Mapping EUS groups to shared schema

Hi, everybody
Has anybody done such thing ? I tried to map "cn=test_group,cn=groups,dc=test,dc=com" to schema GLOBAL_SCHEMA by ESM on target database but it silently skip my action. Moreover, I haven't found in documentation any mention about mapping groups to shared schema.
I'm using OID version 10.1.4.0.3 running on RHEL4/x86 and Database 10.2.0.4 running on Solaris 10/SPARC.

Hi, everybody one more time
I've just comprehend the idea. There is no sense in mapping directory groups to shared schema. I've made the following experiment:
1. created mapping of arbitrary user to GLOBAL_USER by esm
2. modified attribute 'orcldbdistinguishedname' of entry which corresponds mapping I had made at point 1. In my case it was 'cn=mapping0,cn=OracleDefaultDomain,cn=OracleDBSecurity,cn=Products,cn=OracleContext,dc=test,dc=com'
to value 'cn=test_group,cn=groups,dc=test,dc=com' by ldapmodify
3. added someone to group 'test_group'
4. tried to login to target database as user who had been added to group 'test_group' at point 3
5. got ORA-01017: invalid username/password; logon denied
The point is: There were no changes in DIT when you change membership of users in any group. LDAP server doesn't create new user's entry down below 'cn=test_group,cn=groups,dc=test,dc=com', instead it add attribute 'uniquemember' to corresponding group entry. This attribute contains dn of user's entry who is member of this group. So, there is no possibility of mapping directory groups to shared schema. The only way to emulate such behavior is to create something like cn=group1,cn=users,dc=test,dc=com ... cn=groupN,cn=users,dc=test,dc=com and sort out users to those entries manually. However, drawback of such solution is one to one relationship among users and "groups", but anyway it's better than nothing.

Similar Messages

Creation of Group in Shared Services

Hi All,
I am creating groups in Shared Services using Import export utility, to create a group I have given record like
#group,,,,,,,
id,provider,name,description,internal_id,,,
Test.30.7202,Native Directory,Test.30.7202,,,,,
But group is not getting created, when I checked the trace log file I found
Trace...
     2010-06-09 15:28:20,822 Attempting a import operation
     2010-06-09 15:28:22,147 Import : Attempting to create group Test.30.7202
     2010-06-09 15:28:22,162 Import : Create group Test.30.7202 failed.
Can you please someone explain, is there I missed any information?
We are using Hyperion system 9.3.1
Thanks in Advance

Hi John,
Thanks for the prompt response, its working fine without intenal id. One more issue, Now I am provisioning groups for Planning Application
project_name     application_name     role_id     product_type     user_id     user_provider     group_id     group_provider
HyperionPlanning     Testapp     Planner     HP-9.3.1               Test.30.7202     Native Directory
Like the above, is there any syntax to provide access to Essbase "Server Access" (Minimum access to access to Essbase) and Business Rules?
Thanks in Advance,

Mapping to Equivalent in Output Schema

Hi
I have a output schema which includes a <Equivalent> element with several possible options, e.g.
 <Product>
 <Equivalent>
<Desktops>
<Laptops>
etc.
The XSD looks like this
<xs:element name="VendorCatalog">
 <xs:complexType>
 <xs:sequence maxOccurs="unbounded">
 <xs:element ref="tns:Product" />
 etc .....
<xs:element block="substitution" name="Product" type="tns:VendorProduct">
etc .....
<xs:complexType name="VendorProduct" abstract="true">
 <xs:sequence>
 <xs:element minOccurs="0" maxOccurs="1" name="PriceInformation">
 <xs:complexType>
 etc .....
<xs:complexType name="Laptops">
 <xs:annotation>
 <xs:documentation>Laptops</xs:documentation>
 </xs:annotation>
 <xs:complexContent mixed="false">
 <xs:extension base="VendorProduct">
 <xs:sequence>
1. I need to generate XML which starts like this with a xsi:type dependant on a value in the imput XML.
<Product xsi:type="Laptops" ProductCode="PROD123456">
 <PriceInformation>
 <Price Currency="GBP" UnitOfMeasure="Quantity" Value="9.99"/>
 </PriceInformation>
If I deceide that I want to generate a "Laptop", using the BizTalk Mapper - how do I assign a value to Product xsi:type ??
2. The structure Laptops has extension base="VendorProduct"
If I deceide that I want to generate a "Laptop" and I want to generate a field in the VendorProduct structure (eg price), do link to the field Price in the VendorProduct data structure or the Price field in the Laptops data structure?
Or is there an Idiot's guide to mapping to <Equivalent>
Thanks

If your schema contains information like..
<xs:element name="VendorCatalog">
<xs:complexType>
<xs:sequence maxOccurs="unbounded">
<xs:element ref="tns:Product" />
and..
<xs:complexType name="VendorProduct" abstract="true">
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="1" name="PriceInformation">
<xs:complexType>
if you want to map the "xsi:type" attribute with name
of the node/element like..
<Product xsi:type="Laptops" ProductCode="PROD123456">
rather than the mapped node/element's value, then change the link's "Soruce Links" property value from its defualt "Copy text value" to "Copy name". So link the Laptop element from the soruce to the xsi:type attribute to the
destination schema using a standard link. Then select the link, go to its property and change the above mentioned property.
If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

Mapping LDAP Groups to SAP Roles

Hi there,
i am trying to build up a synchron usermanagement with a LDAP-Server between EP, Web AS Java and Web AS ABAP.
My thought is to administrate the users in the LDAP-Directory. The users will be assigned to groups.
In EP and Web AS Java its no problem to assign these groups to roles and then just change the Users in the LDAP-Group and reach a synchron usermanagement.
In Web AS ABAP it seems impossible to assign roles to groups.
The question is, is it possible to map ldap groups with the ldap connector of the web AS ABAP to Roles in an ABAP System?
Or is there another way to administrate users in different systems?
Thanks alot for your answers,
stefan

Hi
in this case u have to use the concept of central user administration. use the following links
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/asug-biti-03/cua with sap webas, ldap and third party software
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/events/sap-teched-04/user management and authorizations overview.pdf
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/nw/dotnet/integration of sap central user administration into microsoft active directory.pdf
hope this helps u to get fair bit of idea
don,t forget to give points
With regards
subrato kundu

Mapping AD groups to built in user groups

Hi.
I'm in the process of configuring AD authentication for OBIEE 11g. I've managed to connect to AD and pull users and groups. However, i don't understand how i can map AD groups to built-in access groups such as "BIAuthors" and "BIConsumers". When i open "Membership" tab in the list of available groups i can only see built-in groups.

Hi,
You can use dsquery and dsget commands to get all users from the groups from a specific OU in your AD as shown below,
dsquery group "ou=testou,dc=domain,dc=com" | dsget group -members
To export the above user information to a CSV file use the below command,
dsquery group "ou=testou,dc=domain,dc=com" | dsget group -members > c:\Grpmem_testou.csv
Regards,
Gopi
JiJi
Technologies

Security Settings for two admin groups with shared service

Hi all,
I use Essbase Administration Services 11.1.2 and Hyperion Shared Services Console 11.1.2.0.73 (Drop 17)
Access Rights are granted via Groups in Hyperion Shared Service Console.
We have two admin groups.
AccessGroup 1: admin rights on some cubes (A) and read rights on all others (B).
AccessGroup 2: admin rights on (B) and read rights on (A).
If someone of AccessGroup 1 copies a cube of (A) – Fin_rep for example – wether AccessGroup 1 nor AccessGroup 2 can even see the cube (and i dont even mention admin rights) execpt the one who copied it.
Settings in Shared Services Console:
- Both groups have role "Create/delete application" and "AccessManager" (or something like that - german word is "Zugriffsberechtigungsmanager") on Essbase Cluster (our essbase server).
- AccessGroup 1 has role "ApplicationManager" and "AccessManager" for all cubes which they should administrate (A)
and role "Read" for all cubes with read only (B)
- AccessGroup 2 has role "ApplicationManager" and "AccessManager" for all cubes which they should administrate (B)
and role "Read" for all cubes with read only (A)
I hope i can get some help with this topic.
Thank you in advance,
Best regards
Bernd
Edited by: 907705 on 07.02.2012 02:52

Security will not copy over when you create new cube from old cube. You have to grant security to required groups using shared services or Maxl.

Import Groups in shared services

Hi All, I used to import groups into planning application using thefollowing code in planning version 3.5. IMPORT_GROUP,Group Name <MEMBERS> membername1,2,1 membername2,2,1 membername3,2,1 </MEMBERS> how can I import groups in shared services. thanks in advance.

There are docs in Hyperion\common\utilities\CSSImportExportUtility\importexport\doc that explains how to do this

Not able provision a new native group in shared services

Hi,
I am trying to add a new native group in shared services and trying to provision the group. But I am getting the following error:
90:7019:Failed to process the request
Is there any solution for it. Can anyone suggest me how to proceed further.
Thanks,
Hima

Can determine if the provisioning is failing for a particular application? Try to pick something confined to shared services like "application creator" in shared services and see if you can provision just that role. This will tell you if it is an issue with metadata from a product outside of shared services.
Do you have any applications with the same name or registered more than once in your application groups in shared services?
If it fails for everything you try have you restarted shared services and checked your jvm heap settings?
Also, in the logs Shared Services directory there are many log files , can you check them for any related error messages?
Thanks
Nick

Can Enterprise users have more than 1 Shared Schema ?

Hi Everyone,
I just want to know whether is it possible for
Enterprise Users ( Schema-Independant users) able to access different shared schemas using the same user credentials.
A typical example is :
User1, User2 & User3 were Enterprise users who works for same project has been assigned to a shared schema (project1) which works fine with the enterprise user security by assigning them Project1 schema as default schema.
But User2 also works for another project ( Project2) and should be logged into schema project2 using his user credentials . Is this possible ???
Thanks
Venu

Oracle object privileges are generally best managed via the use of ROLES.
One way to have multiple end users access one schema might be to use the PROXY connection feature.
Both subjects are convered in the official documentation.
HTH -- Mark D Powell --

How to extract external directory users from a shared services group from shared services RDBMS repository

Hi,
I have a security group in shared services, which has external directory users. I want to extract the list of users from shared services RDBMS repository using a SQL query. Please let me know if this is possible and from which table(s) I can query such list.
Thanks...

You need to use CSS_Groups, CSS_GROUP_MEMBERS and CSS_USERS tables in your Foundation DB. Something like below will give you these details:
select b.Name ,a.Name from HYPFOUND.CSS_GROUPS b ,
HYPFOUND.CSS_USERS a ,
HYPFOUND.CSS_GROUP_MEMBERS c
WHERE c.MEMBER_IDENTITY = a.IDENTITY_ID and
c.GROUP_IDENTITY = b.IDENTITY_ID
GROUP BY (b.Name,a.name)

Can Enterprise Users have more than One Shared Schemas ???

Hi Everyone,
I just want to know whether is it possible for Enterprise Users ( Schema-Independant users) able to access different shared schemas using the same user credentials.
A typical example is :
User1, User2 & User3 were Enterprise users who works for same project has been assigned to a shared schema (project1)
which works fine with the enterprise user security by assigning them Project1 schema as default schema.
But User2 also works for another project ( Project2) and should be logged into schema project2 using his user credentials . Is this possible ???
Thanks
Venu

Oracle object privileges are generally best managed via the use of ROLES.
One way to have multiple end users access one schema might be to use the PROXY connection feature.
Both subjects are convered in the official documentation.
HTH -- Mark D Powell --

Shared Schemas Enterprise User Security.

Hello,
I currently have externally authenticated users setup. With each user having his own schema.
My enviromnent does not need users to have seperate schemas. There will be a Prod, Train and Test environments. My question is what is the best way to implement database access. Should I stick with my current environment and grant privledges to allow users to access the same schema. Should I create a global schema and create Enterprise users and map those users to that schema. Should I create the different environments as global schemas in one database or create three separate databases. Any Suggestions. The documentation does not give real world solutions.
Thanks in advance!!!

If you're not using DB 10.2 this is the "expected" behavior for the DB. See also metalink note 351170.1 "Enterprise Users Can Connect to a Database when the OID Account is Disabled"
regards,
--Olaf

User mapping for groups doesn't work

Hi,
I have a problem with the user mapping for groups. When I select "User Mapping for System Access" I get the error message "There are no systems available for user mapping for the selected principal." There are some hints, what the reason could be, but I think I checked them all. For the single users in the group, the User mapping works without problems. Does anybody know what the reason for this problem could be? We are running SAP EP 7.0.
Kind regards,
Dominik

Hi,
It seems that the system you are pointing to is a delta link linking to "nowhere" and the source system has been deleted.
The main reason for the problem is that the delta link system refers to a system that (no longer) exists.
Try recreating the delta link's base system with the same location in the PCD and correct attributes.
Hope this helps.
Regards
Srinivasan T

Is it possible dynamcially mapping AD groups ?

boxi31 sp2 > 2003 sql server > tomcat 5.5
Is it possible to map AD accts as only an authentication point and not manually map the winAD groups manually withi the CMC.
I have only done the typical config;
Mapped AD Member Groups
Add AD Group (Domain\Group): "manually add group"
secWinAD:CN=XXX OU=XXX,OU=XXX,DC=XXX,DC=XXX
etc...
I was told cognos can do this, so I'm assuming BO can also, but I have no idea how?
Thoughts?

Hi Michael,
I moved to the correct forum: Admin and Auth.
I don't know if I understand correctly the question. I assume that you want to add AD user accounts directly. The answer is we can only map AD groups. You can decide when the account is added:
- When you update the AD plugin: all the account in that group are created
- When the users log in: only users that log in to BOE will create their account.
Regards,
Julian

Mapping over more than 1 schema

Hi,
I have to do the following mapping:
Workspace user: user_ws
Transfer data from user send_user.table1 to get_user.table2
Whe I create 2 locations (localtion_send_user and location_get_user the 2 owners of the 2 tables) I can see the 2 tables (1 in each schema/location)
How can I create a mapping as user_ws using both tables and locations?
Please help me
Siegwin

You may have NULL values in those columns:
test@ORA10G>
test@ORA10G> --
test@ORA10G> with t as (
2    select 100 id, 1 a, 10 b from dual union all
3    select 100,    2,    20    from dual union all
4    select 100,    3,    null from dual union all
5    select 100,    null, 40    from dual union all
6    select 100,    null, null from dual)
7 --
8 SELECT SUM(a + b) AS c
9    FROM t
10   GROUP BY ID;
         C
        33
1 row selected.
test@ORA10G>You probably want to see 76 here. So -
test@ORA10G>
test@ORA10G> --
test@ORA10G> with t as (
2    select 100 id, 1 a, 10 b from dual union all
3    select 100,    2,    20    from dual union all
4    select 100,    3,    null from dual union all
5    select 100,    null, 40    from dual union all
6    select 100,    null, null from dual)
7 --
8 SELECT SUM(NVL(a,0) + NVL(b,0)) AS c
9    FROM t
10   GROUP BY ID;
         C
        76
1 row selected.
test@ORA10G>
test@ORA10G>If you simply get a NULL, I'll bet you have NULLs for all records in both those columns.
test@ORA10G>
test@ORA10G> --
test@ORA10G> with t as (
2    select 100 id, null a, null b from dual union all
3    select 100,    null,    null    from dual union all
4    select 100,    null,    null from dual union all
5    select 100,    null, null    from dual union all
6    select 100,    null, null from dual)
7 --
8 SELECT SUM(a + b) AS c
9    FROM t
10   GROUP BY ID;
         C
1 row selected.
test@ORA10G>Use NVL. Make life easy.
isotope

Mapping EUS groups to shared schema

Similar Messages

Maybe you are looking for