Shared Services Users Disappear from Groups

We have Native Groups in Shared Services that we added users from our MSAD directory to. Yesterday we found that the groups no longer have these users in them and IT did say they did some moves in the directory over the weekend. But I'm wondering if that would really cause SS to drop all the users from the groups like this.
Basically, no one is able to log in although we are testing adding users back to the groups and think that's working.
I just don't want to have to re-create our groups anytime our MSAD is updated.
I'd appreciate any help in understanding this better,
Paul

Our MSAD administrators moved some OUs around one day and it caused a lot of problems for us since our Shared Services MSAD configuration setting for "User DN" had all the OUs hard coded or what have you. I had to change them to the same that the AD folks had changed them to, then restart everything.
So on the native side I can see how if they moved OUs around that could throw off what you had done. There's a utility which I've been too scared to use (probably harmless but I can't afford any mishaps) which tells Shared Services to search for MSAD changes and to force them through Shared Services, which is probably a nice thing to do once in a while especially when MSAD OUs are moved around. SS does not automatically poll for that type of change but you should be able to automate this.
There's an updatenativedir utility that you can read up on which might help. Don't forget to back up all the security-related databases & files, etc. first.
Perhaps someone reading this is comfortable running UPDATENATIVEDIR and can help provide better guidance, if that's the issue here.
Karen
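
The failure mode Karen describes, as an added example (not code from the thread or from Oracle): a Python check that classifies each group member by whether its DN after an OU move still falls under the hard-coded "User DN" base. The base, logins and DNs are constructed, and the script only compares strings; it does not query AD or Shared Services.

```python
# Added example: constructed DNs and logins; nothing here talks to AD or Shared Services.
def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    return [r.strip().lower() for r in rdns if r.strip()]

def is_under(dn, base):
    """True when dn sits strictly below base (compared RDN by RDN, not by substring)."""
    d, b = split_dn(dn), split_dn(base)
    return bool(b) and len(d) > len(b) and d[-len(b):] == b

def audit_members(user_dn, recorded, current):
    """Classify group members by what the OU move did to their DN.
    recorded: {login: DN when the user was added to the group}
    current:  {login: DN after the move}; a login absent here means the account is gone."""
    report = {"ok": [], "moved_within_base": [], "outside_base": [], "missing": []}
    for login in sorted(recorded):
        new_dn = current.get(login)
        if new_dn is None:
            report["missing"].append(login)
        elif not is_under(new_dn, user_dn):
            report["outside_base"].append(login)       # no longer found via the hard-coded base
        elif split_dn(new_dn) != split_dn(recorded[login]):
            report["moved_within_base"].append(login)  # still findable, but the DN changed
        else:
            report["ok"].append(login)
    return report

USER_DN = "OU=Finance,OU=Users,DC=corp,DC=example"   # constructed "User DN" setting
RECORDED = {
    "asmith": r"CN=Smith\, Al,OU=Finance,OU=Users,DC=corp,DC=example",
    "bdoe": "CN=B Doe,OU=Finance,OU=Users,DC=corp,DC=example",
    "cray": "CN=C Ray,OU=Finance,OU=Users,DC=corp,DC=example",
    "dkim": "CN=D Kim,OU=Finance,OU=Users,DC=corp,DC=example",
}
AFTER_MOVE = {
    "asmith": r"cn=Smith\, Al,ou=finance,ou=users,dc=corp,dc=example",  # same DN, other case
    "bdoe": "CN=B Doe,OU=EMEA,OU=Finance,OU=Users,DC=corp,DC=example",
    "cray": "CN=C Ray,OU=Finance,OU=Staff,DC=corp,DC=example",
}

if __name__ == "__main__":
    for status, logins in audit_members(USER_DN, RECORDED, AFTER_MOVE).items():
        print(f"{status:18} {', '.join(logins) or '-'}")
```

Members reported as `outside_base` are the ones that need the "User DN" setting updated before they can be resolved again; `missing` entries are candidates for de-provisioning review.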

Similar Messages

  • Need to migrate Shared services users and groups from 9.3.1 to 11.1.2.2 ver

    Hi All,
    We need to migrate Shared services users and groups from 9.3.1 to 11.1.2.2 version. Any help would be appreciated. Can we use CSS import export utility?
    Thanks in advance!!

    Hi John, In another environment of mine I have to migrate the users and groups from Hyperion HSS 11.1.1.2 to Hyperion Shared Services 11.1.2.2. I am using LCM for that; when I export the users and groups from 11.1.1.2, it exports fine, but when I import it to my 11.1.2.2 using LCM, I am getting the below errors.
    Error when I try to import the groups:
    ErrorEPMIE-00051: Failed to perform operation on role. Could not locate role matching filter {0} and filter attribute {1}. Please ensure that a role exists matching the filter with filter attribute.
    EPMIE-00024: Failed to import all of the membership info for group test group. Invalid group members encountered. Please ensure the validity of members and its existence in their respective providers.
    Errors when I try to import the users:
    ErrorEPMIE-00051: Failed to perform operation on role. Could not locate role matching filter {0} and filter attribute {1}. Please ensure that a role exists matching the filter with filter attribute.
    EPMIE-00020: Failed to update user 04668162 during import. Invalid identity for user. Please ensure that the user is available in the system with the identity specified in the import file.
    Any idea?
    Thanks in advance.

  • IOP 11.1.2.0 integration with Shared Services (User Provisioning)

    In the IOP 11.1.2.0 install guide, the Admin and Admin provisioning roles are provisioned through Shared Services.
    "Provision Integrated Operational Planning Administrator and Integrated Operational Planning Provisioning Manager roles for the Integrated Operational Planning instance to the Admin user through Oracle's Hyperion® Shared Services Console
    a. Connect to the Oracle's Hyperion® Shared Services Console; for example, http://hss_server:hssserver_port/interop.
    b. Log in as the administrator.
    c. Expand User Directories and Native Directory.
    d. Select Users and click Search.
    e. Right-click the Admin user and select Provision.
    f. Expand Default Application Group.
    g. Expand the Integrated Operational Planning instance created.
    h. Highlight IOP Administrator and Provisioning Manager.
    i. Click the right arrow in the middle of the two windows to select the roles.
    j. Click Save, and then click OK."
    The users and groups are defined in Shared Services, per the IOP 11.1.2.0 admin guide (p. 144).
    Is there an IOP user provisioning example in the shared services user's guide, and which version of the guide would I find that in?
    Access privileges are controlled from the Admin workbench for IOP users, per p.145 of the IOP 11.1.2.00 user's guide.
    Thank you.

    IOP Roles are listed in the 11.1.2 Shared Services User and Role Security Guide, on page 158:
    Integrated Operational Planning Roles
    Table 39 Integrated Operational Planning Roles
    Roles | Tasks per Role
    Provisioning Manager | Provisions users and groups with Disclosure Management roles
    IOP Administrator | Administers Oracle Integrated Operational Planning, Fusion Edition. IOP Administrators can modify models, access ACL pages, and perform all Integrated Operational Planning tasks
    IOP User | Performs Oracle Integrated Operational Planning, Fusion Edition actions as a normal user

  • Shared Services Users Export............

    Hi All,
    I want to export shared services users for a particular application.
    Is there any way for this?
    Thanks

    Yes, you can export / import the provisioning for a particular application.
    By default the utility exports all Users / Groups and provisioning for all applications.
    To export provisioning for a particular application you need to modify the below parameters in CSS Import Export properties file.
    export.provisioning.all=false
    export.provisioning.apps=(<Project Name>:<Application Name>)(<Project Name 1>:<Application Name 1>)
    Hope this helps you...
    Kind regards,
    Manmohan Sharma

  • Service Request disappears from the list of My Service Requests after changing status to In process

    Service Request disappears from the list of My Service Requests after changing status to In process
    Incident manager (resp.) > Agent Dashboard

    Hi,
    As far as I know, this is a new feedback, Please vote this customer voice, here is the link:
    http://feedback.azure.com/forums/216926-service-bus/suggestions/6062851-batching-in-rest-api, or create a new voice at azure feedback forum:
    http://feedback.azure.com/forums/34192--general-feedback
    Best Regards,
    Jambor

  • Shared Services got disconnected from FDM

    Hi All,
    How and Why Shared Services got disconnected from FDM?
    What is the reason for this, please provide the root cause of this.
    Anyone help me regarding this issue,
    Thanks in advance,

    Hello Venu,
    Unfortunately without more information and the background to your belief/statement an answer can not be provided. Maybe if you would provide more information we can assist.
    Alternatively for this style of question/comment the forums might not be able to help. For 100% valid answers to such things, you should contact support. While the people that answer/post in the forums may be helpful ... we are not the developers/support engineers responsible for such answers.
    Thank you,

  • Hyperion Shared Services user Management Guide

    Hi ,
    Can any one share the Hyperion Shared Services User Management Guide.
    Regards
    naveen

    Hi,
    For 9.3.1 Try - http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/html_cas_help/toc.htm
    11.1 - http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_security_11111/cas_help.htm
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • The cellular data services have disappeared from my settings. Can anyone help me restore it please?

    The cellular data services have disappeared from my settings. Can anyone help me restore it please?

    Try this  - Reset the iPad by holding down on the Sleep and Home buttons at the same time for about 10-15 seconds until the Apple Logo appears - ignore the red slider - let go of the buttons. (This is equivalent to rebooting your computer.) No data/files will be erased. http://support.apple.com/kb/ht1430
     Cheers, Tom

  • Shared Services User Directory

    Hi Gurus,
    I was wondering if there is a way of hiding the groups from the Microsoft Active Directory.
    For example,
    we want the users from Active directory, but when we check the properties of the users in shared services, it shows the user belonging to a lot of groups that are not hyperion-related. Is there a way to make sure that we see the user to be under only the native directory groups.
    Thanks

    In my production environment, I have a user "john"
    When I look at the user's properties in Shared Services, the user is under only Hyperion-related groups.
    However, we have a secondary environment, which we just imported the Active Directory into, and on this one, the same user is under several more groups that are not related to Hyperion, for example the user is under the CITRIX group, and all other different ones.
    Is it possible for us to filter so that the users will show only under the Hyperion-related groups?

  • UsersByGroup SS report crashing;Shared Services Users not removed correctly

    Apparently, there are not many experts on Shared Services – nor is there much documentation.
    We have an urgent need to get a Users By Group report successfully run from a Shared Services installation today (auditors!)! Opening a support ticket as well as making last ditch attempts to get more suggestions on how to resolve.
    It appears as though the users causing the problem (the UsersByGroup Shared Services report crashes) are NTLM. Apparently, several users were removed – before they were de-provisioned. Now they are not appearing on the default area but are appearing in other areas within SS. An attempt to re-add them failed to sync them back up (likely gave them each a new SID). We believe it is likely that the two issues are related (the not quite completely deleted users and the User By Group report bombing out – due to a user – since the provisioning is there, but the user is not, for these instances). Two of the Users show under Admin also, which should not be the case.
    Any suggestions on next steps would be greatly appreciated.
    Thanks!

    Hi,
    You should have a look at using the Update Native Directory Utility, this will clear out any stale users in your OpenLdap.
    It should be situated in \Hyperion\common\utilities\SyncOpenLdapUtility
    There is a zipped file called UpdateNativeDir.zip
    It does have a read me on how to use it but it is pretty simple, on windows it is something like updateNativeDir.bat -cssLocation <location to your>CSS.xml
    e.g updateNativeDir.bat -cssLocation C:\Hyperion\deployments\Tomcat5\SharedServices9\config\CSS.xml
    You may need to update the bat file to include the correct location to your Java Home, you will get an error message anyway if it is not set correctly when you run the batch file.
    It will create a log of all stale users removed.
    Good luck.
    John

  • Where is the Shared Services user security stored?

    On Hyperion Planning 9.3. I can view the security of my users/groups via the report in Shared Services, yet I would like to put the output in Excel and there is no option other than Print/Print Preview.
    which repository database contains the Shared Services security?
    Thanks
    JTS

    Hi,
    If you are talking about the security to members, forms then this is held in the planning application database.
    If it is provisioning of the application then it is a combination of the Shared Services database and OpenLdap database. (not so easy just to create a report on the provisioning by looking at the database)
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Shared Services User Reports - for HFM Users

    Does anyone have some good material or knowledge they can share with me today regarding the following Shared Services topics?
    1. What might cause a run of the Users By Group report to fail? After about 15 mins bombs out and receive the following error: "User not found with identity = ntlm:SID=S-1-5-21-787380144-986785343-375376054-10174?USER(-2147216700). Then gives much more detail on error.
    2. How to remove users that appear under admin role but not in default?
    3. For audit (TODAY), ideally should produce a report of HFM users – including dates (when added, when security /provisioning was changed for them) – is there a report or combo of reports that will provide this information?
    Any help or a point in the right direction is hugely appreciated.
    Thank you!

    Ok - just some pointers, so use as suits.
    1: this looks like it is not seeing your AD/NTLM user. You see a similar SID if in Properties of any file share where the connection to the domain is not available, or the user no longer exists. Remember, if a user ID in NTLM or AD has been changed, Shared Services does not recognise this, and stores the original SID, so you need to remove and reprovision the user.
    2. The cleanest IMHO is to do a CSS Import/Export and 'clean' the file. RTFM :)
    3. There are some reports in Shared Services, but see if this is of use - especially the Security Matrix, (http://www.epmmaestro.com/dnn/Products/EPMWebSymphony/tabid/56/Default.aspx)
    Good luck

  • Shared Services Mixed Native-MSAD group nesting

    Is anyone doing this?
    I am trying to make an MSAD group a member of a native group using Shared Services and after adding the MSAD group, the console errors out for the group I just made whenever trying to view the group members. This is repeatable and happens before I have even provisioned the parent group when I am trying to view the group members.
    When I nest a native group inside another native group, it works fine.
    In the SharedServices_Security.log found in Oracle/Middleware/user_projects/domains/EPMSystem/servers/FoundationServices0/logs
    I see the following stack trace:
    [2010-12-14T09:09:22.156-06:00] [FoundationServices0] [ERROR] [EPMCSS-7019] [oracle.EPMCSS.CSS] [tid: 7] [userId: <anonymous>] [ecid: 0000In_RR_eDKeoLwUg8yW1D1Yoh00001G,0] [APP: SHAREDSERVICES#11.1.2.0] [SRC_METHOD: execute:129] [SRC_CLASS: com.hyperion.css.web.action.CSSStatefulAction] Failed to process the request.
    [2010-12-14T09:16:16.365-06:00] [FoundationServices0] [NOTIFICATION] [EPMCSS-17306] [oracle.EPMCSS.CSS] [tid: 7] [userId: <anonymous>] [ecid: 0000In_T0hhDKeoLwUg8yW1D1Yoh00001J,0] [APP: SHAREDSERVICES#11.1.2.0] [SRC_METHOD: ] [SRC_CLASS: ] [arg: native://nvid=af1814bfd20d7272:58ecdd0:12ce020823f:-7f66?GROUP] x
    [2010-12-14T09:16:17.473-06:00] [FoundationServices0] [ERROR] [EPMCSS-37000] [oracle.EPMCSS.CSS] [tid: 8] [userId: <anonymous>] [ecid: 0000In_T0z1DKeoLwUg8yW1D1Yoh00001K,0] [APP: SHAREDSERVICES#11.1.2.0] [SRC_METHOD: execute:128] [SRC_CLASS: com.hyperion.css.web.action.CSSStatefulAction] Error while processing the request.[[
    java.lang.NullPointerException
    at com.hyperion.css.web.util.DTOFactory.createGroupDTO(DTOFactory.java:49)
    at com.hyperion.css.web.util.DTOFactory.createGroupDTOEscDoubleQuote(DTOFactory.java:75)
    at com.hyperion.css.web.action.EditGroupAssignGroupsFormAction.executeAction(EditGroupAssignGroupsFormAction.java:109)
    at com.hyperion.css.web.action.CSSStatefulAction.execute(CSSStatefulAction.java:119)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:421)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:226)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1164)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:415)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3594)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2202)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2108)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1432)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    I think it's a bug and have opened an SR with Oracle, but I'm curious what others out there are doing.
    Edited by: Javanator on Dec 14, 2010 10:25 AM

    Hi Dear
    Is this issue resolved? I too get a similar error in the log file. Please let me know if it is resolved for you.

  • Shared services user/admin guide

    Is there any PDF doc for the Shared Services admin/user guide?
    I tried searching for it but couldn't find it.
    I can see a help option when I work with SS which gives good help ... but is there any PDF doc to go through before I really start working on SS?
    Please let me know

    You want to look at the Hyperion Security Administration Guide to understand Shared Service, Provisioning and External Authentication.
    http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/hyp_security_guide.pdf
    Brian Chow

  • Shared Services Users

    Our client wants that all the users logging for Hyperion application should be able to reset or change the default passwords.
    As far as I know, while creating users for a planning application the administrator sets the password for the users, which can't be changed by users.
    Any help Guys!

    Hi,
    You should use one of the active directories like MSAD then you will have much more control of user accounts, native security does not have many options.
    Though I know users can change their password through excel addin, smart view and through workspace (I think), this is more aimed at essbase passwords but once as it is using shared services it will change it across the board.
    Cheers
    John
    http://john-goodwin.blogspot.com/
