Shared Services: Role Assignment
When I try to assign the privilege of "Server Access" from Shared Services to a user, clicking on
Essbase:servername:1 -> Essbase:servername:1 the tree does not open, but opens Default Application Group -> Essbase:servername:1.
If I add the privilege of "Server Access" by:
Default Application Group -> Essbase:servername:1 -> Administrator -> Create/Delete Application -> Server Access
user can't access to Essbase from Excel.
in addition Essbase can not see the users created through Shared Services. Only the admin user is displayed.
I faced the same issue with the server access role. If I provision an Essbase Application role , the User can access the particular application. However the user can access the application by just provisioning the Application Role anyway. Then why is there such a role called Server Access? I am using 11.1.2.0 version.
Similar Messages
-
Shared services- Access Assign issue for Essbase
Hi All,
I need to associate Filter with a group in Shared Services, but when I go to Application Groups, right click on the Application name and select "Assign access control", but in the list of Groups that come in the very first window, i dont see all the grousp listed there, has anyoen seen thsi issue before and knows teh fix for it?We dont have direct Role provisioning to teh groups. Here we actualy have a group AllUsers and have added all other grousp as "GRoup membere" to thsi group/ Now this AllUsers group has teh roel provisioned to it. So in such a case, to see the grousp listed under "Assign Access Control" do they need to eb provisioned individually as well at group level, or teh above scenario that I mentioned also works fine?
-
Communicaton error in Shared Services when assigning a filter
Hi,
one of my customers encountered the following problem:
when trying to assign a filter to a group or a user in Shared Services, this message is displayed: "There was some communication error. Response is: http://12.238.204.24/interop/hyperion/hub/cas/web/eas/app/Adf.jsp <!DOCTYPE HTML PUBLIC ... bla bla HTML ..."
I don't understand this message.
Note that there are 3 environments, the dev server works, all services (EAS, EIS, SSH, Essbase server) are on the same virtual machine. Both test and production servers encounter that problem. For those 2 servers, the services are distributed on different VM. I suppose this is a clue...
Thanks for you help.
CyrilHi, got the same error message. I have 3 environments, one works, but not the other two. Did you reloved that problem?
Thanks -
Need help with Shared Services Role
Hello,
I am trying to create a Native Directory group which will allow the users extract all the Application Elements, but restrict them from loading anything to the system. This group should only have the ability to view the objects and not edit them. It should also have the extract functionality.
By removing the role 'Load System', we can restrict the users from loading the artifacts, but once this role is removed, the users are not able to extract the Application Elements (Security, Memberlists and Rules file).
Can you please let me know if there is any other way/setup that would allow the users to perform the required functinalities with out the 'Load System' role?
Any help would be appreciated.
Thanks,Sorry but I have the same issue and I cannot do anything...
We have to ask from the admin team to extract and send us the metadata....
Regards,
Thanos -
MaxL and Shared Services Roles
Does anyone know what the minimum level of security has to be to still be allowed to use create and execute MaxL code via EAS?
What do you want to do in the maxl.
If you have the role of "server access" then you can log into an essbase server with Maxl.
Then you need roles against apps depending on what you want to do.
Cheers
John
http://john-goodwin.blogspot.com/ -
MSAD Configuration with Shared Services
Hi,
I have just sucessfully configured MSAD to the HFM SS but 1 concern is that anyone with the domain suer login is able to login to shared service although limited function are available. Is there anyway to control other users except my users to login?
I do not want to use Native to create user as it will means another set of password to rememberr for the users, would prefer they use their normal domain accoutn to login.
ThanksIn addition to other comments, users can only make changes in Shared Services if they have Shared services roles assigned. Also, we use MSAD with both local and AD groups, and as long as you know the effective rights, it works out fine either way. The Shared services roles are listed below (Security Administrator's Guide pp 135-136):
Administrator: Provides control over all products that integrate with Shared Services. It enables more
control over security than any other Hyperion product roles and should therefore be
assigned sparingly. Administrators can perform all administrative tasks in User
Management Console and can provision themselves.
This role grants broad access to all applications registered with Shared Services. The
Administrator role is, by default, assigned to the admin Native Directory user, which is
the only user available after you deploy Shared Services.
Directory Manager: Creates and manages users and groups within Native Directory.
Do not assign to Directory Managers the Provisioning Manager role because combining
these roles allows Directory Managers to provision themselves.
The recommended practice is to grant one user the Directory Manager role and another
user the Provisioning Manager role.
LCM Manager: Runs the Artifact Life-Cycle Management utility to promote artifacts or data across product environments and operating systems
Project Manager: Creates and manages projects within Shared Services
Create Integrations: Creates Shared Services data integrations (the process of moving data between
applications) using a wizard.
For Oracle's Enterprise Performance Management Architect, creates and executes data
synchronizations.
Run Integrations: Views and runs Shared Services data integrations.
For Performance Management Architect, executes data synchronizations.
Dimension Editor ( includes Dimension Viewer and Interactive Editor):
Creates and manages import profiles for dimension creation. Also, creates and manages
dimensions manually within the Performance Management Architect user interface or the
Classic Application Administration option.
Required to access Classic Application Administration options for Financial Management
and Planning using Web navigation.
Dimension Viewer can read or view dimensions. This role automatically maps to the
Dimension Reader access on dimensions.
Interactive Editor can modify members within a dimension, and grants dimension writer
access to all dimensions. Does not allow users to delete dimensions.
Note: Dimension Viewer and Interactive Editor roles are reserved for future use.
Application Creator (includes Analytic Services Application Creator, Financial Management Application Creator, Planning Application Creator, External Application Creator): Creates and deploys Performance Management Architect applications. Users with this
role can create applications, but can change only the dimensions to which they have
access permissions.
Required, in addition to the Dimension Editor role, for Financial Management and
Planning users to be able to navigate to their product’s Classic Application Administration
options.
When a user with Application Creator role deploys an application from Performance
Management Architect, that user automatically becomes the application administrator
and provisioning manager for that application.
The Application Creator can create all applications.
The Analytic Services Application Creator can create Generic applications.
The Financial Management Application Creator can create Consolidation applications
and Performance Management Architect Generic applications. To create applications,
the user must also be a member of the Application Creators group specified in Financial
Management Configuration Utility.
The Planning Application Creator can create Planning applications and Performance
Management Architect Generic applications.
The External Application Creator can create external views and export application views
but cannot export the library.
Note: External Application Creator role is reserved for future use. -
IC WebClient Shared Services Business Roles
Dear All
I have a question regarding the some of the IC Webclient Shared Services roles provided by SAP.
I know that as of CRM 7.0 EHP 1.0 SAP provides separate roles for Accounting Interaction Center, Employee Interaction center and ITDS- IT HelpDesk Role along with a Shared Services Agent Role.
I want to know that is it recommended to combine the Accounting Interaction Center, Employee Interaction Center and IT HelDesk role into one role or the opporsite way of using separte roles for separate functions.
Thanks
TarangHello
Well...it depends.
If you want your agents to handle all types of calls and you don't have a big-big company with many employees and a big support desk, the best option (due to maintenance reasons) is keeping everything in a single business role with a multi account identification profile.
On the other hand, if you have agents with separate and independent account, IT and employee tasks and your business processes are different depending on who is on the phone, you need three different business roles.
So, to summarize, it depends on your project needs and your company size.
Regards
Joaquin -
Unable to use the Assign Access Control feature in shared services
Hi,
When I try to right click on the essbase applicaiton in Shared Services to assign access control( to assign a new filter) I keep getting the following error
" Internet cannot display the webpage" message with the following
This problem can be caused by a variety of issues, including:
Internet connectivity has been lost.
The website is temporarily unavailable.
The Domain Name Server (DNS) is not reachable.
The Domain Name Server (DNS) does not have a listing for the website's domain.
There might be a typing error in the address.
If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section
All the services are running file and I can create new users/ groups and also perform appication migration.
I'm using Hyperion 11.1.3.24 on windows 2003 r2.
Any help is appreciated. Thanks.
Regardsvs wrote:
John,
I tried the refresh button and nothing appears. I have created a group and gave it filter access. Now I'm trying to attach that filter to the group.
Appreciate your help.Can we replace backup .sec file for shared services?
For example: In planning if the .sec file corrupted then we replaced with old .sec file...rite...the same way can we do it in shared services?
I know if we replace the old sec in planning...it will take old securities only...
Edited by: Prabhas on Feb 12, 2013 9:27 PM -
Shared Services Delegated Admin
Hi,
I am trying to create a delegated administrator role in Shared Services for HFM. I have created the delegated list in Shared Services and assigned a manager to the group. However when I log-in as that user I am only able to view the groups I have assigned to the delegated list, I am not able to provision users to those groups.
Any ideas on what needs to be done so that group manager can provision users to the groups?You want to look at the Hyperion Security Administration Guide to understand Shared Service, Provisioning and External Authentication.
http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/hyp_security_guide.pdf
Brian Chow -
Hi all:
Essbase has been activated the security of users using shared services, but do not want to use more, according to documentation that is not possible.
how to do it? , or should be reinstalled essbase to cancel the utility?
thanksSo the first error is because the user can't be migrated -- this sort of makes sense.
Have you tried creating a dummy user, like TestUser1, in Shared Services, and then provision him to Essbase server access, and maybe read access to Sample.Basic? Does that work? I would leave out all group membership just to prove that you can do that.
If that works, have you tried creating a simple group (groups can have multiple levels of inheritance which can be really powerful but can get SNAFU'd as you are seeing) in Shared Services and assigned it to Sample.Basic? If that works, create another native user like TestUser2 and assign him to that group.
I guess I'm getting at an incremenatlist approach to see what breaks. If nothing works, then I would go for the scorched earth policy and try again with Essbase.sec -- you won't have much to lose.
Regards,
Cameron Lackpour -
Regarding Associating Company access directory to shared services
Hi All,
I have a requirement to associate active directory of company to shared services and assign those user ids to Essbase login ( i mean your NT login has to be Essbase login) If any one have any idea please let me know.
Thanks,
Ramesh.Hi,
Configuring Shared Services to use external directories is all documented here .
Cheers
John
http://john-goodwin.blogspot.com/ -
Administration Users from Shared Services...
Dear Experts,
Am using OEPM 11.1.1.2
I have one basic question on Shared Services Users...As we are using the default login of Essbase administration services after installation and configuration to
login to the server and this is already changed to Shared Services Security during Configuration..
My question is can we be able to create user related to EAS from Shared Services or still we need to use the same default 'admin'? If so,
In any case if i want to provide one user with only "create/delete applications" for Essbase....i will go and do it in Shared Services.....
but if i want to modify something in Essbase...i still need to use EAS for modifying the application/Database information
How can i create multiple users in EAS?
One More, i don't see any project for Essbase Administration Services like Essbase, APS created in Shared Services after the applications have moved to Shared Services Security Mode...Is this correct? Please clarify
Moreover, in my case userid "admin" is used for all the Application groups in Shared Services...So if i change the password for this "ID", will it reflect to all the application groups who are privileged to...
ThanksMy question is can we be able to create user related to EAS from Shared Services or still we need to use the same default 'admin'? If so,
In any case if i want to provide one user with only "create/delete applications" for Essbase....i will go and do it in Shared Services.....
but if i want to modify something in Essbase...i still need to use EAS for modifying the application/Database information
How can i create multiple users in EAS?
One More, i don't see any project for Essbase Administration Services like Essbase, APS created in Shared Services after the applications have moved to Shared Services Security Mode...Is this correct? Please clarify
Moreover, in my case userid "admin" is used for all the Application groups in Shared Services...So if i change the password for this "ID", will it reflect to all the application groups who are privileged to...
Firstly, Shared services is a centralized User management console for all hyperion applications. Once you externalize your security to shared services, You can create as many users as you want in shared services and assign him access to Essbase. How ever, You will have to go to EAS and do a "refresh security from shared services" for changes made to users in shared services to reflect in Essbase.
For projects to appear under shared services project list, you will have to register each product with the shared services.
If the same admin ID is used for all applications, Yes, the password change will reflect to all applications he has access to.
-Nra -
Task List Access Manager Role in Shared Services
Hi
The documentation says this role "Assigns task lists and tasks to other users". I have assigned this role to a group (in Shared Services), I have given that group Manage and Assign access to the Task List (in Planning), and have even done a security Refresh.
Yet, when I go in as a user who is in that group, I do not see the Assign Access button in Manage Task Lists.
Is this a bug or have I missed a step?
We are on 11.1.2.1
Thanks!Hi,
Have you tried generating a provisioning report in Shared Services, have a read of :- http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/html_cas_help/provrep.htm
If that doesn't suit your requirements then you could always have a look at using CSSImportExportUtility to export provisioning to a csv file. The utility is located in hyperion\common\utilities and has a pdf on instructions how to use it.
Cheers
John
http://john-goodwin.blogspot.com/ -
Assign Analytic Servers under Projects folder in Shared Services
Hello experts,
The problem is that: we are migrating dev environment to a new test environment. All is done, but when I try to assign "Administrator" role for Essbase server to an especific user, I can't see "Analytic Servers" option under Projects folder in Shared Services (where is Essbase server in dev environment).
How can I assign that role if I can't see Essbase server in Shared Services? Can I assign it? How?
Thanks for your time!
Best Regards
Edited by: user1654709 on 31-ago-2012 10:37Hi,
You can do the following:
1. Launch the MaxL Prompt and connect to Essbase Server using the Administrative user
2. Execute the following:
alter system resync sss;
alter application all reregister;
If the Essbase security is externalized, the above commands will execute successfully. If Essbase is not registered to Shared Services, then you execute the following command:
MAXL> display system security mode;
+.....If it is 1 then run the alter command:+
MAXL> alter system set sss_mode <ENFORCE-PWD-SPEC>;
Please read http://docs.oracle.com/cd/E17236_01/epm.1112/esb_tech_ref.pdf page 671 regarding <ENFORCE-PWD-SPEC> option to decide (depending on number of users on the system) what "password option" is best for you.
After successful, externalization of security, then execute again the following:
MAXL>alter system resync sss;
MAXL>alter application all reregister;
Hope it helps....
KosuruS
Edited by: KosuruS on Sep 6, 2012 12:02 PM
Edited by: KosuruS on Sep 6, 2012 12:03 PM -
Role Assignment Discovery Issue for Files and Folders through Sharepoint REST services
To preface, I am a decided Sharepoint newbie in every sense. I am trying to use the Sharepoint REST services (Sharepoint 2013) to walk the folder and file structure of my Sharepoint server and, determine as I go, the Role Assignments (and subsequently
Permissions) on those folders and files. I'm using an Administrator credentials and I'm actually able to successfully do it but I've run into some caveats. All the caveats begin with this; when I'm examining a folder, for example:
/_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/ListItemAllFields
I receive either an empty list or an error response doc when following the link supplied for ListItemAllFields. When following that kind of link for folders, I either get:
<d:ListItemAllFields
m:null="true"
/>
or an error response document that says "The object specified does not belong to a list." When I hit the /ListItemAllFields endpoint for files, I receive a response with a link for Role Assignments which subsequently also works and I get the
info I need. So, is this a bug? Why does the link returned from Sharepoint work for files and not folders? So, google, google, google, and I discover that there is another possible way to get at the Role Assignments (and that the object does, indeed, belong
to a list!).
If I know the Title (or the guid) of the folder in question, I can use the following endpoint:
/_api/Web/Lists/GetByTitle('Development')
If I use that endpoint, I get the information I would have expected to get from following /ListItemAllFields and the subsequent Role Assignments links all work and I get what I need. If there's a bug and this is how I have to work around it, that's fine
but I have yet to discover how to dynamically determine the Title of a given folder nor am I sure if all Titles are supposed to be unique within a given Sharepoint server. I'm assuming that the folder name as represented in the server relative URL and the
Title may be different and this is where my newbishness may start to shine if I'm misunderstanding what a "List" is supposed to be in Sharepoint. Anyway, I did find that I could use the Properties endpoint to perhaps get the Title, for example:
/_api/Web/GetFolderByServerRelativeUrl('/sites/cmisdev/Development')/Properties
gives me:
<d:vti_x005f_listtitle>Development</d:vti_x005f_listtitle>
whose value I assume I could then supply to the /GetByTitle endpoint and be golden. However, "vti_x005f_listtitle" just sounds a little too deep to be something I should be relying on but maybe that's kosher. That's part of what I'm trying to
find out. Also, if there is a way to use the Sharepoint REST API to discover the guid of a given object, then I could look it up in that way.
So, in summary:
1. Am I going about getting folder Role Assignment information in the wrong way? Based on the CSOM examples I've seen, I believe I'm doing it correctly and that the answer to #2 below is a resounding "Yes!" :)
2. Is it a bug if I'm not able to use /ListItemAllFields on folders using the server relative url?
3. If I'm supposed to use GetByTitle as a workaround, am I discovering that Title correctly through /Properties? Seems quite circuitous and awkward. Are Titles required to be unique throughout a given Sharepoint server?
4. If I'm supposed to use the guid, how can I use the REST interface to discover an object's guid? Once we get down to the Role Assignments and other links, the guid appears in those links but I don't know how to discover it independently if that's the
path I should use to get the data I described above.Upon further research, I'll answer my own question for the benefit of some other potential future newbie. The answer to question number 1 above is "Not exactly.". The server relative URLs I was using corresponded to lists (which are
returned as a collection through /_api/web/lists). I was treating them mentally like regular folders. That, coupled with the fact that accessing their data as I showed above returns a ListItemAllFields link, made me think that was the way to get
the Role Assignments just as I would for files and, as it turns out, "real" folders and sub-folders created under these lists. That was the other problem with thinking of these lists as regular folders. So, ListItemAllFields works on
all files and folders in a list. However, if you want Role Assignments for the lists themselves, you can keep track of the Titles and\or Guids from the /_api/web/lists that you're interested in (in my case, all non-hidden "document library"
type lists) and then access those Role Assignments as I discussed in questions 3 and 4 above. For example, from the /_api/web/lists collection from my test server, the "Development" document library Role Assignments are accessable via /_api/Web/Lists(guid'cd242eeb-aafa-4efa-aecc-9bbdf8e3d459')/RoleAssignments
or /_api/Web/Lists/GetByTitle('Development')/RoleAssignments.
Maybe you are looking for
-
I contacted Sony, who spent 90 minutes trying to help me fix this, to be told it is a problem with the program, not the computer. I have deleted every trace of the program then reloaded it, three times, with the same results every time. This all star
-
Hello! We have Solaris 10 box with latest patches connected to Storedge 6130 by FC. Storedge disks configured as RAID5 Our Oracle 10g (10.2.0.4) DB performance is terrible. Write speed reported by "zpool iostat" about 5 MB/s and "iostat" showing 100%
-
How can I display Account description text from country-specific CoA ?
The below quote is from the description of Country Chart of Accounts in OBY6. "The essential programs in General Ledger can output either the unique worldwide number or the country-specific number and the corresponding text." I am not able to figure
-
Network Time Server Specification
How do I specify a client computer to use a certain network time server if I have the service enabled on OS X Server?
-
Quicktime errors after effects cc2014
i've been getting quicktime errors in after effects cc14, windows 8.1, update 1. when importing a quicktime file that opens and plays in vlc, and quicktime player, i'm getting the error "After Effects error: file 'xxx.mov" cannot be imported this .mo