Shared Services External Authentication using LDAP in 9.3.1

I have installed Hyperion Shared Services with native directory, and am now planning to set up external authentication using LDAP. I need some guidance to understand how the external authentication works.
1. Is it possible to set up Shared Services to use both Native and LDAP user directories? What I mean is some users will be able to log in using Native directory, and some others will need to log in using User Directory (external authentication).
2. For User Directory (say we use LDAP), when the user is added into Shared Services, can they be assigned to Groups created in Native directory? We want to explore using just the external authentication and defining all of the groups within Shared Services.
If not possible, can we manage the Groups of the User directory using Shared Services? How do the groups work with external authentication?
Any feedback would be much appreciated.

Yes you can use both Native and external authentication. When you add the external provider the native is left by default anyway.
Yes you can add your external users to native groups. You can also provision the groups in the AD if you wish.

Similar Messages

  • Shared Services External Authentication

    Hi All,
    In Shared Services, under Defined User Directories, when I click on Add I am able to see "Relational Database(Oracle, DB2, SQL Server)"; does this mean we can configure Oracle db (as Oracle Apps) as external authentication?
    We are using Hyperion system 9.3.1.
    Thanks in Advance,

    User and Group information can be derived from Oracles system schema tables, read more about it at :-

  • Hyperion Shared Services -- External user containers getting missed out .

    Hi All ,
    In my Hyperion environment user authentication is done through native directory and also through External directories configured to LDAP - OIDM. Frequently the external containers disappear from the Shared Services console. But when I restart the services they sometimes come back. Sometimes it takes some time for them to be reflected again. I don't understand why this is happening. Quick help is appreciated.

    It was network problem

  • Sync Shared Services External users & Provisioning for Essbase Applications

    Hi Experts !!
    I have externalised user authentication in Shared Services. I provisioned all users for Essbase and refreshed the security from Essbase, so all users are working fine
    and can log in to Essbase and "Excel add-in" as well.
    But there is one user who is still not working for "Excel Add in".
    Error is "Login failed due to invalid login credentials"
    Please suggest the solutions.
    Thank you.

    Hi John !
    Yes, User can log in to EAS.
    Also User is available under Users in EAS, but no applications are displaying in Analytic Server, while I have given Administration Privileges for Essbase app.
    But still there is an error while logging in to Excel add-in.
    Error: Login failed due to invalid login Credentials.
    Also, after Provisioning, how can we sync all Externalized users from Shared Services itself for all Hyperion projects?
    Thank you

  • External authentication using Headervariable

    Hi SAP Experts
    We have configured External authentication for WEM using Headervariable. We are using BI Java 7.0.
    External authentication is working fine using Headervariable Login module for URL http://<WEb Server hostname>/irj which redirects to http://<J2EE hostname>:<port #>/irj
    As you all know, we also use http://<J2EE hostname>:<port #> from an Administration point of view, where many options are available like user management, SLD, Webdynpro, NetWeaver Administration etc. We have not configured this URL for External Authentication and also do not want to configure it, but when trying to access any administration option on this, the portal prompts the default logon page and after entering Portal UserID/Password we get a message like "No Loginmodules configured for Header"
    I do not know why the system displays this message.
    Please help me if anyone has experience resolving this issue, as we want to use URL http://<J2EE hostname>:<port #>, which should prompt the Portal Logon screen, and after entering Portal userid/password we should access the administration screen without affecting our External Authentication configuration for URL http://<WEb Server host>/irj
    Thanks in Advance
    Thanks with Regards
    Deelip Kumar

    Hi Deelip,
    my earlier post referred to an additional authscheme that you may have created. If you have done so, please remove it. If you have checked this, there still is a predelivered authscheme called header, which references a login stack called header. This login stack template does not exist as a default.
    In this case, you may have assigned this authscheme (header) to some component, like an iview. How this works is explained in the docs here and here for example.
    If you have done so, this reference to the authscheme header may trigger the lookup of the login stack template called header, which does not exist and thus leads to the error.
    For detailed error analysis, I would recommend to search the security log and the portal logs for indications where the source of this error might be.

  • External Authentication with LDAP

    Has anyone integrated external authentication of Essbase with LDAP? I've searched discussion groups and websites with no luck, and of course, Essbase documentation doesn't help either. Any additional documentation will help. Thanks in advance!

    Thanks for the info. Is this sample code part of the default implementation that comes installed with the product (essldap.dll)? Or is this something completely different? Also, has anyone done anything similar in Visual Basic? We have a shortage of VC++ skills around here. Thanks again!

  • Cisco ISE Admin Authentication using LDAP

    I have configured the LDAP and am able to retrieve our LDAP directory structure. Now, I am trying to point the 'Admin Access' authentication to "External Identity" Source which is the new LDAP IS I created. But I couldn't find an option to authenticate locally if for any reason the LDAP configuration doesn't work. I learnt that ISE can automatically revert to local auth provided the External Identity sources are unreachable. How can I test the LDAP authentication without breaking our Admin Access? I thought of opening two parallel sessions, one with Super Admin Local Account and the other with Domain account. But I noticed that ISE communication is smart enough to logoff/login any other sessions in different browsers, so basically I can't open two parallel sessions from the same machine to do the tests. Suggestions? Or am I missing something here?
    Many thanks in advance.

    Hi Srinivas,
    Even if you set up LDAP as an External Identity source for admin access, you can still fallback to Internal without getting locked out. As per the ISE user guide :
    During operation, Cisco ISE is designed to "fall back" and attempt to perform authentication from the internal identity database, if communication with the external identity store has not been established or if it fails. In addition, whenever an administrator for whom you have set up external authentication launches a browser and initiates a login session, the administrator still has the option to request authentication via the Cisco ISE local database by choosing "Internal" from the Identity Store drop-down selector in the login dialog.
    Please refer to the attached screenshot from my lab ISE:
    I have configured admin authentication against AD, but I still see both "Internal" and "AD" at the time of login.
    Hope this helps.

  • External authentication using MSAD

    how do you setup the user configuration?

    What do you mean with server portion, the MSAD or the Shared Services?
    You have to configure the MSAD for the use with Shared Services, after that you can provide the users from the MSAD right for the applications registered in shared services. You can do this via Web-Interface
    Here you can set the User-URL and Group-URL which are the ou from the MSAD.
    If you've already done that, can you see the users from MSAD in your Shared Services?

  • External authetication using LDAP

    We have implemented LDAP authentication. I am trying to write an xml that would check if the user is a member of a group, then and only then authenticates the users.

    Note: My code works fine for just authenticating users without the group check part.

    Tried using the group part of the xml; somehow it doesn't seem to work.

    <group>
      <url>ou=Groups</url>
      <nameAttribute>cn</nameAttribute>
      <objectclass>
        <entry>groupofuniquenames?uniquemember</entry>
        <entry>groupOfNames?member</entry>
      </objectclass>
    </group>

    Any advice?

    I believe Essbase does not support authenticating groups in LDAP
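
An added example, not part of the original posts and not Essbase or Shared Services code: a group check like the one the question describes comes down to an LDAP search filter. The Python below reads `<entry>` values as `objectclass?memberAttribute` (an assumption about that format) and builds the filter with RFC 4515 escaping, so a user DN or group name containing filter metacharacters cannot change the query; function names and sample DNs are constructed.

```python
from __future__ import annotations
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute and object class names: letters, digits and hyphen only.
_DESCRIPTOR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_group_entry(entry: str) -> tuple[str, str]:
    """Split 'objectclass?memberAttribute' (assumed meaning of <entry>)."""
    objectclass, sep, member_attr = entry.strip().partition("?")
    if not sep:
        raise ValueError(f"expected 'objectclass?attribute', got {entry!r}")
    for name in (objectclass, member_attr):
        if not _DESCRIPTOR.fullmatch(name):
            raise ValueError(f"invalid descriptor {name!r} in {entry!r}")
    return objectclass, member_attr


def membership_filter(entries, group_name, user_dn, name_attribute="cn") -> str:
    """Filter matching the named group only if user_dn is listed as a member.

    Search it under the group base (ou=Groups in the post); the group check
    passes only when the search returns an entry.
    """
    if not _DESCRIPTOR.fullmatch(name_attribute):
        raise ValueError(f"invalid name attribute {name_attribute!r}")
    safe_dn = escape_filter_value(user_dn)
    clauses = []
    for entry in entries:
        objectclass, member_attr = parse_group_entry(entry)
        clauses.append(f"(&(objectClass={objectclass})({member_attr}={safe_dn}))")
    if not clauses:
        raise ValueError("at least one objectclass entry is required")
    any_class = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&({name_attribute}={escape_filter_value(group_name)}){any_class})"


if __name__ == "__main__":
    # Constructed sample values; the two entries are the ones from the post.
    entries = ["groupofuniquenames?uniquemember", "groupOfNames?member"]
    print(membership_filter(entries, "EssbaseUsers",
                            "uid=jdoe,ou=People,dc=example,dc=com"))
    # A hostile group name stays inside its assertion value after escaping.
    print(membership_filter(entries, "x)(cn=*", "uid=jdoe,dc=example,dc=com"))
```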

  • Reg: Hyperion Upgradation from 7.1.x to 9.3.x and Shared Services...

    Hi Everybody,
    New to this forum and I want to know about upgrading Essbase from 7.1.x to 9.3.x... As I went through the PDF, it mentions that upgrading to 9.3.x from versions prior to release 9.2.x cannot be done directly... Here comes the migration/upgradation topic... Can we go ahead and install Essbase 9.3.x on a new box and migrate apps / dbs from the 7.1.x old box?
    One more thing... if we are using External authentication using LDAP in the 7.1.x version for security... will it be mandatory to implement Shared Services separately in System 9, or can we continue with native security mode without installing Shared Services... I have only Essbase and no other tools implemented...
    Hope you guys understand my queries!... If anybody can explain these two aspects... it will be of great help to me...
    Thanks for the help in advance!!

    You will have to migrate the Essbase server from 7.1.2 to 9.3.1
    The steps you will follow are as below: --
    1. Configure Essbase on new environment, 9.3.1 by using the same user as on 7.1.2 [THIS IS AN IMPORTANT STEP, TO MIGRATE SECURITY]
    1. Take data exports of all application/databases in old environment
    2. Take backups of all Essbase objects, including essbase.sec in old environment. Take security file backup after stopping Essbase 7.1.2
    3. Create the applications/databases with same name in new environment 9.3.1
    4. Copy the outlines and open outline in EAS in 9.3.1 and save them again.
    5. Copy all objects, rules, reports, calc for all applications.
    6. Stop Essbase, EAS in new environment and copy security file from old environment to new environment. Take backup of Essbase.sec on new environment
    7. Start Essbase 9.3.1
    8. Validate all databases using Esscmd "validate" command
    9. Reimport all data and run default calc on all applications.
    10. Now, you have the security in new Essbase server, as in old environment
    11. Externalize the security in EAS.
    Caution: When you migrate to Shared Services, Essbase users and groups are converted to equivalent roles
    in Shared Services. Shared Services creates a superuser with the user ID named “admin,” which
    is read-only. If Essbase contains a user ID named “admin”, that user ID cannot be migrated to
    Shared Services. Before migrating, change the “admin” user ID (for example, from “admin” to
    It is not compulsory to use shared services with Essbase 9.3.1, if you have Essbase only.
    But since it is the way to go, you will have to migrate your Essbase security to Shared Services.
    Let me know if it helps, by defining the reply as answered, Helpful or correct.

  • Using LDAP in 9.3.1, I can got the user list but can not use their password

    Hey guys, I need your help.
    I am using MSAD for Shared Services External Authentication.
    I configured the MSAD successfully.
    And I could find the user in the local domain. But I cannot use their password in Workspace.
    That means I could find the user in the local domain and do the provisioning job.
    But I cannot use their local domain password to log in to Workspace.
    Is there anything I missed when configuring Shared Services?
    Need your help.

    You may have trouble -
    if the password uses NATIONAL characters, such as letters like (я ч ъ ю)
    if the user, who has access from SS to AD, is under a "NATIONAL" folder
    p.s. my settings for AD
    Name: NTLM Domain NAME
    Hostname: x.x.x.x
    Port: 389
    Base DN: DC=NAME,DC=domain suffix
    User DN: CN=user_name, CN=Users Catalog
    Login: sAMAccountName
    Email: mail

  • How to extract external directory users from a shared services group from shared services RDBMS repository

    I have a security group in shared services, which has external directory users. I want to extract the list of users from shared services RDBMS repository using a SQL query. Please let me know if this is possible and from which table(s) I can query such list.

    You need to use CSS_Groups, CSS_GROUP_MEMBERS and CSS_USERS tables in your Foundation DB. Something like below will give you these details:
    select b.Name  ,a.Name  from HYPFOUND.CSS_GROUPS b ,
    GROUP BY (b.Name,

  • Essbase login failed & Cluster not available in Shared Services

    I have installed & configured the EPM in compact deployment mode i.e. deployed to Embedded weblogic server. Shared Services, Essbase, Planning & Reporting are installed successfully.
    I am able to login to Shared Services, Workspace & EAS console with my admin account. But I am unable to login to Essbase from EAS console, MAXL & ESSCMD.
    When I am logging with MAXL or EAS console, I am getting login failed error.
    Even EssbaseCluster-1 is not available under Application Groups in Shared Services. Only Reporting & Foundation are there.
    Please help me what went wrong.
    Edited by: Naveen Suram on Nov 6, 2012 3:25 AM

    [2012-11-06T14:40:41.071+05:30] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20001] [oracle.EPMCSS.CSS] [tid: 10] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.registry.RegistryManager] [SRC_METHOD: RegistryManager] Successfully initialized EPM System Registry access. This is a status messages. No action required.
    [2012-11-06T14:40:41.180+05:30] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20002] [oracle.EPMCSS.CSS] [tid: 10] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.EPMSystem] [SRC_METHOD: getInstance] Initializing Shared Services security instance using EPM System Registry. This is a status messages. No action required.
    [Tue Nov 06 14:40:25 2012]Local/ESSBASE0///776/Info(1051283)
    Retrieving License Information Please Wait...
    [Tue Nov 06 14:40:25 2012]Local/ESSBASE0///776/Info(1051286)
    License information retrieved.
    [Tue Nov 06 14:40:25 2012]Local/ESSBASE0///776/Info(1311019)
    Classpath during JVM initialization: [;C:\Oracle\Middleware\EPMSystem11R1\common\jlib\\epm_j2se.jar;C:\Oracle\Middleware\EPMSystem11R1\products\Essbase\EssbaseServer\java\essbase.jar;C:\Oracle\Middleware\EPMSystem11R1\products\Essbase\EssbaseServer\java\essbaseRegistry.jar]
    [Tue Nov 06 14:40:52 2012]Local/ESSBASE0///776/Info(1051199)
    Single Sign-On Initialization Succeeded !
    [Tue Nov 06 14:40:52 2012]Local/ESSBASE0///776/Info(1056815)
    Essbase 64-bit - Release 11.1.2 (ESB11.
    [Tue Nov 06 14:40:52 2012]Local/ESSBASE0///776/Info(1051232)
    Using [email protected] as the Essbase Locale
    [Tue Nov 06 14:40:54 2012]Local/ESSBASE0///776/Info(1056797)
    Incremental security backup started by SYSTEM. The file created is [C:\Oracle\Middleware\user_projects\epmsystem1\EssbaseServer\essbaseserver1\bin\ESSBASETS_1352193054.BAK]
    [Tue Nov 06 14:40:55 2012]Local/ESSBASE0///776/Info(1051134)
    External Authentication Module: [Single Sign-On] enabled
    [Tue Nov 06 14:40:55 2012]Local/ESSBASE0///776/Info(1051051)
    Essbase Server - started
    I am getting the following error in validation report:
    Validating Essbase Server connection to NAVEEN
    Error: Cannot connect to olap service. Cannot connect to Essbase Server. Error:Essbase Error(1051012): User native://DN=cn=911,ou=People,dc=css,dc=hyperion,dc=com?USER does not exist
    Recommended Action: Check Essbase Server is started.

  • Re: OBIEE integration with Hyperion shared services

    I am working on OBIEE authentication using Hyperion Shared Services. To achieve this I did the following steps:
    1) Registered the Shared Services in Answers using 'Manage EPM workspace'
    2) Modified config.xml to enable HSSauthenticator
    3) Modified instanceconfig.xml by adding external auth tags
    4) In rpd created an init block using custom authenticator.
    When I log in to Answers using a username and password from Hyperion Shared Services, it says invalid username/password.
    Log file says ' xxxxxx authentication failed in repository star, Odbc driver returned an error (SQLDriverConnectW)'
    Can someone explain to me if I am missing anything here? Is there anyone who has successfully implemented this before?

    I am fairly certain that this integration actually works in the other direction.
    That is from the Oracle Hyperion Workspace portal you need to log in and once you are in Workspace from the file menu an option for "Oracle Interactive Dashboards" should be available if all is configured correctly with the integration. That link will open up OBIEE and take the user directly into the dashboards without having to get prompted by the OBIEE login screen.
    If you have the BIC2Go image (Dan Vlamis' team, for Oracle BI 10g) you can see this integration's configuration and see it working correctly.
    I hope that helps

  • Shared services trouble shooting

    I installed 9.3.1 on my machine... Mistakenly my machine was shut down and the openLDAP service was corrupted. I do have a back-up of the Shared Services folder so I replaced the regular SS folder with that. Now the problem is I am unable to see Hyperion Planning, Reports, Business Rules to provision. I only have shared services>global rules. So I again registered Planning, Reports, EAS with Shared Services using the config utility... but I did not succeed. Is there any way to view all of them in the provision list, so that I can provision to different users? I didn't configure anything again (after the LDAP corruption) under Shared Services in the config utility. But the funny thing is I am able to log in to Planning as admin, but I am unable to see it in the Shared Services provision list... Can anyone tell me what exactly happened in the background of this?

    Have you tried running the sync option in Shared Services? This syncs the Shared Services repository with OpenLDAP.
    Administration > Sync Native Directory.
    I am not sure how successful it will be now that you have been registering and provisioning again, but it is worth a try.
