Converting Shared Services (Native) users to MSAD

Similar Messages

• Neet to locate the shared services native users in SQL server tables

  Hi All,
  We are using Hyperion Shared services to provision users to essbase, planning and HFM(all version 9.3.1). And we are using SQL server 2000 as the database. We created few native users in shared services and provisioned them to HFM, Essbase and Planning. Now we need to find those native users' information in the underlying SQL tables. I followed the documentation and sync-ed the native to relational tables using shared services, but I cannot see the user info for all the users I have created. I would appreciate if you can suggest me how to find the shared services users' and roles information in SQL tables (in the back end).
  Legards,
  Leo

  Hi,
  There are a number of free Ldap browsers that you can download, e.g.
  http://www.mcs.anl.gov/~gawor/ldap/demo.html
  http://www.ldapbrowser.com/download.htm
  Once you have installed then ldap browser you just need to point it to your Openldap
  Host :- machine with OpenLdap running
  Port :- 58089
  Base :- dc=css,dc=hyperion,dc=com
  User DN :- CN=root,dc=css,dc=hyperion,dc=com
  And just the root password which you can change in HSS in 9.3
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Essbase - Shared Services - Maxl - User creation

  Hi,
  I have an issue looking similar to [Automating User/Group creation & Assigning filters in Shared Services|http://forums.oracle.com/forums/thread.jspa?threadID=1009127]
  When trying to add internal groups to an external MSAD user, I get following messages:
  h3. when adding a group to an external user:
  h6. alter user 'x29027' add 'GR_GROUP';
  Maxl returns:
  h6. Statement executed with warnings.
  h6. User x29027 does not exist
  => the system does not recognize the user
  h3. when trying to create this user first as an internal user
  (based the settings from on another external user)
  h6. create or replace user 'x29027' identified by 'password' as 'i09740';
  Maxl returns:
  h6. Statement executed with warnings.
  h6. A user/group with the same name (x29027) exist at Shared Services
  => the system does recognize the user in MSAD!
  ===> both statements seem to be contradictory!!!
  h3. Other remarks/thoughts:
  - we have two MSAD links (to two different domains), does this matter?
  - no difference when addressing users as x29027@MSAD_FIB (a syntax similar to the HSS security report output)
  - any possibilities in creating a user internally first (using the 'as' option; to copy settings from another user) and then moving to external? (like alter user 'Test_EDR4' set type external;)
  Thanks in advance
  Erik
  Environment: Essbase 9.3.1.3. with Shared Services

  Hi Erik,
  When you create an user in Essbase, the user will be created both in Essbase as well as Shared Service,
  where as when you create an user in Shared service, the user will not be created in essbase untill you perform refresh.
  In your case you can create the external user in Essasbe by using "Create user 'x29027' type external;'.
  By this you will be creating the user in Essbase and the particular user is recognised in Essbase.
  Now you can add him to any group.
  - Krish

• Export shared service active users (provision for Hyperion)only using MSAD.

  Hi..
  I m using Hyperion 9.x . and using active directory in shared services.
  while i m using importexport utility to export the active users list with provisioning.
  Issue is :
  Hyperion external authentication have all users of Active directory but i need to export only active users which are provisioned for Hyperion projects .
  I dont need the complete users list .
  Also i m unable to export the provisioning of users in exported file.
  Please can you help me in getting the correct export statement for the above.
  Thank you very much

  Thanks John !!
  I am using the following statement for 9.3.0 but not getting provisioning section in exported file.
  Only users/Groups/Roles are there in exported file.
  Please help me to overcome the problem .
  importexport.css=file:/C:/Hyperion/SharedServices/9.3/AppServer/InstalledApps/WebLogic/8.1/css.xml
  importexport.cmshost=HSS machine name
  importexport.cmsport=58080
  importexport.username=User name **User name i m using is Active Directory user with administrative rights in Hyperion**
  importexport.password=password
  importexport.enable.console.traces=true
  importexport.trace.events.file=C:/Hyperion/common/utilities/CSSImportExportUtility/importexport/trace.log
  importexport.errors.log.file=C:/Hyperion/common/utilities/CSSImportExportUtility/importexport/errors.log
  importexport.locale=en
  # export operations
  export.fileformat=csv
  export.file=C:/export.csv
  export.internal.identities=true
  export.MSAD.user.passwords=true
  export.provisioning.all=true
  export.delegated.lists=false
  export.user.filter=*@MSAD
  export.group.filter=*@MSAD
  export.role.filter=@MSAD
  export.producttype=*
  export.provisioning.apps=*
  Thank you very much
  Vivek Jaiswal
  Edited by: user11966901 on May 25, 2010 8:16 PM
  Edited by: user11966901 on May 25, 2010 8:19 PM
  Edited by: user11966901 on May 25, 2010 8:20 PM

• Essbase, shared services, projects, users

  I have installed shared services and cnfigured it
  now installed essbase
  EAS
  Provider services
  and configured in the above mentioned manner
  (DID not start essbase and EAS till now)
  when I log into shared services....i see only bussines rules under projects
  no analytical services under unassigned applications.....
  how can i see essbase server in shared services user management console.......
  it might be a basic funda....i am not getting
  help me in solving this....
  Thanks in advance

  Hi,
  Have you converted essbase from native security mode to shared services security.
  In EAS, right click security and choose "Externalize users"
  Cheers
  John
  http://john-goodwin.blogspot.com/

• One more on Shared Services - Removing Users w/o De-Provisioning

  What happens if a user is removed before it is de-provisioned?
  4-5 users were removed without do any de-provisioning first. Now the users are still appearing in certain areas, but not in default to remove them. Not sure if adding the users back in will tie them to their old SIDs and can then de-provision and remove them entirely or if would have to go through some other effort to remove them completely (which is the end goal). Any guidance on this is very appreciated.
  Thanks!

  You could try using the updatenativedir utility which comes supplied with Shared Serevices found in a rather odd location:
  <hyperion home>\common\utilities\SyncOpenLdapUtility\UpdateNativeDir.zip
  Take a backup of both your HSS Database and OpenLDAP Database before running it, just in case.
  I have never had any bad experiences using it.
  Run it with the -noupdate option to see what it change.
  Have a read of the whole readme, Some Text from the readme....
  Utility to update Hyperion Native Directory with updated data from external
  providers
  Description
  This utility will update external user and group identities in the Hyperion
  Native Directory for those objects that have moved in the external directory.
  This utility will also delete user and group entries from the Hyperion Native
  Directory that cannot be located in the external directory. If the external
  directory cannot be reached due to connectivity issues those user and group
  entries in the Hyperion Native Directory will not be deleted by the utility.
  Please ensure the you provide the same external authentication configuration
  file (CSS.xml) as configured in the Hyperion Shared Services.
  The data related to all the external providers in the search order is
  synchronized. User and group information such as membership, provisioning,
  cache will be deleted from Native Directory if the user or group is not found
  in the external providers.
  After this utility is run, we need to restart HSS so that the cache is
  refreshed and the data updated. The other option is to wait for cache to refresh.
  ...

• Hyperion Shared Services -- External user containers getting missed out .

  Hi All ,
  In my hyperion enviornment user authentication is done through native directory and also through External directories configured to LDAP - OIDM . Frequently the external containers are getting disappeared from the shared services console. But when i restart the services its getting back some time. Some times it take some time to reflect back. I dont understand why this is happening.Quick hep is appreciated.
  Thanks,
  roshi

  It was network problem

• Hyperion Shared Services (WebHal) user retrieval - slow

  Hi,
  I applied the Hyperion Shared service patch 9.3.1
  After that i am noticing a significant decrease in the user retrieval response time.
  Will deleting the users help me in any way ?
  Could you anyone point me as to how could i increase the response time ?
  Thanks,
  COldFIre
  Edited by: coldfire on Sep 15, 2010 9:17 PM

  Did you notice this behavior with nativ openldap or with an external directory ?

• Shared Services native group provision

  hi can someone help me in this issue..
  Shared Services.
  Some Existing Native groups. Right click on group > Provision > gives error "This operation is not supported".
  Have to deprovision to make this error go away. Right click properties OK, changes can be made, but cannot save, giving same error.
  help needed urgently..
  thanks..

  ok thanks a lot john.
  one more question for you John.
  We need to know who logs in?
  When they logged in and how long?
  Also can we log what they access ie: reports, planning, analysis
  How can we review these logs.
  i know we can see the user sessions in view statistics page in planningg. but apart from that is there a way i can know wht all reports, applications etc a user accesses. i need to keep a track. is there some log for this?
  thnks,
  Ricky.

• Shared Services Console - User is not authorized for the action

  Hi,
  I have installed Essbase 11.11.3 and configured on Linux. I started EPM and then the Shared Services Console. I created a new group Poweruser and assigned a new user to it. I provisioned the group withall the rights of the admin. This all works.
  When I log on with the new user on the Shared Service Console and go to Essbase Studio Server and click on the Essbase Studio Server application it gives me the message:
  User is not authorized for the action
  This is the same message as I get under the user admin. Can anyone tell me what I can possibly do to make it work.
  The service for EAS is started properly. The one thing that is not configured is HBR.
  Patrick

  Hi,
  What are you trying to achieve, provision a user for essbase studio ?
  EAS is a separate product from Studio.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Sync Shared Services External users & Provisioning for Essbase Applications

  Hi Experts !!
  i have externalised user authentication in Shared services . I provisioned all users for Essbase and refresh the security from Essbase ,So all users are working fine
  and can login in Essbase and "Excel add-in" as well..
  but there is one user who is still not working for "Excel Add in"..
  Error is "Login failed due to invalid login credentials"
  Please suugest me the solutions
  Thank you.

  Hi John !
  Yes, User can login in EAS .
  Also User is available under Users in EAS ,But no applications are displaying in Analytic Server , While I have given Administration Privileges for Essbase app.
  But still error while login in Excel add in ..
  Error : Login failed due to invalid login Credentials.
  Also ,After Provisioning , How Can we Sync all all Externalized users from Shared Services itself for All hyperion Projects ???
  Thank you

• Shared Services: adding users to Planning

  Hi,
  I'm having a problem creating users to and provisioning them to Planning. I'm not getting any error in the web interface but the users are not being added to the relational Planning database (HSP_USERS), however groups are. When I can also add the created users to a group but they are failing in the Planning logs with reference constraints, because the user is not present on the users table.
  Does shared services have a log to check if I'm having any error while creating the users?
  Thank you

  Hi,
  I dug into the logs and found the following:
  EPMCSS-00001: Failed to initialize EPM Shared Services security instance. Component SYSTEM9/FOUNDATION_SERVICES_PRODUCT/SHARED_SERVICES_PRODUCT is null in EPM System Registry. Verify EPM System Registry configuration.
  at com.hyperion.css.registry.RegistryManager.initRegistry(RegistryManager.java:109)
  at com.hyperion.css.registry.RegistryManager.<init>(RegistryManager.java:94)
  at com.hyperion.css.registry.RegistryManager.getInstance(RegistryManager.java:131)
  at com.hyperion.css.CSSSystemFactory.getCSSMode(CSSSystemFactory.java:102)
  at com.hyperion.css.CSSSystemFactory.getCSSSystem(CSSSystemFactory.java:71)
  at com.hyperion.css.CSSSystem.initCSSSystem(CSSSystem.java:319)
  at com.hyperion.css.CSSSystem.getInstance(CSSSystem.java:273)
  [Thu Apr 26 12:51:14 2012]Local/ESSBASE0///1876/Info(1051283)
  Retrieving License Information Please Wait...
  [Thu Apr 26 12:51:14 2012]Local/ESSBASE0///1876/Info(1051286)
  License information retrieved.
  [Thu Apr 26 12:52:01 2012]Local/ESSBASE0///1876/Error(1051223)
  Single Sign On function call [css_init] failed with error [CSS Error: CSS method invocation error: getInstance: Failed to get CSSSystem instance, please check SharedServices_Security_Client.log for more information]
  [Thu Apr 26 12:52:01 2012]Local/ESSBASE0///1876/Info(1051198)
  Single Sign-On Initialization Failed !
  So it seems it's a problems in the EPM System Registry. Can you advise me please? How can I clean the EPM System Registry of problems? I think this might have happened when I changed the database servers, but I configured the registry again and I thought it was healthy again since I only had problems some days ago when I tried to add new users.
  Thank you

• Essbase - Shared services security , User provison

  Hi,
  I am new to 11.1.1.2 Hyperion version.(worked on 9.3.1) I have some doubts on the user security in 11 version.
  We have Distribution environment setup like Essbase on linux and remainng applications on windows 2003 server. Essbase is also registerd with shared services. Here are my questions.
  1. If I change the Shared services Admin password (default password) will it effects any other applications?
  *2. How to change essbase admin password (default password)?(from foreground we can change first time only)*
  3. I am trying to login into EAS as well as essbase admin user but under essbase I am not able to create New User. The Create users option on security is disabled seems like already externalised. I am not able to get those users who are created in shared services evnthought using Refresh from Shared servcies+ option in essbase.
  4. If I want to a user with only essbase applicatons provisioned what is the procedure.
  Here i followed the procedure. Created xyz user in shared services and provisioned Only Demo applications. trying to loing EAS with xyz credentials login successfull and prompted for essbase credentials with server name , username (Extername authentication) getting failed. If i provide admin password at essbase server leverl i am able to connect and see all applications.
  Please help me on this...
  Regards
  PrakashV

  Hi,
  Is it the base install of 9.3.1 or is it a later version like 9.3.1.3
  I know there have been a number of security issues being addressed since the base version.
  e.g.
  Security. Users are not de-provisioned properly, causing Essbase applications to remain accessible to
  them. [7197541]
  Cheers
  John
  http://john-goodwin.blogspot.com/

• CSSimport.bat error: while migrating the Shared Services groups and users

  Hi,
  I am trying to migrate the shared services native users and group from 9.3.1(on server A) to 11.1.1.3(on server B)
  - I have taken the export in CSV format from 9.3.1 using CSSexport.bat.(export.csv) -Successful.
  - I have copied this on the 11.1.1.3 server and changed lil details like removing the admin user etc.
  - When I am trying the import this on 11.1.1.3, I am getting the below error:
  CSSimport importexport.properties2010-10-11 09:36:41,328 Attempting a import operation
  log4j:WARN No appenders could be found for logger (com.hyperion.css.common.CSSLogger).
  log4j:WARN Please initialize the log4j system properly.
  null
  Aborting program...
  - There are not log or error files geting generated - The only error recieved , is given above.
  - I have made the necessary changes to the impotexport.properties file on 11.1.1.3 before starting the CSSimport utility.
  Can you please let meknow what should I do to overcome this error.
  -thanks,
  Ankit

  First thing I would try would be on the 11.1.1.3, try and run an export, if it works then run the import on the same file, this way you will make sure you have the version 11 utility working.
  Once you have done that then you can move on to the 9.3.1 export file.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Automagic User Provisioning Essbase + Shared Services

  Hello All,
  I have recently been able to figure out how to use the Shared Services API for 11.1.2 in a previous post:
  Shared Service API Working 11.1.2
  However, all of the user management and provisioning examples work with native users. Has anyone used this API with active directory or LDAP users? Is there some other way (export/import utility)?
  My problem is that I need to be able to script the user management with shared services and have not been able to find much help. In the past, we ran Essbase in standalone mode and were able to handle this via MaxL generating essbase native user accounts. This will no longer work since we want to use shared services when upgrading to Essbase 11.

  After your comments I looked a bit more closely at the DDL for create user. It looks like i need "type external";
  MAXL> create user 'someuser' type external;
  OK/INFO - 1056060 - User [jdp5209] created.
  This is what i want!
  MAXL> create user 'someuser' identified by 'somepass';
  OK/INFO - 1056060 - User [someuser] created.
  This is not what i want, creates Shared Services native user.
  It seems obvious now, but before, shared services (CSS module to essbase) was "external" so the old external is the new native.
  Sorry, new to shared services! This works. Thanks all