller from entering Budget data (a Finance team responsibility).
  2. For External Auditor: set Actual = Read. No access to Budget or Forecast — auditors should not see forward-looking scenarios.
  3. Approval Unit Setup: Navigate to Approvals → Approval Unit Hierarchy Definition. Create a new hierarchy named: GlobalMerge_Q1_FY2026_Actual.
  4. Add DeutschWerk as an Approval Unit in the hierarchy. Configure the promotion path: Stage 1 = deutschwerk.controller@globalmerge.com (submit), Stage 2 = finance.manager@globalmerge.com (review), Stage 3 = cfo@globalmerge.com (approve and lock).
  5. Repeat for BritEdge, AsiaLink, NovaTech — each with appropriate controllers at Stage 1, the same Group Finance Manager at Stage 2, and the CFO at Stage 3.
  6. Validation test — External Auditor read-only: Log in as external.auditor@auditfirm.com. Navigate to a consolidated report. Confirm data is visible (Read access). Attempt to open a data form for input — confirm no input cells are active. Attempt to create a journal — confirm the option is not available. The Viewer role with Read dimension security is correctly enforced.
  7. Bursting security test (linking Hall 7): As the EPM Administrator, run the Q1 entity P&L Bursting job from Hall 7. Confirm DeutschWerk Controller's inbox contains only the DeutschWerk report. Confirm the External Auditor's inbox contains all entity reports (they have Read access to all entities).
✅ Security Configuration Complete

All five personas are correctly provisioned. DeutschWerk Controller is scoped to DeutschWerk entity, Actual write / Budget read. External Auditor is read-only across all entities, Actual scenario only. The Approval Unit hierarchy enforces the three-stage close sign-off. Bursting respects dimension security. The application is ready for Q1 FY2026 close.
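The lab's before and after states can be checked mechanically. The sketch below is an added example, not Oracle's code or part of the original lab: it models the role layer and the Entity and Scenario dimension layers as this page describes them, lists accounts still in the unrestricted default, and applies the same filter to Bursting recipients. `Account`, `grants`, `go_live_gaps` and `burst_outputs` are hypothetical names and the data is constructed from the lab personas; it does not call any FCCS API.

```python
"""Pre-go-live audit of role and dimension security (simplified model of this page)."""
from dataclasses import dataclass, field

LEVELS = ["none", "read", "write"]          # weakest to strongest
# Strongest data access each application role allows, per the role descriptions above.
ROLE_CAP = {"Service Administrator": "write", "Power User": "write",
            "User": "write", "Viewer": "read"}
ENTITIES = ["DeutschWerk", "BritEdge", "AsiaLink", "NovaTech"]
# Personas deliberately left unrestricted (Exercise 2, step 5).
FULL_VISIBILITY = {"finance.manager@globalmerge.com", "cfo@globalmerge.com"}


@dataclass
class Account:                               # hypothetical record, not an FCCS object
    name: str
    role: str
    # dimension -> {member: "read" | "write"}. A dimension missing here is in the
    # default state, which this page describes as unrestricted.
    grants: dict = field(default_factory=dict)


def dimension_access(acct, dimension, member):
    """Access a single dimension gives this account to one member."""
    if dimension not in acct.grants:
        return "write"                       # default state: no restriction applied
    return acct.grants[dimension].get(member, "none")


def effective_access(acct, entity, scenario):
    """Weakest of the role cap, the Entity access and the Scenario access."""
    parts = [ROLE_CAP[acct.role],
             dimension_access(acct, "Entity", entity),
             dimension_access(acct, "Scenario", scenario)]
    return min(parts, key=LEVELS.index)


def go_live_gaps(accounts, full_visibility):
    """(user, dimension) pairs still unrestricted without a documented reason."""
    gaps = []
    for acct in accounts:
        if acct.role == "Service Administrator" or acct.name in full_visibility:
            continue
        for dimension in ("Entity", "Scenario"):
            if dimension not in acct.grants:
                gaps.append((acct.name, dimension))
    return gaps


def burst_outputs(acct, entities, scenario="Actual"):
    """Entity reports a recipient receives once the dimension filter is applied."""
    return [e for e in entities if effective_access(acct, e, scenario) != "none"]


def personas(configured):
    """Constructed lab data: after Exercise 1 only, or after Exercises 2 and 3."""
    ctrl = {"Entity": {"DeutschWerk": "write"},
            "Scenario": {"Actual": "write", "Budget": "read"}}
    aud = {"Entity": {e: "read" for e in ["GlobalMerge"] + ENTITIES},
           "Scenario": {"Actual": "read"}}
    return [
        Account("epm.admin@globalmerge.com", "Service Administrator"),
        Account("finance.manager@globalmerge.com", "Power User"),
        Account("cfo@globalmerge.com", "Power User"),
        Account("deutschwerk.controller@globalmerge.com", "User",
                ctrl if configured else {}),
        Account("external.auditor@auditfirm.com", "Viewer",
                aud if configured else {}),
    ]


if __name__ == "__main__":
    for label, configured in (("after Exercise 1", False), ("after Exercise 3", True)):
        accts = personas(configured)
        controller = accts[3]
        print(label, "gaps:", go_live_gaps(accts, FULL_VISIBILITY))
        print("  controller on AsiaLink/Actual:",
              effective_access(controller, "AsiaLink", "Actual"))
        print("  controller burst:", burst_outputs(controller, ENTITIES))
```

An empty gap list is the condition to hold before the close cycle starts; any account added to `FULL_VISIBILITY` should have a recorded reason for seeing every entity.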

📝 Exam Preparation
Security Hall — Oracle FCCS Implementation Specialist objectives

Security questions in the FCCS exam reliably test: the four application roles (especially the "Metadata Administrator" distractor), the meaning of the default None dimension security setting, the independence of role and dimension security, the Approval Unit workflow, and the interaction between security and Bursting. Scenario-based questions are standard.

Question 1 of 8 · Application Roles — Distractor
A junior implementer needs to grant a user the ability to import metadata, refresh the cube, and manage dimension security. Which FCCS application role provides these capabilities?
  • A. Metadata Administrator — the dedicated role for all metadata management tasks.
  • B. Service Administrator — the only role with metadata management, security configuration, and application administration capabilities.
  • C. Power User — Power Users have full operational access including metadata import.
  • D. Application Administrator — a specific sub-role granting admin access without full Service Administrator privileges.
Correct: B. "Metadata Administrator" (A) and "Application Administrator" (D) are exam distractors — these roles do not exist in FCCS. There are exactly four application roles: Service Administrator, Power User, User, and Viewer. Metadata import, cube refresh, and dimension security configuration all require Service Administrator. Power Users cannot perform any application administration tasks.
Question 2 of 8 · Default Dimension Security
A new FCCS application has been created and metadata loaded. A User-role account is provisioned with no dimension security configured. What data can this user see?
  • A. No data — the default security of "None" means the user has no access until explicitly granted.
  • B. All data across all entities, accounts, and scenarios — "None" means no restriction, not no access.
  • C. Only the data for their own user entity as set in their Identity Domain profile.
  • D. Read-only access to all data — "None" grants read but not write by default.
Correct: B. In FCCS, the default dimension security value of None means no restriction is applied — not "no access." With no dimension security configured, a User-role account sees all entity data, all accounts, and all scenarios. This is the critical go-live gap: correctly assigned application roles combined with unconfigured dimension security leaves the full application exposed to all provisioned users.
Question 3 of 8 · Role vs Dimension Security Independence
The Group Finance Manager at GlobalMerge has the Power User role but no Entity dimension security has been configured for their account. They open a data form for AsiaLink. What do they see?
  • A. Nothing — Power User role only grants access to entities explicitly assigned in dimension security.
  • B. All AsiaLink data — no Entity dimension security configured means no restriction, so all entity data is visible.
  • C. Read-only access to AsiaLink — Power User role provides read access to all entities by default.
  • D. An error — Power Users must have explicit dimension security configured before accessing any entity.
Correct: B. Application role and dimension security are independent layers. The Power User role grants capabilities (run consolidation, enter data, manage journals) but does not restrict data visibility. Dimension security controls visibility — and with no Entity dimension security configured, there is no restriction. The Group Finance Manager sees all AsiaLink data at full Power User capability level. This is intentional for this persona — but the same logic makes it a critical gap for subsidiary controllers who should be restricted.
Question 4 of 8 · Approval Unit Workflow
DeutschWerk Controller has submitted the DeutschWerk Q1 Actual Approval Unit. The Group Finance Manager reviews it and finds an unexplained journal entry. What action should the Group Finance Manager take, and what is the outcome?
  • A. Delete the journal entry directly and re-promote the Approval Unit — Power Users can edit journals in any Approval Unit state.
  • B. Reject the Approval Unit with a comment explaining the issue. The Approval Unit is returned to the DeutschWerk Controller to correct and resubmit.
  • C. Escalate directly to the CFO — the Group Finance Manager cannot reject, only promote or escalate.
  • D. Place the Approval Unit on hold — this pauses the workflow without returning it to the submitter.
Correct: B. The Group Finance Manager can reject the Approval Unit at Stage 2. Rejection returns it to the Stage 1 owner (DeutschWerk Controller) with the rejection reason attached. The Controller must address the issue — in this case, explain or unpost the unexplained journal — and resubmit. The full rejection event is audited with timestamp and comments. This mirrors the Enterprise Journal rejection workflow from Hall 6.
Question 5 of 8 · Viewer Role Capabilities
The External Auditor has been assigned the Viewer role with Read Entity dimension security for all entities, and Read Scenario security for Actual only. They attempt to create an Enterprise Journal for BritEdge Q1 Actual. What is the result?
  • A. The journal is created but goes directly to Submitted status — Viewers can create journals but cannot validate them.
  • B. The journal is created successfully — Viewers have read access to all entities and can therefore create journals within their accessible scope.
  • C. The Viewer role does not include journal creation capability. The option is not available in the Viewer's Navigator. The journal cannot be created regardless of dimension security.
  • D. An error is raised because Q1 is locked and Viewers cannot post to locked periods.
Correct: C. The Viewer role is strictly read-only. Journal creation, data entry, consolidation runs, and all write operations are unavailable — the menu options are simply not present in the Viewer's interface. Dimension security controls what data is visible, but it cannot grant capabilities that the application role does not provide. No amount of dimension security configuration can make a Viewer into a journal creator.
Question 6 of 8 · Security Layer Ownership
The FCCS implementation team is assessing security responsibilities. Which of the following security layers is entirely Oracle's responsibility and requires no configuration by the implementation team?
  • A. Infrastructure Security — Oracle manages the OCI network perimeter, data centre physical security, and platform hardening for the cloud service.
  • B. Identity Domain — the implementation team must configure MFA, password policies, and SSO federation.
  • C. Dimension Security — Oracle pre-configures default dimension security based on the application type selected at provisioning.
  • D. Application Roles — Oracle assigns roles to users by default based on their Identity Domain profile attributes.
Correct: A. Layer 1 (Infrastructure Security) is entirely Oracle-managed. The OCI platform, network perimeter, DDoS protection, and physical data centre security are Oracle's responsibility — the implementation team has zero configuration access or responsibility here. Identity Domain (B) requires customer configuration for SSO, MFA, and user provisioning. Dimension Security (C) and Application Roles (D) are implementation-team responsibilities with no Oracle defaults set.
Question 7 of 8 · Bursting and Dimension Security
A Bursting job is configured to deliver entity P&L reports for all four GlobalMerge entities to the DeutschWerk Controller. The Controller has Entity dimension security scoped to DeutschWerk only. Which reports does the Controller receive?
  • A. All four entity reports — Bursting overrides dimension security to ensure complete distribution.
  • B. All four reports with BritEdge, AsiaLink, and NovaTech figures redacted to zero.
  • C. Only the DeutschWerk report — Bursting enforces dimension security and silently excludes entities the recipient cannot access.
  • D. The Bursting job fails entirely because the recipient lacks access to all entities in the burst definition.
Correct: C. Bursting enforces FCCS dimension security. Before generating each entity's output, the engine checks whether the designated recipient has access to that entity. Entities outside the recipient's dimension security scope are silently excluded — no output generated, no error raised, no redacted document delivered. The DeutschWerk Controller receives only the DeutschWerk report. The job does not fail — it simply produces one output instead of four for that recipient.
Question 8 of 8 · Period Lock and Approval Units
After the CFO approves the final Approval Unit for Q1 FY2026 Actual, who can lock the period, and which role is required?
  • A. Only the Service Administrator — period lock is always an admin-only function.
  • B. Only the EPM Administrator via EPM Automate — GUI-based locking requires a special admin flag.
  • C. The CFO (Power User) can lock the period after their Approval Unit promotion completes — Power Users with the final approver role in an Approval Unit hierarchy can lock periods without Service Administrator involvement.
  • D. The Group Finance Manager locks the period after the CFO approves, because Group Finance Managers manage the close calendar.
Correct: C. When an Approval Unit hierarchy is configured with a final approver stage, the user at that stage — in GlobalMerge's case the CFO (Power User) — can lock the period as part of their Approval Unit promotion action. This does not require Service Administrator involvement. Service Administrators can also lock periods directly outside of the Approval Unit workflow (for administrative corrections), but the designed close process routes the lock action through the CFO's Approval Unit promotion.