Excluding Members in Security Filters

Similar Messages

• Planning Security Filters not reflecting in Essbase filters for 2 of 4 cube

  We are using Hyperion Planning with essbase. In essbase we have 4 cubes in essbase (BSCF, EMP, IS, MGN). We would like to add security for the entity dimension as we don't use it currently but we do for other dimensions.
  I have created a new group (FIN_APAC) in SS so that restricted access be given to users in Asia for only their LE(s). Then I enabled security for the LE dimension in planning and set security filters through a command line load. For existing groups I gave write access to all LE members and for the new group (FIN_APAC) I gave write access to certain members.
  When I refresh the security filters in planning they should reflect in Essbase and it does for 2 cubes (BSCF & EMP) but for the other cubes (IS & MGN) the essbase security filters are NONE! In planning all the LE members are set to be included in all plan types.
  The main problem seems to be with this new group (CSR_FIN_APAC) as whenever this group is assigned the essbase filters are not assigned properly. For the existing groups that have added LE security for all members the security filters are updated for 4 cubes as expected.
  Any help appreciated
  x

  When you create a planning application we can create 3 essbase cubes as plan types. if you use Capex, Workforce you can able to create max of 5 databases in Essbase version 11.1.1.3.
  if it is 11.1.2 you can add one more cube
  In your question, have you created 4 Essbase cubes. can you explain how that is possible.
  if all the LE members in all plan types means in 3 Essbase cubes. when you refresh security from planning to essbase that works fine.
  Can you explain the situation perfectly so that can able to give ans.
  Thanks,
  Suneel kanthala.

• Corruption of Security filters

  Hi
  We are facing a problem related to corruption of security filters ie whenever a user logins to excel addin to access the applications he gets an error like "Error while loading security filters".
  We then go to the console and try to vertify security filters sadly it also does not validate it.As a workaround we again create filters to solve this issue.
  So can anyone let us know the reason for the corruption of filters and also a proper solution to encounter this isssue other than the workaround suggested above.
  Waiting for a quick reply
  Thanks in advance
  regards
  krishnatilak

  Hi
  We found the RCA fro the corruption of filters.
  Some of the non business members have been deleted from plannning manually after which only a DB refresh has been performed without enabling the Security filters due to whcih the corruption of filters occured.
  After checking essbase.log we had come to this conclusion.Now everything seem to be okay.

• Deployment error when creating security filters

  My client has been receiving the following error when deploying the Security Filters. The message below was a full deployment, but she gets that last line when deploying only the filters as well. The security changes made do actually get deployed, so at this time, it seems to just be a nuisance "error". However, we are both wondering why it is happening, if it can be fixed, and whether any other problems we aren't aware of might be associated with it.
  [Dec 18, 2013 1:42:09 PM]: Parsing Application Properties...Done
  [Dec 18, 2013 1:42:09 PM]: Parsing Dimensions info...Done
  [Dec 18, 2013 1:42:10 PM]: Registering the application to shared services...Done
  [Dec 18, 2013 1:42:12 PM]: Checking for rates properties...Done
  [Dec 18, 2013 1:42:12 PM]: Loading Smart Lists...Done
  [Dec 18, 2013 1:42:12 PM]: Loading Alias Tables...Done
  [Dec 18, 2013 1:42:13 PM]: Updating the default user preferences...Done
  [Dec 18, 2013 1:42:13 PM]: Loading Dimensions...Done
  [Dec 18, 2013 1:42:14 PM]: Loading Attribute Dimensions...Done
  [Dec 18, 2013 1:42:14 PM]: Loading Attribute Members...Done
  [Dec 18, 2013 1:42:34 PM]: Loading members for dimension Account...Done
  [Dec 18, 2013 1:42:35 PM]: Loading members for dimension Version...Done
  [Dec 18, 2013 1:42:35 PM]: Loading members for dimension Currency...Done
  [Dec 18, 2013 1:42:40 PM]: Loading members for dimension Time Periods...Done
  [Dec 18, 2013 1:42:45 PM]: Loading members for dimension Strategic Division...Done
  [Dec 18, 2013 1:42:45 PM]: Loading members for dimension Year...Done
  [Dec 18, 2013 1:42:48 PM]: Loading members for dimension Entity...Done
  [Dec 18, 2013 1:42:53 PM]: Loading Scenario Members...Done
  [Dec 18, 2013 1:42:55 PM]: Loading Base Currency Members...Done
  [Dec 18, 2013 1:42:59 PM]: Starting Cube Create/Refresh...Done
  [Dec 18, 2013 1:46:56 PM]: Creating Security Filters...[Dec 18, 2013 1:52:43 PM]: Index: 1, Size: 1
  [Dec 18, 2013 1:52:43 PM]: An Exception occurred during Application deployment.: Index: 1, Size: 1
  Thanks,
  Sabrina

  Hi Sabrina,
  Try refreshing only security filters !
  Thanks
  Amith

• Creating New Security group and Refreshing Security Filters

  Hi
  I have created a new security group (and added people to it)
  I have given this security group write access to certain dimension members within the planning application
  I have refreshed the security filters via Planning_Manage Database_Security Filters
  But the people in the new security group still dont have write access to the dimension members
  If I look in EAS ... I cant see the the new security group that I have created
  Question 1
  Do I need to refresh the security filters via EAS
  If I do this ... I know that I need to make sure that no one is in the Essbase application
  Do I also need to make sure that no one is within the relavent planning application?
  Question 2
  Is it enough to refresh the security filters (tick security filters) .. or Do I need to tick database in the manage database options
  Question 3
  Does anyone have any suggestions that I havent mentioned above?
  Thank you
  PD

  Hi John
  Thanks for your suggestion
  I tried this and He still doesnt have write access
  He doesnt need to be able to lock and send values via essbase ... However when we are in planning, He cant submit data to the dimension members mentioned above.. i.e the cells are all green
  I have checked and doubled check the security on the dimension members (and form security) in the form that he cant edit
  Do you have any other suggestions?
  Thank you
  PD

• Autometic planning security refresh is not refreshing the security filters

  Hi Friends,
  We are using Hyperion planning system 9.3.1. While refreshing the planning security through automated script its not getting refreshed the security filters. In log its showing filter refreshed successfully but actually it’s not refreshing the filters. But when we are doing it manually from planning web its working fine. One more thing we are doing security refresh on daily basic as per business request. So daily its dropping the filters we refreshed manually from planning web.
  we are using the below scripts:
  CALL G:\Hyperion\Planning\bin\CubeRefresh.cmd /A:application_name /U:user_name /P:password /R /FSV /DEBUG >> In\Log\Refresh_HPOPROD.log
  Any help will be appreciated.
  Thanks,

  I guess you are missing /D

• System 9 Security Filters and VB Essbase API

  I currently maintain a lock and send Excel template sporting a custom login dialog which I use to capture the user's employee id. Having that, I then use a generic admin username/password and the API to get the security filter stored under the user's "underscored" ID on the Analytic server. I parse out the organizational entities stored in the write filter and use that to build a treeview to which the user can only select entities to which he/she can access. Basically, it gives me the ability to maintain a standard template across many lines of business. I also use the same code in a security management applet where superadmins can build/modify/delete the security filters of those people who have access to entities which are descendents of the entity to which the superadmin has access.
  Anyway, I understand in System 9, there is no longer an "underscored" id. I think I read that on the Planning forum. Other than a minor code change, will this have any further impact? The write filter has been migrated over to the non-underscored filter yes? We're going to System 9 soon and I'm just trying to get my hands around the impact this is going to have on all of the API (7.1.6) code I have deployed. This is just the first question that came to me. I expect I'll be on here for a few more. Any help or advice is appreciated.

  I wouldn't copy Essbase.sec from one server to another. The server name is embedded in there and it's drive/folder dependent.
  What you can do is use MaxL's display filter all command and then pipe the output to a text file. In turn you can import those definitions back into Essbase with a little work.
  I wonder if OlapUnderground's Advanced Securtity Manager might be used to move filters across servers and versions:
  http://www.appliedolap.com/free-tools/advanced-security-manager
  I've personally never used it, but I'm sure someone on this board will chime in.
  Regards,
  Cameron Lackpour

• How to Add multiple entry to the group policy security filtering

  How to Add multiple entry to the group policy security filtering
  Is there any way we can add multiple entry to the Domain group policy Security filtering tab.Currently its not allowing to add more then one entry at a time.
  Getting Error like "only one name can be entered,and the name cannot contain a semicolon.Enter a valid name"

  Hi
  Are you trying to add more users or groups through Group Policy Management Security Filtering tab?
  Try right clicking on the policy and then edit
  Then in Editor Right click on the name of the policy and Properties
  Security tab and add user or group from this tab. Just make sure if you are adding user or groups "Select this object type" has
  the correct option also "From this Location" is set to your entire directory not the local server.
  Update us with the above.
  Thanks

• New Group Policy not working on 2008 RDS in 2012 Domain - Security Filtering problem?

  We have a Windows 2008 R2 RDS in a Windows 2012R2 Domain. We want to lockdown the 2008 RDS for Domain users that we have added to a new  security Group--named "Data Collection Users". These users are "Domain Users" and login to the
  2008 RDS using Windows XP SP3 machines to run a specific application -they do not use their local desktops for anything. WE added this group to the local RDU group on the RDS.  We do not have any other users that login to the RDS through terminal,
  including any Domain Admins.
  So far we have done these steps:
  On the DC, created new OU (called Terminal Servers) and moved the RDS into it.
  Opened Group Policy on the DC, and under GP Objects, created a new policy called "TS Users Lockdown".
  Linked the Policy to the OU.
  Under Security Filtering we removed the Authenticated Users, added the RDS computer account (called QS2), added the "Data Collection Users" and chose Allow for "Read" and "Apply Policy"
  Under Security Filtering, for Domain Admins, we chose Deny for "Apply Group Policy"
  We edited the Policy (under Computer Configuration>AT>SYS>GP) to Enable Loopback processing - Replace mode.
  We first tested the policy by trying to remove the "Run" from startup menu and "prohibit access to Control Panel".
  We ran the Group Policy force update from within GP Management - ran successfully.
  We did not reboot the RDS.
  Neither of the settings we tried in Step 7 worked.  Why Not?
  Here are images from the Security Filtering:

  Ok--Do I reboot the RDS or the DC?  or both?
  Does it look like my Security Filtering is correct?  I have seen posts where you should not remove the "Authenticated users"?

• AGPM and security security filtering: gpos not showing up in uncontrolled tab

  Why Does a gpo not show up in uncontrolled tab? The only thing that is removed is "authenticated users" from security filtering of said gpo. Once I add authenticated users back, bang! its back visible in uncontrolled tab.
  Adding specific groups and removing authenticated users from security filtering is a standard practice to apply group policy. Can this not be used with AGPM?
  version 4.2

  Hi,
  For AGPM questions, in order to get accurate help, it's recommended that we ask for advice in the following dedicated AGPM forum.
  Microsoft Advanced Group Policy Management (AGPM)
  https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopagpm
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Problem assigning Essbase Security filters in Shared Services

  We recently upgraded Planning/Essbase to System 9 version 931 in Test. Everything went smoothly except for few users Security didn't migrate properly.
  In Shared Services, it shows that user has access to Planning & Native Essbase Applications. But in Essbase, only Planning Application access is shown.
  Also when I try to apply security filters for these users in Native Essbase Applications (in Shared Services), I don't see these particular users.
  There is no problem with Planning security, except when I refresh Security from Shared Services in Analytic Admin Console it wipes out Planning Application access in Essbase.
  For other users there are no issues. Only for few users this is the problem. I have tried to deprovision user & provision back, but no use.
  Please Help

  Essbase/Planning security is multi tiered. In Shared Services you setup your groups. You provision your groups with adequate security access. Depending on whether you have updated a cetain .css file(to fix bug) you may have to assign the read, write calc access to the group not just calc, but all three if your users need the access to actually, read, write & calc. of need user to just read & write etc... then you have to go to EAS refresh, run maxl script to assign environment access to user, go back to shared services go into projects assign any needed access to calc & filter groups and essbase is setup. For planning you also have to go to workspace and migrate identities within the security setup for any of your dimensions. this comes into play when adding or removing users as filters are created in planning workspace. I just learned this from one good tech that helped me setup & remove users as I had issues getting them in and out of the system..Now to move on to actually getting security reports that make sense for planning with the associated access. If anyone has the maxl code let me know.

• Wallpaper GPO + Loop-back Merge mode+ security filtering. issue

  I have deployed a loopback Merge Mode GPO to set wallpaper for all users who logon to specified workstations. And you have set security filtering just allow workstations in specified group can apply this GPO. Then you doubt whether user can apply user configuration
  in the loopback GPO because they don’t in your security filtering allow list.
  So I think why not add “Domain Users” group to security filtering. Then all domain users have both Read and AGP (Apply Group Policy) permission for user configuration in the loopback GPO.
  Loopback GPO only takes effect on computer objects in your specified OU, and your workstation group security filtering control apply scope, then “Domain Users” security filtering grant permissions for all users.
  ========================issue is below================
  Now GPO is applying to other workstations which are not part of group filtered in GPO.
  its randomly but not for all workstations..
  Workstations are XP operating systems..

  I have deployed a loopback Merge Mode GPO to set wallpaper for all users who logon to specified workstations. And you have set security filtering just allow workstations in specified group can apply this GPO. Then you doubt whether user can apply user configuration
  in the loopback GPO because they don’t in your security filtering allow list.
  So I think why not add “Domain Users” group to security filtering. Then all domain users have both Read and AGP (Apply Group Policy) permission for user configuration in the loopback GPO.
  Loopback GPO only takes effect on computer objects in your specified OU, and your workstation group security filtering control apply scope, then “Domain Users” security filtering grant permissions for all users.
  ========================issue is below================
  Now GPO is applying to other workstations which are not part of group filtered in GPO.
  its randomly but not for all workstations..
  Workstations are XP operating systems..
  "Domain Users" or I would prefer "Authenticated Users" should only have Read, Not Apply Policy. 
  Enfo Zipper
  Christoffer Andersson – Principal Advisor
  http://blogs.chrisse.se - Directory Services Blog

• How to apply Computer Configuration to users with Security Filtering?

  I have a gpo that contains both user and computer settings.  In order to test it, I want to link it to an OU that contains users and their computers, but I want to use Security Filtering to apply it only to certain users (I don't have their computer
  names).
  Is there a way to filter it to only certain users without losing the computer settings?

  > Is there a way to filter it to only certain users without losing the
  > computer settings?
   Computers look for computer settings in a GPO they have access to.
  Users look for user settings in a GPO they have access to.
  SO you might simply remove "Authenticated Users" (which includes both
  computers and users) from security filtering. Then add "Domain
  computers" which gives all computers access to computer settings, and
  add the users in question, which gives THESE users access to user settings.
  Don't enable loopback and play around with it unless you are sure you
  fully understand what it is doing!
  http://evilgpo.blogspot.de/2012/02/loopback-demystified.html
  http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• AGPM and policy security/filtering

  I'm having a problem figuring out how you change security filtering & WMI filtering under the 'Scope' tab and edit groups/users on the 'Delegation' tab on a controlled policy in AGPM.
  All the options are greyed out in GPMC for controlled policies, but not on uncontrolled.
  I've tried checking the policy out, but those properties still remain unchangeable.
  Is there a special way to change these properties on an AGPM controlled policy? Or is it not possible?

  Below link might be helpful,
  http://www.grouppolicy.biz/2010/06/how-to-create-make-changes-to-group-policy-objects-in-agpm/
  Regards,
  Gopi
  JiJi
  Technologies

• How to Export Security Filters from ASO

  Hi everyone,
  I would like to export the security filters from our reporting application which is ASO. Through my research I have struggled to find a good method for doing this. I ran the Display Filter MAXL script to produce an output but the output cannot be manipulated for use.
  Does anyone have a good way extract these filters?
  Please and thank you in advance for any advice you may have!
  John

  You could have a look at the advanced security manager which is a free tool - http://www.appliedolap.com/free-tools/advanced-security-manager
  There is also the option at look at using one of the API's
  I would say LCM but I don't think that extracts it in a format that then can be manipulated.
  Cheers
  John
  http://john-goodwin.blogspot.com/