Essbase - Shared services security , User provison

Similar Messages

• Essbase, shared services, projects, users

  I have installed shared services and cnfigured it
  now installed essbase
  EAS
  Provider services
  and configured in the above mentioned manner
  (DID not start essbase and EAS till now)
  when I log into shared services....i see only bussines rules under projects
  no analytical services under unassigned applications.....
  how can i see essbase server in shared services user management console.......
  it might be a basic funda....i am not getting
  help me in solving this....
  Thanks in advance

  Hi,
  Have you converted essbase from native security mode to shared services security.
  In EAS, right click security and choose "Externalize users"
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Essbase - Shared Services - Maxl - User creation

  Hi,
  I have an issue looking similar to [Automating User/Group creation & Assigning filters in Shared Services|http://forums.oracle.com/forums/thread.jspa?threadID=1009127]
  When trying to add internal groups to an external MSAD user, I get following messages:
  h3. when adding a group to an external user:
  h6. alter user 'x29027' add 'GR_GROUP';
  Maxl returns:
  h6. Statement executed with warnings.
  h6. User x29027 does not exist
  => the system does not recognize the user
  h3. when trying to create this user first as an internal user
  (based the settings from on another external user)
  h6. create or replace user 'x29027' identified by 'password' as 'i09740';
  Maxl returns:
  h6. Statement executed with warnings.
  h6. A user/group with the same name (x29027) exist at Shared Services
  => the system does recognize the user in MSAD!
  ===> both statements seem to be contradictory!!!
  h3. Other remarks/thoughts:
  - we have two MSAD links (to two different domains), does this matter?
  - no difference when addressing users as x29027@MSAD_FIB (a syntax similar to the HSS security report output)
  - any possibilities in creating a user internally first (using the 'as' option; to copy settings from another user) and then moving to external? (like alter user 'Test_EDR4' set type external;)
  Thanks in advance
  Erik
  Environment: Essbase 9.3.1.3. with Shared Services

  Hi Erik,
  When you create an user in Essbase, the user will be created both in Essbase as well as Shared Service,
  where as when you create an user in Shared service, the user will not be created in essbase untill you perform refresh.
  In your case you can create the external user in Essasbe by using "Create user 'x29027' type external;'.
  By this you will be creating the user in Essbase and the particular user is recognised in Essbase.
  Now you can add him to any group.
  - Krish

• Integrate active directory with Planning/ Essbase shared services security

  Hi All,
  we try to set up MSAD integration for Planning and Essbase 9.3.1.
  Everyting works fine but the accounts that pop up are first and last name in the user field instead of the userid used in windows to login. so in windows i login with mroest but now in Hyperion i have to use Marc Roest.
  DC=NL, DC=xxxx, DC=Corp
  ID Attribute = ObjectGUID
  User DN: CN=Adm Hyperion, OU=xxxx, OU=Utr
  Can anyone please help how to use the samID as defined in MSAD instead of the full name as is now?
  Thanks very much in advance,
  Marc

  Hi John.
  Do you know why OpenLDAP database would not migrate to the unique identity attribute say if I use sAMAccountName for the ID Attribute field on the MSAD User Configuration screen in Shared Service? It will not update the identity in OpenLDAP when I browse it, even after all the services have been restarted, including OpenLDAP and Shared Services...
  Any help would be appreciated.
  Thanks
  .-a furstrated programmer...

• Essbase - Shared Services security problem

  In a Shared services enabled Essbase server,
  For a user/group can we define different access levels (say Read on one & Write on the other) to different databases belonging to the same application (BSO)?
  If not, Is there any alternative?
  Appreciate your thoughts.
  Thanks,
  Ethan.

  Of course you can.
  If you're on v11, the steps are as follows:
  1) Create a group (I am going to assume groups and usernames).
  2) Provision the group Essbase server access and Read access to My Very Favorite Essbase Database In The Whole Wide World (MVFEDITWWW) -- Sample.Basic. You could get fancy and create a two level group hierachy with the upper level group provisioned ot Essbase server access and the second group Read access to Sample.Basic if you wanted to.
  3) Expand the application groups and drill into Sample. Right click on Sample and pick Assign Access Control.
  4) An Application tab will open up with a Database drop down. Select Basic and check off the box that relates to your group. It will have the role of Read.
  You have just assigned access to Sample.Basic.
  Follow the same steps for Sample.Intl, etc., etc.
  Regards,
  Cameron Lackpour
  P.S. I believe the above holds true for 9.3.1 but the interface looks a little different. I never did it there -- all of my System 9 work was, alas, Planning only.

• Automagic User Provisioning Essbase + Shared Services

  Hello All,
  I have recently been able to figure out how to use the Shared Services API for 11.1.2 in a previous post:
  Shared Service API Working 11.1.2
  However, all of the user management and provisioning examples work with native users. Has anyone used this API with active directory or LDAP users? Is there some other way (export/import utility)?
  My problem is that I need to be able to script the user management with shared services and have not been able to find much help. In the past, we ran Essbase in standalone mode and were able to handle this via MaxL generating essbase native user accounts. This will no longer work since we want to use shared services when upgrading to Essbase 11.

  After your comments I looked a bit more closely at the DDL for create user. It looks like i need "type external";
  MAXL> create user 'someuser' type external;
  OK/INFO - 1056060 - User [jdp5209] created.
  This is what i want!
  MAXL> create user 'someuser' identified by 'somepass';
  OK/INFO - 1056060 - User [someuser] created.
  This is not what i want, creates Shared Services native user.
  It seems obvious now, but before, shared services (CSS module to essbase) was "external" so the old external is the new native.
  Sorry, new to shared services! This works. Thanks all

• How can Manage Permissions for DB in Shared Services Security Mode

  In shared services security mode, after provisioning users for Essbase applications, only can assign database calculation and filter access. How can I grant permissions "Access Databases" like in native mode?

  Essbase will be default be in shared services security mode in 11.1.2, the wizard will not migrate security when in this mode.
  It is possible to revert it back but if you don't know the process then it is worth looking at alternatives first.
  You could use LCM to export the provisioning and then import into your target environment.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Auto Logoff while in Shared Services Security Mode

  Pretty simple question but I still haven't found the answer.
  My client's essbase server is set up in Shared Services Security Mode, so now the auto logoff options for the server don't apply. Is there a way to set this via shared services? Or is there some other means perhaps?
  Thanks for your time.

  Essbase will be default be in shared services security mode in 11.1.2, the wizard will not migrate security when in this mode.
  It is possible to revert it back but if you don't know the process then it is worth looking at alternatives first.
  You could use LCM to export the provisioning and then import into your target environment.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Shared Services: adding users to Planning

  Hi,
  I'm having a problem creating users to and provisioning them to Planning. I'm not getting any error in the web interface but the users are not being added to the relational Planning database (HSP_USERS), however groups are. When I can also add the created users to a group but they are failing in the Planning logs with reference constraints, because the user is not present on the users table.
  Does shared services have a log to check if I'm having any error while creating the users?
  Thank you

  Hi,
  I dug into the logs and found the following:
  EPMCSS-00001: Failed to initialize EPM Shared Services security instance. Component SYSTEM9/FOUNDATION_SERVICES_PRODUCT/SHARED_SERVICES_PRODUCT is null in EPM System Registry. Verify EPM System Registry configuration.
  at com.hyperion.css.registry.RegistryManager.initRegistry(RegistryManager.java:109)
  at com.hyperion.css.registry.RegistryManager.<init>(RegistryManager.java:94)
  at com.hyperion.css.registry.RegistryManager.getInstance(RegistryManager.java:131)
  at com.hyperion.css.CSSSystemFactory.getCSSMode(CSSSystemFactory.java:102)
  at com.hyperion.css.CSSSystemFactory.getCSSSystem(CSSSystemFactory.java:71)
  at com.hyperion.css.CSSSystem.initCSSSystem(CSSSystem.java:319)
  at com.hyperion.css.CSSSystem.getInstance(CSSSystem.java:273)
  [Thu Apr 26 12:51:14 2012]Local/ESSBASE0///1876/Info(1051283)
  Retrieving License Information Please Wait...
  [Thu Apr 26 12:51:14 2012]Local/ESSBASE0///1876/Info(1051286)
  License information retrieved.
  [Thu Apr 26 12:52:01 2012]Local/ESSBASE0///1876/Error(1051223)
  Single Sign On function call [css_init] failed with error [CSS Error: CSS method invocation error: getInstance: Failed to get CSSSystem instance, please check SharedServices_Security_Client.log for more information]
  [Thu Apr 26 12:52:01 2012]Local/ESSBASE0///1876/Info(1051198)
  Single Sign-On Initialization Failed !
  So it seems it's a problems in the EPM System Registry. Can you advise me please? How can I clean the EPM System Registry of problems? I think this might have happened when I changed the database servers, but I configured the registry again and I thought it was healthy again since I only had problems some days ago when I tried to add new users.
  Thank you

• Shared Services Security during LCM migration in 11.1.2.1

  I am migrating a Planning app from 1 environment to another.
  I vaguely remember ( from some presentation) that once I export Shared service security I need to modify the file to reflect the correct Essbase server name and than import the Shared service security file.
  Is this a mandatory step ? If yes which file should I modify ? Is it just listing.xml or any other file as well ?

  If you run an export of provisioning then for essbase you should by default see something like "EssbaseCluster-1", if your target environment is configured in the same way it should also be "EssbaseCluster-1" and you will not need to edit any files.
  If you don't start marking your posts I am not going to reply to any of your questions in future, hopefully everybody else will take that stance seeing as you have so many unresolved questions.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Shared services security- Is this even possible?

  I want to know if the following is possible using shared services security:
  I want to set up an MSAD group that will have say 50 sub groups.
  I will define this super group as an external directory in SS.
  I will then assign security (both roles and filters) to each of the 50 sub groups.
  There will be no groups or users in the native directory.
  Based on user needs, the MSAD team will move users from one subgroup to another without logging into Shared Services.
  My expectation is when they move the users from one subgroup to another, the user will have the security of the group they were moved to.
  Is it possible to set up security this way in shared services? I have been experimenting and having a miserable time getting it to work. So just wanted to know if I am doing something wrong or just wasting my time.

  I think this will work, but note that you are not really using SS inherited security.
  What you might do is something like this:
  MasterGroup <--Assign provisioning here
  |_Subgroup1 <--Assign filter
  |_Subgroup2 <--Assign yet another filter
  |_Etc.
  With the above layout you define provisioning roles once at the topmost group (MasterGroup) and then assign unique security at the subgroups.  The users are in the subgroups and their usernames will go to their ids (which will have no provisioning), then their immediate group (ditto), and then the parent group (which will). 
  What you have defined for security (as opposed to provisioning) sounds good to me although I have never tried to do this with MSAD groups.  I don't see a reason for it not to work.
  Regards,
  Cameron Lackpour

• Shared Services Security Migration

  Hi All,
  I need to migrate Shared Services Security from one server to another server(applications already migrated).
  Can you please let me know if we copy essbase.sec file will it work, or any other process we need to follow.
  Thanks,
  Pinky

  Dear Pinky,
  As John just mentioned - it depends a bit on the version that you use as well (11.1.2 is different from 11.1.1.3.x is different from 9.x)
  but you may find useful information in these guides:
  http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_security.pdf
  http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_backup_recovery.pdf
  The CSSImportExport utiity is documented within its own zip folder on your installation of HSS (if you are using version 11.1.1.x)
  Basically you can think of the process as a backup and restore on a different machine.
  The complete list of steps is way too detailed and complex and touches too many sensitive areas to handle it in a thread here.
  (especially as I do not know the versions of HSS/Essbase, the OS or the scope of this migration)
  best regards
  Torben

• Shared Service Security Setup - Demo Doc

  Hello Friends,
  Was just checking if anyone of you have a quick small document which would explain the security setup module in Shared services
  with Users, Roles, Groups, filters
  Type of access READ WRITE, META READ WRITE etc in a pictorial format.
  Just have to give a demo to my fellows.
  Thanks in advance
  MS

  Try
  http://docs.oracle.com/cd/E17236_01/epm.1112/hss_admin_1112200/apas02.html
  http://docs.oracle.com/cd/E17236_01/epm.1112/hss_admin_1112200/ch09s04s08.html
  http://docs.oracle.com/cd/E17236_01/epm.1112/hss_admin_1112200/ch09s04s07s01.html
  http://docs.oracle.com/cd/E17236_01/epm.1112/esb_dbag/dsefilt.html
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Installation of Essbase, Shared services and Planning

  Hi,
  I am using Essbase (64 Bit), Shared server and Planning +mandatory component of hyperion:
  Can i install 32 bit applications Planning, Shared services, Analytic Provider on 64 bit OS (windows 2003 EE)
  Regards
  Kumar

  Cross post :- Installation of Essbase, Shared services and Planning
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Porting the Essbase/Shared Services to other landscape.

  Hi ,
  I need to port/refresh the Essbase/Shared Services (11.1.1.1 on Windows) from Development Environment to Test Environments. Both Environments are under different domains and I dont think I can usre LCM. I have already setup the Foudataion/Shared Services and Essbase on Destination Host. Can someone guide me how I can move the Essbase/Shared Services accross these Environment manually. Any document refrence or step by step instruction will be great help.
  Thanks in advance.
  -Samar-

  John,
  I never worked with CSSImportExport. I will be moving Planning Applicatoin, HFM and FMD along with Shared Services and Essbase. Can I use CSSImportExport for HFM/FDM etc. If you can point out to any good working example or doc on CSSImportExport that would be really very helpful to me. In the mean time , I willl be googling arround the internet about it.
  Regards
  -Samar-