BPC Security Migration

I'm wondering how people migrate security between environments i.e. production to development.
Security is typically quite different in development vs. production.  Some users will have more access in development and some users will not be active in development.  Also in some cases, users may have different IDs because they are on different domains.  This means that there are many changes that need to be made before the development environment can be used.
In version 4 of OutlookSoft, security was all contained within an Excel workbook which made it very easy to apply these types of changes very quickly.  For example, there was a column that indicated whether or not a user was active.  You could very quickly go through this column and change users from Yes to No.  Also, security could be processed all at one time.
In BPC, there are many dialog boxes to go through which is time consuming.  There does not seem to be a way to flag a user as inactive.  I notice that the field still exists in the database table but it is not in the UI.  Also, it seems that each of the Task Profiles, Member Access Profiles, and Teams needs to be saved whenever an appset is restored or else you will get errors.  There does not seem to be a way to process the security so you do not have to visit each of these dialog boxes.
Is anyone automating this type of migration by modifying the database tables directly instead of going through the UI?

Furthermore, in the corporate environment we are in today (i.e. SOX, Enron, etc.), current customers would be very WARY to implement a "workaround" (not endorsed by the vendor) to migrate security settings into a live production environment.
I suggest you send an enhancement request via the SAP Support portal and ask that something like this be implemented in the next release of BPC.
As a starter here are some security functions that I think should be automated via a menu option in the Security UI of BPC:
Importing Security Information
-Import ALL Security info.
-ImportUsers
-ImportUserGroupNames
-ImportUserGroupMembers
-ImportPrivileges
Exporting Security Information
-Export ALL Security info.
-ExportUsers
-ExportUserGroupNames
-ExportUserGroupMembers
-ExportPrivileges
Deleting Security Information
-DeleteUsers
-DeleteUserGroups
-DeleteUserGroupMembers
-DeletePrivileges
Regards,
John

Similar Messages

  • BPC security can be used in SQL Reporting Services?

    Hello,
    We are trying to implement SQL Reporting Services(RS) as web reports of BPC.
    Is it possible to use BPC security user access control in SQL RS?
    We know that SQL RS user access can be managed by windows domain, but we like to use BPC security as SQL RS user control.
    Thank you in advance.
    Sam

    Hi Sam,
    Could you be more specific on what you are going to do with RS?
    BPC, as you know, uses Windows AD. If you intend to use RS in BPC, you have already introduced Windows AD and BPC access security for RS.  But only given RS report is eligible in this case.
    If you want to make a report that refers to business data of BPC, and need to pass argument as query parameter such as what category, what entity, not possible actually, no way to make it happen with standard feature of BPC. But you can think of possibility of customizing and need to find out how to pass the argument for a user (read ACS table containing security info).
    Reg. the reporting tool, if you are using 7.5, BO products is aligned well. Xcelsius and Voyager will be a tool for your requirement.
    Regards,
    YH Seo

  • How to add "Team leader" field in standard BPC security report

    BPC Expert,
    We are using BPC MS 5.0 version.
    There is a checkbox in the security setup to make someone a "Team Leader" when you add him/her to a team and this checkbox determines who can post data and who cannot.  When we run the user report we see which team the user is in but we do not have visibility to whether or not they are a "Team Leader" which is what business owner needs to see to approve user access.
    I figured out "dbo.userteamassign" is the table which hold team leader value. Can anyone please tell me all the steps of adding team leader field in the standard BPC 5.0 security report.
    Thanks,
    Ketan

    Roberto,
    Thanks for the response. I know associated steps to declare business user as a team leader but my original question is "how to add a column in standard BPC security report that says who is team leader or who is not".
    Do you know the Dtx package that is responsible to supply the data to Standard BPC security report? We can enhance standard data package to pull/display extra "Team leader" column in standard security report.
    Appreciate your inputs.
    Thanks,
    Ketan

  • ADF11g Security Migration

    We are installing an ADF 11g EAR into our development instance of WLS 10.3.1 and are seeing some strange behavior with the ADF policy migration. During the EAR install from either the WLS console, or using WLST scripts, the ear deployment appears to create entries in our domains system-jazn-data.xml file in the .../config/fmwconfig directory. The policies work fine when testing the application. Users in the various application roles see expected security behavior. If we then start and stop a completely different managed server from the console, the entries that were in the system-jazn-data.xml file disappear, but our application security continues to work as expected. If we then bounce the server our ear is deployed to, the entries show up again in system-jazn-data.xml.
    Can anyone explain this behavior and verify if this is expected?
    Additional Information: We have followed the enterprise deployment guide when setting up our middleware home directory. We have the following directory structure:
    /opt/oracle/admin/snidomain/aserver
    /opt/oracle/admin/snidomain/mserver
    The aserver directory contains the admin server and the mserver directory contains our managed servers. Each directory contains a config/fmwconfig subdirectory each containing a system-jazn-data.xml file. Each also contains a jps-config.xml file that specifies an XML policy provider pointing at "./system-jazn-data.xml". When we install an EAR that utilizes ADF security, the system-jazn-data.xml file in the mserver directory is updated during deployment, but the one in the aserver directory is not. Each recycle of a managed server appears to replace the contents of the system-jazn-data.xml file in the mserver directory.
    Also, when I bring up Fusion Middleware Control and view the roles/policies of the ear, none are displayed in the UI. If I add a role/policy using Fusion Middleware Control, the new role/policy is placed in the system-jazn-data.xml file in the aserver directory, and the contents of the one in the mserver directory is completely replaced with the same contents as the one in the aserver directory, overwriting the ones added during the deployment.
    Sorry this is getting so long...just wanted to share these additional observations.
    Edited by: mike mckeehan on Aug 19, 2009 8:21 PM

    Mike,
    this question should be posted to the FMW, WLS or Security forum. This forum is on development specific topics. The behavior of WLS clusters and managed domains is a bit out of scope here.
    Frank

  • BPC Security: User should only see status of packages started by himself

    Dear Experts,
    we have the users run packages to perform their planning process and we also trained them to check their package status so they know when to go on within the process. Until now we have not had a very intelligent security management since it's only a pilot system with a few pilot countries. Everybody had full_tsk profile. But now it should get a little more restrictive. Very important in the first place is that the user only sees his own package. If he can see other users' packages this would mean he can see copied values too within the protocol, but that's very sensitive data.
    I cannot find a security setting that helps me here. Do you have any hints for me?
    Thanx in advance,
    regards,
    Cora

    Sorry to confirm that security does not limit the visibility to the individual DM logs.  There is a filter capability however that could be taught to your users.
    Please include your request on the BPC page at SAP Idea place.  See the top of this forum for more information.
    Best regards,
    Jeffrey Holdeman (http://wiki.sdn.sap.com/wiki/display/profile/Jeffrey+Holdeman)
    SAP Labs, LLC
    BusinessObjects Division
    Americas Applications Regional Implementation Group (RIG)

  • Any way to exclude BPC security settings and profiles from backup/restore?

    We are on BPC 10 MS and restoring the PROD version to a DEV environment, but do not want to restore the security profiles.   Need to figure this out before new BPC development is sent back to PROD with same b/u restore process.  DEV security is different than PROD and we do not want the security profiles/settings in DEV to overlay PROD...

    Hi Mike,
    No automate process to maintain different set of users in both environments while restoring . Manually manage after refreshed based on required user profiles.
    Thanks,
    Vivek.

  • Essbase security Migration from native mode to external authentication

    Hi!!
    I want some guidance on setting up security, all the users are currently in Native user mode and Native groups.
    Now we want to migrate to external mode, current version of hyperion is 11.1.1.3, any steps to follow in
    this direction would be really helpful.
    What is the best way of migrating huge user base from native directory to setting up for external authentication,
    this is the first time move from native to external authentication, If anyone who has done this will be helpful.
    steps to setup , maxl based migration will be helpful or utility based.
    Thanks

    When you say native mode do you mean that Essbase security is in native mode and you want to convert to shared services security mode, or do you mean you are using shared services security with native users and you want to use an external directory like MSAD?
    For your question ::
    Yes the first piece is correct, our security is in native mode.
    and we want to convert to shared services security mode,
    The request involves moving from essbase native mode to Shared services native user mode (moving all the existing users, groups and existing provisioning)
    The next stage is moving from Shared services native user mode to external directory. (moving all the existing users, groups and existing provisioning)
    Your input will guide me in the direction.
    Thanks

  • Direct security migration from 9.3.3 to 11.1.2.3

    Gurus,
    My environment has HFR reports, FDM and HFM applications.
    Source: 9.3.3
    Target: 11.1.2.3
    Is there a way to migrate security directly from the source to target??
    Let me know if there are any ways possible

    Hi
    We have done the same exact migration between these versions. For HFM we used HFM Copy app utility and hssmigrate.bat, we did direct migration of HFR and for FDM applications we migrated directly the RDBMS and connected to it.
    We faced below issues
    1. All Intercompany transactions were not visible (Date format between the two environments differed, in 11.1.2.3 more stringent format was expected but in 933 format did not matter)
    2. Post all/unpost all options were not posting all the entries together (There was a patch for this 11.1.2.3.500)
    3. SOAP error when opening HFM application (We were not able to fix this but workaround was found)
    4. FDM locations had some minor issue, I don't remember exactly.
    Thanks
    Anjum

  • Shared Services Security Migration

    Hi All,
    I need to migrate Shared Services Security from one server to another server(applications already migrated).
    Can you please let me know if we copy essbase.sec file will it work, or any other process we need to follow.
    Thanks,
    Pinky

    Dear Pinky,
    As John just mentioned - it depends a bit on the version that you use as well (11.1.2 is different from 11.1.1.3.x is different from 9.x)
    but you may find useful information in these guides:
    http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_security.pdf
    http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_backup_recovery.pdf
    The CSSImportExport utility is documented within its own zip folder on your installation of HSS (if you are using version 11.1.1.x)
    Basically you can think of the process as a backup and restore on a different machine.
    The complete list of steps is way too detailed and complex and touches too many sensitive areas to handle it in a thread here.
    (especially as I do not know the versions of HSS/Essbase, the OS or the scope of this migration)
    best regards
    Torben

  • Security migration

    I have a TEST box and point Shared Services to PROD LDAP.
    I want to develop security in TEST using Shared Services to set up groups/filters in an automated fashion, a feed from the LDAP group.
    Is there an easy way to migrate the security settings in TEST to PROD?
    Can you just take the essbase.sec file from the TEST box and restore to PROD box?
    Jz

    Hmm, I have used ASM with Essbase 6.1.3a before.. was I using an older version? Although it is supposedly not supported, we have had success migrating our security files simply by installing the newer version of Essbase over the old, and starting it up. No problems to date, and we have done this from versions 5.0.2p7 -> 6.1.3a -> 6.5.1. This was done on three servers, the most recent version upgrade was done almost one year ago. We use groups, filters, etc. We use replicated partitioning. OS: Win2k sp3 on one box, sp4 on other two.

  • BPC Security - Edit Logic Script

    Trying to find the security task that gives edit access to Logic Script (BPC 10 NW SP9). Is this combined with the "Edit Packages" Data Manager task?
    Thank you.
    Regards,
    Vinod Swarnapuri

    Vinod,
    I think the one you are looking for is Manage Business Rules.
    Akos

  • Stabilize technical names during BPC 10 migration

    Hello Experts,
    I am working on a migration project to BPC 10. We are facing a big issue when it comes to choosing a scenario.
    We have 40 Bex Queries and 6 Workbooks supported by a multicube containing 3 BPC Infocubes. I know this is not a best practice but it is the current situation.
    As a result we want to stabilize the technical names in the BPC Infocubes and InfoObjects during the migration.
    To do so, I know the restore option : "Use tech names from Backup Files". My question is :
    Will the program "UJT_MIGRATE_75_TO_10" modify these tech names?
    Best Regards,
    Axel LEMAITRE

    Hi Mikkel,
    Did you have any luck with this?  The only time I had any luck was changing the target structure (adding a dimension in the target), when the transport went through it changed the structure and reset the technical name to the source name.  It doesn't appear to work if the technical name is not due to be reset.
    Best,
    Chris

  • BPC security - task profile definition

    Hi all,
    I am trying to create a task profile which contain only the 'AppSet' task under 'Administration' interface. Here are the situations I faced: (I am using the default user when setting up BPC Server which has all authorizations)
    1. If I checked 'System Admin' in Step 1, I can not remove the other task 'Define Security' in Step 2.
    2. If I did not check any existing admin role, I can not even see the 'Administration' interface in Step 2.
    May I ask your opinion on how could I resolve this?
    Thank you all in advance.
    Eric Lin

    Eric,
    You want to create a brand new profile with every task available in BPC.
    I had the same problem and found SAP table in BI. I think if you modify this table, you can manage the security as you want but I didn't try this method.
    In SAP BW, transaction se16, all the security tables begin with UJE_ :
      UJE_TASK_SEC – Task table (Application, Dimension,…),
      UJE_TASK – Task Interface (Administration, Audit, …),
    KR,
    Samir

  • BPC Security - bulk upgrade

    Hello Experts,
    I need to implement a new security model for our BPC application and was curious if anyone have done mass rollouts from a backend. i.e. using BPC stored procedures instead of front end.
    Specifically, i am looking for the following tasks:
    - Delete a member access profile
    - Add a member access profile
    - Delete user
    - Add user
    Thanks in advance,
    Akim

    Traced deletion of profiles/user T-SQL. Adding profiles/users manually - not worse scripting.

  • BPC Security Documentation

    Hey folks,
    I'm quite new to BPC 7.0 SP01.
    I read a lot about Applications Sets, Applications, Dimensions etc.
    Now, the next (and last menu) on the left hand in the AdminConsole is "Security". Unfortunately, I can't find any documentation about this.
    This menu has 4 submenus:
    1) Users
    2) Teams
    3) Task Profiles
    4) Member Access Profiles
    I think 1) and 2) are self-explanatory. But what about 3) and 4)? My problem is that we can only log in with bpcadmin to our AppSets, but not with our user-specific users. Is there any access which needs to be granted in each AppSet to all users? And what are 3) and 4)?
    Any documentation and help will be rewarded!
    Thanks a lot!

    Christian,
    I could send you the doc about security if i have your email...
    However, I will explain quickly how to set it up:
    Basically you have Tasks, Users, Teams and MemberAccess profile (MAP).
    Task answers to the question: WHAT. What is the user/team allowed to do...
    MAP answers to the question: WHERE. In which cube, for which entity, which category...
    User/Teams answers to the question: WHO. The best is to give your rights to the teams. Never to users. Then you drop the users in the teams you want.
    You create a MAP for the cubes you want the users to work on...
    Let's say I create a MAP for Japan and in Entity I would select only Japanese entity..
    Then you create a MAP for CATEGORYREADANDWRITE and you select category and all categories if you want it only to write on all categories.
    Note that categories and Entities are 2 separate MAP.
    Then you create a Task by selecting the task you need: You will find some information about the tasks in http://SERVERNAM/OSOFT/OSOFT/Help/Admin/Task_profile_descriptions.htm
    Personally I create a task for SUBMIT DATA, a task for FILEACCESS and a task for DATAMANAGER...
    Then I create a Team called SUBMITDATA and I give it the task Submitdata. Not any MAP.
    Then I create a Team called Japan let's say with no task but with JAPAN in MAP.
    The user is gonna be in the team JAPAN, SUBMITDATA and CATEGORYREADANDWRITE
    Hope this helps
    Nic
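
    The WHO/WHAT/WHERE scheme described in the reply above, modelled as a small review check. This is an added example, not BPC code and not part of the original post. The team names come from the post; the user IDs, member names, task labels, the rule that access from several teams is combined as a union, and the list of secured dimensions are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Team:
    tasks: set = field(default_factory=set)   # WHAT: task profile entries
    maps: dict = field(default_factory=dict)  # WHERE: dimension -> members

# Constructed sample data (hypothetical users and members).
TEAMS = {
    "SUBMITDATA": Team(tasks={"SubmitData"}),
    "JAPAN": Team(maps={"Entity": {"JP_TOKYO", "JP_OSAKA"}}),
    "CATEGORYREADANDWRITE": Team(maps={"Category": {"ALL"}}),
}
MEMBERSHIP = {  # WHO: user -> teams
    "DOM\\akira": ["JAPAN", "SUBMITDATA", "CATEGORYREADANDWRITE"],
    "DOM\\bob": ["SUBMITDATA"],
    "DOM\\carol": ["JAPAN", "CATEGORYREADANDWRITE"],
}
# Rights attached to a user instead of a team ("Never to users").
DIRECT_GRANTS = {"DOM\\bob": {"DataManager"}}
SECURED_DIMS = ("Entity", "Category")  # assumed secured dimensions

def effective_access(user):
    """Combine everything a user inherits (assumed additive across teams)."""
    tasks = set(DIRECT_GRANTS.get(user, set()))
    maps = {}
    for name in MEMBERSHIP.get(user, []):
        team = TEAMS[name]
        tasks |= team.tasks
        for dim, members in team.maps.items():
            maps.setdefault(dim, set()).update(members)
    return tasks, maps

def audit():
    """Flag assignments that deviate from the team-only scheme."""
    findings = []
    for user in sorted(set(MEMBERSHIP) | set(DIRECT_GRANTS)):
        tasks, maps = effective_access(user)
        if user in DIRECT_GRANTS:
            findings.append((user, "direct-grant"))
        if tasks and any(dim not in maps for dim in SECURED_DIMS):
            findings.append((user, "task-without-where"))
        if maps and not tasks:
            findings.append((user, "where-without-what"))
    return findings

if __name__ == "__main__":
    for user, issue in audit():
        print(f"{user}: {issue}")
```

    Running the same check over the assignments of two environments gives a quick list of users whose effective access differs after a restore.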
