Migrating HSS MSAD group security

Similar Messages

• EPM 11.1.2.1 add a MSAD user to a HSS native group via MaxL command

  Hi there
  I want to take over MSAD user as EPM (Essbase) user in a HSS native group via MaxL command:
  This works fine as long as the user is already in at least one other group (with at least server access).
  If I want to do same for a "new" user it fails.
  Is there any trick to also make it work for this case?
  see here:
  alter user 'mynewuser' add to group 'ALL_SERVER_ACCESS_ ESS1';
  ERROR - 1051012 - User mynewuser does not exist.
  or even
  alter user 'mynewuser@domain' add to group 'ALL_SERVER_ACCESS_ ESS1';
  ERROR - 1051012 - User mynewuser@domain does not exist.
  Thanks in advance!
  Regards
  Andre

  You will probably need issue a create first for example
  create or replace user 'essuser' type external;
  alter user 'essuser' add to group essgroup;
  or
  create or replace user 'essuser@LDAPNAME' type external;
  alter user 'essuser@LDAPNAME' add to group essgroup;
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Shared Services Mixed Native-MSAD group nesting

  Is anyone doing this?
  I am trying to make an MSAD group a member of a native group using shared services and after adding the MSAD group, the console errors out for the group i just made whenever trying to view the group members. This is repeatable and happens before i have even provisioned the parent group when i am trying to view the group members.
  When i nest a native group inside another native group, it works fine.
  In the SharedServices_Security.log found in Oracle/Middleware/user_projects/domains/EPMSystem/servers/FoundationServices0/logs
  I see the following stack trace:
  [2010-12-14T09:09:22.156-06:00] [FoundationServices0] [ERROR] [EPMCSS-7019] [oracle.EPMCSS.CSS] [tid: 7] [userId: <anonymous>] [ecid: 0000In_RR_eDKeoLwUg8yW1D1Yoh00001G,0] [APP: SHARE
  DSERVICES#11.1.2.0] [SRC_METHOD: execute:129] [SRC_CLASS: com.hyperion.css.web.action.CSSStatefulAction] Failed to process the request.
  [2010-12-14T09:16:16.365-06:00] [FoundationServices0] [NOTIFICATION] [EPMCSS-17306] [oracle.EPMCSS.CSS] [tid: 7] [userId: <anonymous>] [ecid: 0000In_T0hhDKeoLwUg8yW1D1Yoh00001J,0] [AP
  P: SHAREDSERVICES#11.1.2.0] [SRC_METHOD: ] [SRC_CLASS: ] [arg: native://nvid=af1814bfd20d7272:58ecdd0:12ce020823f:-7f66?GROUP] x
  [2010-12-14T09:16:17.473-06:00] [FoundationServices0] [ERROR] [EPMCSS-37000] [oracle.EPMCSS.CSS] [tid: 8] [userId: <anonymous>] [ecid: 0000In_T0z1DKeoLwUg8yW1D1Yoh00001K,0] [APP: SHAR
  EDSERVICES#11.1.2.0] [SRC_METHOD: execute:128] [SRC_CLASS: com.hyperion.css.web.action.CSSStatefulAction] Error while processing the request.[[
  java.lang.NullPointerException
  at com.hyperion.css.web.util.DTOFactory.createGroupDTO(DTOFactory.java:49)
  at com.hyperion.css.web.util.DTOFactory.createGroupDTOEscDoubleQuote(DTOFactory.java:75)
  at com.hyperion.css.web.action.EditGroupAssignGroupsFormAction.executeAction(EditGroupAssignGroupsFormAction.java:109)
  at com.hyperion.css.web.action.CSSStatefulAction.execute(CSSStatefulAction.java:119)
  at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:421)
  at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:226)
  at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1164)
  at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:415)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
  at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
  at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
  at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
  at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3594)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
  at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2202)
  at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2108)
  at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1432)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  I think its a bug and have opened an SR with oracle, but i'm curious what others out there are doing.
  Edited by: Javanator on Dec 14, 2010 10:25 AM

  Hi Dear
  Is this issue resolved? i too get the similar error in the log file . Please let me know if it is reolsved for you

• Issue with Migration of Users/groups in Essbase

  Hi,
  am trying to migrate the users specific to the application using Advanced option through Migration Wizard (EAS 716)..But i see the users with the application on old box and when i check it after migration, am not able to see the users related to that application..
  Moreover, i have copied the users specific to that application on old box into new box and after that tried of migrating the same application from old to new box...Even then am not able to see the users with application access..
  Is this the right approach which am following? or Kindly suggest me the best way of migrating users/groups...
  Thanks

  If you chose the advanced option, you should have no problem migrating users and groups along with the application. You probably may have omitted those groups or members from the list. When you migrate do not change anything except server, App and DB names.

• How do I migrate Cost Element Groups in a batch ?

  I want to migrate Cost Element Groups from 4.7 to ECC6. We've been exporting/importing them individually, but is there a faster way to grab multiple groups and move them to the new environment ?
  One thing of note is that the Chart of Accounts is changing between 4.7 and ECC6 and named differently.
  Edited by: Joe Malloy on Feb 19, 2008 9:35 PM

  Hi ,
  You can go on createing the
  Controlling -Cost Element AccountingCost Elements--
  Automatic Creation of Primary and Secondary Cost Elements--Make Default Settings
  Create Batch Input Session
  Execute Batch Input Session
  BY do this activite u can do the mass process of creating the cost elements.
  Hope this is clear know assign points
  With Regards
  Krishna Singareddy

• Implicit Fact and Group Security Filters

  Hi All,
  Can somebody confirm for me if the Group Security filter as specified under 'Hr Org-Based security' is supposed to be applied in answers when the only reference to the fact table is via its selection as the implicit fact within the presentation catalog.
  E.g User selects Dim1, Dim 2 and Fact Measure , the query is filtered correctly by users organisation, when the fact measure is removed, OBIEE keeps the same fact table within the generated SQL as it is the implicit fact used to join the two dimension tables together. The results this time are not filtered by organization and its possible to return dimension records for fact rows that are from a different Org - In this case the user can return absense start and end dates for employees outside of his org (Customer wants this prevented)
  Is this expected behaviour ?
  Thanks.

  Hi John
  Thanks for your suggestion
  I tried this and He still doesnt have write access
  He doesnt need to be able to lock and send values via essbase ... However when we are in planning, He cant submit data to the dimension members mentioned above.. i.e the cells are all green
  I have checked and doubled check the security on the dimension members (and form security) in the form that he cant edit
  Do you have any other suggestions?
  Thank you
  PD

• Migrate network object group members; risk

         We upgraded to new 5555 hardware and jumped from 8.2 to 9.1 last year. Our objects listing is now a bit messy. I have never run the "Migrate Network Object Group Members" menu option in asdm. I see what it is going to do, I am not sure it really helps me clean old objects, it seems low risk, but when I walk up to execution, there are a lot of changes it wants to make. We always save backup configurations but, if there are "gotchas" I don't want to put the company in that position. What has been the communities, Cisco's experience? Thanks for any feedback. jc

  John,
  if you feel that is risky, you can always go for plan B.
  - you can take closure look at the object groups and decide new object naming convention policy.
  - from ASDM or CSM, you can see overlapped or duplicate rules, so you can start with reducing them
  - you can see same services used in couple of rules with different service groups.
       - like object-group service WEB-PORTS tcp
                      port-object eq http
                      port-object eq https
               object-group service APPLICATION-PORTS tcp
                      port-object eq http
                      port-object eq https
                 object-group service APPS-PORT tcp
                      port-object eq www
                      port-object eq https
  - you can replace all these different object-group with one object group. like WEB-PORTS.
  - same way you can do excercise for network group as well.
  hope this helps.
  JD...

• How do I migrate the passwords from secured pdfs/their profiles to a new computer and new version of

  how do I migrate the passwords from secured pdfs/their profiles to a new computer and new version of acrobat?  I lost one computer that had standard 9, went to new computer, then upgraded to XI.  All my password profiles are not coming through.  How do I get them back?

  There is also a program called Senuti that I used when I had a PC crash with all my iTunes stuff on it:
  www.fadingred.com/Senuti

• Page & Page Group Security

  Looking for a fast way to check all the Page & Page Group Security? to see what they are all set to w/o having to go though everything manually.
  Thanks

  Did you ever find a solution to this?

• User and Group Security Provisioning

  Hi,
  I have a question regarding Group security in Planning. I am using EPM system 11. My basic question is, if I create a new Planning user (interactive user with no default access to dimensions), and assign that user to a Planning group, does the user automatically inherit all the dimension access assigned to that Group? From my experience, it seems that I must explicitly assign each User access to the dimensions they should be able to Read or Write, and that simply adding them to a group that has been given Write access to the Expense Account (for example) does not give a newly added user to that Group Write access.
  A quick note - when creating new Users, I first create and provision them in Shared Services. However, in order to be able to log in with them, I must recreate the user in EAS's User Directory. This seems redundant to make a user twice, but is the only way I am able to successful login with new users, otherwise the Planning login page says "failed to sync with user provisioning". I have not done this same procedure for the Groups I have created (i.e. I have made and provisioned the Groups in Shared Services, but not recreated them in EAS). Is it possible that this is why Users aren't inherittiing the access rights of the Group? I can provide more information if needed, any help or comments are appreciated. Thanks in advance.

  user3x3 wrote:
  1) EAS method is to open EAS, then open the Essbase Server Node, right-click on security, and click Externalize Users. When I do this there is no right-click option to externalize the users, and since it can only be done once and then not reversed I assume the previous administrator already did this. Since this is not availalbe, I must use the second method.
  If you log in with an administrator account you should see the "Externalize Users" option even if you have already externalized.
  I take it you did not configure your system, I take it was documented so you could have a look how it was configured.
  If essbase is on a different server than shared services then maybe the essbase server was not registered with the shared services registry when it was configured, that might the reason why you are getting the shared services error when you try to convert to shared services security, basically it doesn't know where shared services is. If that is the case then it will need to be configured again.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• User and group security

  Not sure if this fits here, but here goes...
  I have a subportal folder, with a community in side. Inside the community, I have groups. If I give one group the admin level authority, is it just for that community and all of its content, or is it the whole portal. The admin docs are very granular on user and group security throughout the various ways of applying it. WHat I am trying to do is give a group admin control over a singel community as well as full admin control of all groups in the communities admin folder. BUT just those things.
  thanks

  If I recall correctly, there is no inheritance of user and group rights in PT, at least not in 5.x. If you give some rights on a specific object/folder to a specific group, then it will be for that object only and none of its children.
  You do have a choice of propagating of user rights down the ownership tree however. I.e., if you select a community and set some rights for yourself, it will prompt you if you want to propagate the same permissions down the chain, to all of its children. If you say yes, it will replacepermissions on all its children by creating copies. If you say no, you'll have to go and apply different permissions on each child individually.
  Ruslan.

• Qaaws group security not migrated properly

  hi
  When migrating qaaws from dev to prod,
  unable to get the secuirty of Qaaws and some other objects
  accordingly,, not able to login to Qaaws client tool in prod env.
  Thanks in advance!

  848839 wrote:
  Does least restrictive permmission happens in case of membership of more than one group in OBIEE.Indeed it does. The most restrictive filters get applied if a user belongs to multiple groups that have filters at various levels of data because its always an AND clause in the where condition. This is the sort of behavior in various tools I have seen apart from OBIEE.
  Hope this helps.
  Regards,
  -Amith.

• Migrate the users, groups from essbase 7.1.6 to shared services

  Hi
  Our current production is essbase version 7.1.6 and we are planning to migrate to EPM 11.1.2 . We would like to move the security administration from Essbase to Shared Services (want to use Native Directory).
  can somebody please suggest
  1) An utility that Oracle provides with EPM 11.1.2 that helps to migrate the users and groups from 7.1.6 to shared services?
  2) After bringing the users groups from 7.1.6 to 11.1.2, do we need to externalize these users and groups or no need?
  Appreciate the help. Thanks,

  if you have LDAP/MSAD try to configure it first .That will get your users
  Now using maxl
  spool on to GROUP.txt
  display gruoup all;
  spool on to USER.txt
  display user in group all;
  for test purpose create a test group and a test user from the shared services.
  Now using GROUP.txt
  make up maxl statements to create groups(use any advanced text editor or MS excel to get your work done fast)
  create group 'groupname';
  now login into that shared services
  go to FOundation Application group->click sharedservices->drop down native directory ->Right click on Groups and select export for edit.THat will save you Groups.csv file.
  Now
  1.Open that Groups.csv file
  2.Using USER,txt ,paste the users in that file under their respective group.(Look for test group created that should give you an idea!!!)
  3.Paste user correctly and save it to the same file Groups.csv
  4.go to FOundation Application group->click sharedservices->drop down native directory ->Right click on Groups and select IMPORT for edit.
  5.that will get your users into the groups.
  ________filters_______
  Using maxl again
  spool on to FILTER.txt
  display filter row all;
  spool on to GRPRIVILEGE.txt
  display privilege group all;
  Now using FILTER.txt
  create maxl statements
  (use any advanced text editor or MS excel to get your work done fast)
  Ex: create filter app.database.filtername read/write/none/metaread on 'AREA ' ;
  Using GRPRIVILEGE.txt
  create maxl statements
  grant filter app.databse.filtername to 'groupname';
  that should get your filters created and assigned.
  else you can use Advanced Security Manger
  http://www.appliedolap.com/free-tools/advanced-security-manager
  hope that should give you an idea!!!!!!!

• Examples Of HSS User & Group Provisioning

  All,
  We are at the very beginning of a project to use a third-party security management application to push a file containing users to be included into HSS security groups using the HSS Import\Export utility.
  As such, I was wondering if someone could post examples of how to:
  1. Create a user into HSS;
  2. Put a user into one\more HSS security groups;
  3. Put one\more users into one\more HSS security groups;
  We had a look at the documentation but it's not very clear.
  Many thanks in advance,
  JB

  Can't have any more open questions

• Migration of Catalog Groups

  How can we migrate objects with the groups and privilieges intact across Catalogs in OBIEE 11g.

  In OBI groups manually created they cant be migrate, correct me if I'm wrong.
  If groups are available in target's catalog you need to archive and unarchive in online mode to get all security settings in target catalog as in source catalog.
  if helps mark