Corruption of Security filters

Similar Messages

• Planning Security Filters not reflecting in Essbase filters for 2 of 4 cube

  We are using Hyperion Planning with essbase. In essbase we have 4 cubes in essbase (BSCF, EMP, IS, MGN). We would like to add security for the entity dimension as we don't use it currently but we do for other dimensions.
  I have created a new group (FIN_APAC) in SS so that restricted access be given to users in Asia for only their LE(s). Then I enabled security for the LE dimension in planning and set security filters through a command line load. For existing groups I gave write access to all LE members and for the new group (FIN_APAC) I gave write access to certain members.
  When I refresh the security filters in planning they should reflect in Essbase and it does for 2 cubes (BSCF & EMP) but for the other cubes (IS & MGN) the essbase security filters are NONE! In planning all the LE members are set to be included in all plan types.
  The main problem seems to be with this new group (CSR_FIN_APAC) as whenever this group is assigned the essbase filters are not assigned properly. For the existing groups that have added LE security for all members the security filters are updated for 4 cubes as expected.
  Any help appreciated
  x

  When you create a planning application we can create 3 essbase cubes as plan types. if you use Capex, Workforce you can able to create max of 5 databases in Essbase version 11.1.1.3.
  if it is 11.1.2 you can add one more cube
  In your question, have you created 4 Essbase cubes. can you explain how that is possible.
  if all the LE members in all plan types means in 3 Essbase cubes. when you refresh security from planning to essbase that works fine.
  Can you explain the situation perfectly so that can able to give ans.
  Thanks,
  Suneel kanthala.

• Autometic planning security refresh is not refreshing the security filters

  Hi Friends,
  We are using Hyperion planning system 9.3.1. While refreshing the planning security through automated script its not getting refreshed the security filters. In log its showing filter refreshed successfully but actually it’s not refreshing the filters. But when we are doing it manually from planning web its working fine. One more thing we are doing security refresh on daily basic as per business request. So daily its dropping the filters we refreshed manually from planning web.
  we are using the below scripts:
  CALL G:\Hyperion\Planning\bin\CubeRefresh.cmd /A:application_name /U:user_name /P:password /R /FSV /DEBUG >> In\Log\Refresh_HPOPROD.log
  Any help will be appreciated.
  Thanks,

  I guess you are missing /D

• System 9 Security Filters and VB Essbase API

  I currently maintain a lock and send Excel template sporting a custom login dialog which I use to capture the user's employee id. Having that, I then use a generic admin username/password and the API to get the security filter stored under the user's "underscored" ID on the Analytic server. I parse out the organizational entities stored in the write filter and use that to build a treeview to which the user can only select entities to which he/she can access. Basically, it gives me the ability to maintain a standard template across many lines of business. I also use the same code in a security management applet where superadmins can build/modify/delete the security filters of those people who have access to entities which are descendents of the entity to which the superadmin has access.
  Anyway, I understand in System 9, there is no longer an "underscored" id. I think I read that on the Planning forum. Other than a minor code change, will this have any further impact? The write filter has been migrated over to the non-underscored filter yes? We're going to System 9 soon and I'm just trying to get my hands around the impact this is going to have on all of the API (7.1.6) code I have deployed. This is just the first question that came to me. I expect I'll be on here for a few more. Any help or advice is appreciated.

  I wouldn't copy Essbase.sec from one server to another. The server name is embedded in there and it's drive/folder dependent.
  What you can do is use MaxL's display filter all command and then pipe the output to a text file. In turn you can import those definitions back into Essbase with a little work.
  I wonder if OlapUnderground's Advanced Securtity Manager might be used to move filters across servers and versions:
  http://www.appliedolap.com/free-tools/advanced-security-manager
  I've personally never used it, but I'm sure someone on this board will chime in.
  Regards,
  Cameron Lackpour

• How to Add multiple entry to the group policy security filtering

  How to Add multiple entry to the group policy security filtering
  Is there any way we can add multiple entry to the Domain group policy Security filtering tab.Currently its not allowing to add more then one entry at a time.
  Getting Error like "only one name can be entered,and the name cannot contain a semicolon.Enter a valid name"

  Hi
  Are you trying to add more users or groups through Group Policy Management Security Filtering tab?
  Try right clicking on the policy and then edit
  Then in Editor Right click on the name of the policy and Properties
  Security tab and add user or group from this tab. Just make sure if you are adding user or groups "Select this object type" has
  the correct option also "From this Location" is set to your entire directory not the local server.
  Update us with the above.
  Thanks

• New Group Policy not working on 2008 RDS in 2012 Domain - Security Filtering problem?

  We have a Windows 2008 R2 RDS in a Windows 2012R2 Domain. We want to lockdown the 2008 RDS for Domain users that we have added to a new  security Group--named "Data Collection Users". These users are "Domain Users" and login to the
  2008 RDS using Windows XP SP3 machines to run a specific application -they do not use their local desktops for anything. WE added this group to the local RDU group on the RDS.  We do not have any other users that login to the RDS through terminal,
  including any Domain Admins.
  So far we have done these steps:
  On the DC, created new OU (called Terminal Servers) and moved the RDS into it.
  Opened Group Policy on the DC, and under GP Objects, created a new policy called "TS Users Lockdown".
  Linked the Policy to the OU.
  Under Security Filtering we removed the Authenticated Users, added the RDS computer account (called QS2), added the "Data Collection Users" and chose Allow for "Read" and "Apply Policy"
  Under Security Filtering, for Domain Admins, we chose Deny for "Apply Group Policy"
  We edited the Policy (under Computer Configuration>AT>SYS>GP) to Enable Loopback processing - Replace mode.
  We first tested the policy by trying to remove the "Run" from startup menu and "prohibit access to Control Panel".
  We ran the Group Policy force update from within GP Management - ran successfully.
  We did not reboot the RDS.
  Neither of the settings we tried in Step 7 worked.  Why Not?
  Here are images from the Security Filtering:

  Ok--Do I reboot the RDS or the DC?  or both?
  Does it look like my Security Filtering is correct?  I have seen posts where you should not remove the "Authenticated users"?

• AGPM and security security filtering: gpos not showing up in uncontrolled tab

  Why Does a gpo not show up in uncontrolled tab? The only thing that is removed is "authenticated users" from security filtering of said gpo. Once I add authenticated users back, bang! its back visible in uncontrolled tab.
  Adding specific groups and removing authenticated users from security filtering is a standard practice to apply group policy. Can this not be used with AGPM?
  version 4.2

  Hi,
  For AGPM questions, in order to get accurate help, it's recommended that we ask for advice in the following dedicated AGPM forum.
  Microsoft Advanced Group Policy Management (AGPM)
  https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopagpm
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Problem assigning Essbase Security filters in Shared Services

  We recently upgraded Planning/Essbase to System 9 version 931 in Test. Everything went smoothly except for few users Security didn't migrate properly.
  In Shared Services, it shows that user has access to Planning & Native Essbase Applications. But in Essbase, only Planning Application access is shown.
  Also when I try to apply security filters for these users in Native Essbase Applications (in Shared Services), I don't see these particular users.
  There is no problem with Planning security, except when I refresh Security from Shared Services in Analytic Admin Console it wipes out Planning Application access in Essbase.
  For other users there are no issues. Only for few users this is the problem. I have tried to deprovision user & provision back, but no use.
  Please Help

  Essbase/Planning security is multi tiered. In Shared Services you setup your groups. You provision your groups with adequate security access. Depending on whether you have updated a cetain .css file(to fix bug) you may have to assign the read, write calc access to the group not just calc, but all three if your users need the access to actually, read, write & calc. of need user to just read & write etc... then you have to go to EAS refresh, run maxl script to assign environment access to user, go back to shared services go into projects assign any needed access to calc & filter groups and essbase is setup. For planning you also have to go to workspace and migrate identities within the security setup for any of your dimensions. this comes into play when adding or removing users as filters are created in planning workspace. I just learned this from one good tech that helped me setup & remove users as I had issues getting them in and out of the system..Now to move on to actually getting security reports that make sense for planning with the associated access. If anyone has the maxl code let me know.

• Wallpaper GPO + Loop-back Merge mode+ security filtering. issue

  I have deployed a loopback Merge Mode GPO to set wallpaper for all users who logon to specified workstations. And you have set security filtering just allow workstations in specified group can apply this GPO. Then you doubt whether user can apply user configuration
  in the loopback GPO because they don’t in your security filtering allow list.
  So I think why not add “Domain Users” group to security filtering. Then all domain users have both Read and AGP (Apply Group Policy) permission for user configuration in the loopback GPO.
  Loopback GPO only takes effect on computer objects in your specified OU, and your workstation group security filtering control apply scope, then “Domain Users” security filtering grant permissions for all users.
  ========================issue is below================
  Now GPO is applying to other workstations which are not part of group filtered in GPO.
  its randomly but not for all workstations..
  Workstations are XP operating systems..

  I have deployed a loopback Merge Mode GPO to set wallpaper for all users who logon to specified workstations. And you have set security filtering just allow workstations in specified group can apply this GPO. Then you doubt whether user can apply user configuration
  in the loopback GPO because they don’t in your security filtering allow list.
  So I think why not add “Domain Users” group to security filtering. Then all domain users have both Read and AGP (Apply Group Policy) permission for user configuration in the loopback GPO.
  Loopback GPO only takes effect on computer objects in your specified OU, and your workstation group security filtering control apply scope, then “Domain Users” security filtering grant permissions for all users.
  ========================issue is below================
  Now GPO is applying to other workstations which are not part of group filtered in GPO.
  its randomly but not for all workstations..
  Workstations are XP operating systems..
  "Domain Users" or I would prefer "Authenticated Users" should only have Read, Not Apply Policy. 
  Enfo Zipper
  Christoffer Andersson – Principal Advisor
  http://blogs.chrisse.se - Directory Services Blog

• Deployment error when creating security filters

  My client has been receiving the following error when deploying the Security Filters. The message below was a full deployment, but she gets that last line when deploying only the filters as well. The security changes made do actually get deployed, so at this time, it seems to just be a nuisance "error". However, we are both wondering why it is happening, if it can be fixed, and whether any other problems we aren't aware of might be associated with it.
  [Dec 18, 2013 1:42:09 PM]: Parsing Application Properties...Done
  [Dec 18, 2013 1:42:09 PM]: Parsing Dimensions info...Done
  [Dec 18, 2013 1:42:10 PM]: Registering the application to shared services...Done
  [Dec 18, 2013 1:42:12 PM]: Checking for rates properties...Done
  [Dec 18, 2013 1:42:12 PM]: Loading Smart Lists...Done
  [Dec 18, 2013 1:42:12 PM]: Loading Alias Tables...Done
  [Dec 18, 2013 1:42:13 PM]: Updating the default user preferences...Done
  [Dec 18, 2013 1:42:13 PM]: Loading Dimensions...Done
  [Dec 18, 2013 1:42:14 PM]: Loading Attribute Dimensions...Done
  [Dec 18, 2013 1:42:14 PM]: Loading Attribute Members...Done
  [Dec 18, 2013 1:42:34 PM]: Loading members for dimension Account...Done
  [Dec 18, 2013 1:42:35 PM]: Loading members for dimension Version...Done
  [Dec 18, 2013 1:42:35 PM]: Loading members for dimension Currency...Done
  [Dec 18, 2013 1:42:40 PM]: Loading members for dimension Time Periods...Done
  [Dec 18, 2013 1:42:45 PM]: Loading members for dimension Strategic Division...Done
  [Dec 18, 2013 1:42:45 PM]: Loading members for dimension Year...Done
  [Dec 18, 2013 1:42:48 PM]: Loading members for dimension Entity...Done
  [Dec 18, 2013 1:42:53 PM]: Loading Scenario Members...Done
  [Dec 18, 2013 1:42:55 PM]: Loading Base Currency Members...Done
  [Dec 18, 2013 1:42:59 PM]: Starting Cube Create/Refresh...Done
  [Dec 18, 2013 1:46:56 PM]: Creating Security Filters...[Dec 18, 2013 1:52:43 PM]: Index: 1, Size: 1
  [Dec 18, 2013 1:52:43 PM]: An Exception occurred during Application deployment.: Index: 1, Size: 1
  Thanks,
  Sabrina

  Hi Sabrina,
  Try refreshing only security filters !
  Thanks
  Amith

• How to apply Computer Configuration to users with Security Filtering?

  I have a gpo that contains both user and computer settings.  In order to test it, I want to link it to an OU that contains users and their computers, but I want to use Security Filtering to apply it only to certain users (I don't have their computer
  names).
  Is there a way to filter it to only certain users without losing the computer settings?

  > Is there a way to filter it to only certain users without losing the
  > computer settings?
   Computers look for computer settings in a GPO they have access to.
  Users look for user settings in a GPO they have access to.
  SO you might simply remove "Authenticated Users" (which includes both
  computers and users) from security filtering. Then add "Domain
  computers" which gives all computers access to computer settings, and
  add the users in question, which gives THESE users access to user settings.
  Don't enable loopback and play around with it unless you are sure you
  fully understand what it is doing!
  http://evilgpo.blogspot.de/2012/02/loopback-demystified.html
  http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• AGPM and policy security/filtering

  I'm having a problem figuring out how you change security filtering & WMI filtering under the 'Scope' tab and edit groups/users on the 'Delegation' tab on a controlled policy in AGPM.
  All the options are greyed out in GPMC for controlled policies, but not on uncontrolled.
  I've tried checking the policy out, but those properties still remain unchangeable.
  Is there a special way to change these properties on an AGPM controlled policy? Or is it not possible?

  Below link might be helpful,
  http://www.grouppolicy.biz/2010/06/how-to-create-make-changes-to-group-policy-objects-in-agpm/
  Regards,
  Gopi
  JiJi
  Technologies

• How to Export Security Filters from ASO

  Hi everyone,
  I would like to export the security filters from our reporting application which is ASO. Through my research I have struggled to find a good method for doing this. I ran the Display Filter MAXL script to produce an output but the output cannot be manipulated for use.
  Does anyone have a good way extract these filters?
  Please and thank you in advance for any advice you may have!
  John

  You could have a look at the advanced security manager which is a free tool - http://www.appliedolap.com/free-tools/advanced-security-manager
  There is also the option at look at using one of the API's
  I would say LCM but I don't think that extracts it in a format that then can be manipulated.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Security Filtering for GPO processing

  Hi,
  I have an OU which contains all the servers accounts. I have multiple GPOs that are linked to this OU but I have a GPO that contains only User configuration part witha script to map files. Requirement is that this policy should be applied when a groups of
  users logs on to a group of servers only.
  If I add the required User group & required computer accounts to the Security filtering of this GPO, will it work good? Is there any other way that will give required result but with lesser GPO processing time.
  Thanks
  Vipin Tyagi (MCSE 2003) Windows Admin

  In our environment, all GPOs are applied to Computer OUs, not a single GPO applied to User OU. Do we need to enable Loopback processing for all GPOs having user setting?
  No.
  Loopback Processing is rather special, in the way that, if enabled in any GPO, and that GPO is linked to an OU, all GPOs linked to that OU will operate in Loopback mode.
  When you enable Loopback Processing, this changes the way that GPO is processed on computers in the linked OU.
  e.g. if you enable Loopback Processing on a single GPO linked to an OU, and there are 3 other GPOs linked to that same OU, all 4 GPOs will operate in Loopback Processing mode for that OU.
  For this reason, there are suggestions on how to implement Loopback Processing, e.g. create a new GPO, name that GPO something like "Enable GPO Loopback in Merge mode" or "Enable GPO Loopback in Replace mode", then link this GPO to the relevant OUs where
  you need it.
  Don't enable Loopback Processing in a GPO that also performs other GPO settings.
  Using this method, you can quickly see (due to the display name) when Loopback Processing is applying to any OU, and, clearly see in all RSOP/GPresult data when Loopback is occurring.
  [troubleshooting GPO can be tricky, particularly when you don't know Loopback is occurring]
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Is there a way to get GPO's security filtering groups only.

  Hello,
  Is there a way to get the GPO and the Security filtering groups assigned or configured for that GPO.
  A VBSCRIPT would be greatfull
  Thanks,
  Schan.

  > A VBSCRIPT would be greatfull
  Have a look at the GPMC samle scripts:
  http://www.microsoft.com/en-us/download/details.aspx?id=14536
  Also a good starter to learn about how to use the GPMC COM interface :)
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))