Task List Access Manager Role in Shared Services

Hi
The documentation says this role "Assigns task lists and tasks to other users". I have assigned this role to a group (in Shared Services), I have given that group Manage and Assign access to the Task List (in Planning), and have even done a security Refresh.
Yet, when I go in as a user who is in that group, I do not see the Assign Access button in Manage Task Lists.
Is this a bug or have I missed a step?
We are on 11.1.2.1
Thanks!

Hi,
Have you tried generating a provisioning report in Shared Services? Have a read of: http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/html_cas_help/provrep.htm
If that doesn't suit your requirements then you could always have a look at using CSSImportExportUtility to export provisioning to a CSV file. The utility is located in hyperion\common\utilities and has a PDF with instructions on how to use it.
Cheers
John
http://john-goodwin.blogspot.com/

Similar Messages

  • Integrate IdM roles with Sun Access Manager roles

    Hi all,
    I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
    I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
    What are the important differences between static and dynamic roles in AM?
    Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
    Thanks.

    I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
    About directory server roles:
    http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
    Forum thread reference:
    http://forums.sun.com/thread.jspa?threadID=5208694
    Here are roughly the steps I followed to get this working.
    Access Manager roles setup:
    1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
    Identity Manager roles setup:
    1. Create a new role in Identity Manager: tab Roles, click New....
    2. Assign the LDAP resource to synchronize the role with.
    3. On the Assigned Resources line, click the Set Attributes Values button. This shows the attributes listing, allowing you to bind your IdM role to your LDAP repository.
    4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
    * In the column Value override, select Text.
    * In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
    * In the text box, enter the role DN text (ex: cn=test_role,dc=com).
    5. Save the role. You can now add the role to a user.

  • Unable to access applications in workspace,shared services

    Hi,
    I am unable to access applications in Workspace and Shared Services on EPM 11.1.1.3. It happened after the normal shutdown/startup scripts were run.
    But when I reconfigure the WebLogic web server and run the services again I can access the applications. This is happening frequently now.
    Is this anything related to user profiles on the server, as we are migrating these to another server?
    Can anyone help me with this?
    Please find the Shared services log below:
    <22-Oct-2010 10:25:19 o'clock BST> <Notice> <WebLogicServer> <BEA-000395> <Following extensions directory contents added to the end of the classpath:
    D:\bea\weblogic92\platform\lib\p13n\p13n-schemas.jar;D:\bea\weblogic92\platform\lib\p13n\p13n_common.jar;D:\bea\weblogic92\platform\lib\p13n\p13n_system.jar;D:\bea\weblogic92\platform\lib\wlp\netuix_common.jar;D:\bea\weblogic92\platform\lib\wlp\netuix_schemas.jar;D:\bea\weblogic92\platform\lib\wlp\netuix_system.jar;D:\bea\weblogic92\platform\lib\wlp\wsrp-common.jar>
    <22-Oct-2010 10:25:21 o'clock BST> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with BEA JRockit(R) Version R27.4.0-90_CR358515-94243-1.5.0_12-20080118-1154-windows-ia32 from BEA Systems, Inc.>
    <22-Oct-2010 10:25:25 o'clock BST> <Info> <Management> <BEA-141107> <Version: WebLogic Server 9.2 MP3 Mon Mar 10 08:28:41 EDT 2008 1096261 >
    <22-Oct-2010 10:25:29 o'clock BST> <Emergency> <Management> <BEA-141151> <The admin server could not be reached at http://localhost:7001.>
    <22-Oct-2010 10:25:29 o'clock BST> <Info> <Configuration Management> <BEA-150018> <This server is being started in managed server independence mode in the absence of the admin server.>
    <22-Oct-2010 10:25:29 o'clock BST> <Info> <WebLogicServer> <BEA-000215> <Loaded License : D:\bea\license.bea>
    <22-Oct-2010 10:25:29 o'clock BST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
    <22-Oct-2010 10:25:29 o'clock BST> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
    <22-Oct-2010 10:25:30 o'clock BST> <Notice> <Log Management> <BEA-170019> <The server log file D:\Hyperion\deployments\WebLogic9\servers\SharedServices9\logs\SharedServices9.log is opened. All server side log events will be written to this file.>
    <22-Oct-2010 10:25:47 o'clock BST> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
    <22-Oct-2010 10:25:57 o'clock BST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STANDBY>
    <22-Oct-2010 10:25:57 o'clock BST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
    log dir isD:\Hyperion\logs\SharedServices9
    urlManifest zip:D:/Hyperion/deployments/temp/servers/SharedServices9/tmp/_WL_user/interop/tthmcu/war/WEB-INF/lib/interop-mmc.jar!/META-INF/MANIFEST.MF
    Shared Services Version: 11.1.1.3.24
    Shared Services Drop Number: 6
    Attempting to verify the database configuration
    Attempting to verify the database configuration
    Database configuration test passed.
    22 Oct 2010 10:26:38 - org.apache.slide.common.Domain - INFO - Auto-Initializing Domain
    22 Oct 2010 10:26:38 - org.apache.slide.common.Domain - INFO - Configuration found in classpath
    22 Oct 2010 10:26:38 - org.apache.slide.common.Domain - INFO - Domain configuration : {org.apache.slide.lock=true, org.apache.slide.versioncontrol=true, org.apache.slide.debug=false, org.apache.slide.search=true, org.apache.slide.security=true, org.apache.slide.urlEncoding=UTF-8, org.apache.slide.domain=D:/Hyperion/deployments/WebLogic9/SharedServices9/config/Domain.xml}
    configURL: file:///D:/Hyperion/deployments/WebLogic9/SharedServices9/config/CSS.xml
    Done initialize: com.hyperion.css.CSSAPIImpl@283baf
    connection pool registered:dbcpPool-org.apache.commons.pool.impl.GenericObjectPool@27efaa
    connection pool registered:dbcpPool-org.apache.commons.pool.impl.GenericObjectPool@454a3b
    CMSOfflineServlet Initialized
    Adding audit listener
    Shared Services Initialized Successfully
    <22-Oct-2010 10:26:56 o'clock BST> <Warning> <Log Management> <BEA-170011> <The LogBroadcaster on this server failed to broadcast log messages to the admin server. The Admin server may not be running. Message broadcasts to the admin server will be disabled.>
    <22-Oct-2010 10:26:56 o'clock BST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to ADMIN>
    <22-Oct-2010 10:26:56 o'clock BST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RESUMING>
    <22-Oct-2010 10:26:57 o'clock BST> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias hyperion from the jks keystore file D:\hyperion_SSL_Repository\hyperion.jks.>
    <22-Oct-2010 10:26:58 o'clock BST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file D:\bea\JROCKI~1\jre\lib\security\cacerts.>
    <22-Oct-2010 10:26:58 o'clock BST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 10.86.57.43:28443 for protocols iiops, t3s, ldaps, https.>
    <22-Oct-2010 10:26:58 o'clock BST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[1]" is now listening on 10.87.248.108:28443 for protocols iiops, t3s, ldaps, https.>
    <22-Oct-2010 10:26:58 o'clock BST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[2]" is now listening on 127.0.0.1:28443 for protocols iiops, t3s, ldaps, https.>
    <22-Oct-2010 10:26:58 o'clock BST> <Warning> <Server> <BEA-002611> <Hostname "127.0.0.1", maps to multiple IP addresses: 10.86.57.43, 10.87.248.108, 127.0.0.1>
    <22-Oct-2010 10:26:58 o'clock BST> <Warning> <Server> <BEA-002611> <Hostname "LGWHYPWEB.uk.baa.com", maps to multiple IP addresses: 10.86.57.43, 10.87.248.108, 127.0.0.1>
    <22-Oct-2010 10:26:58 o'clock BST> <Notice> <WebLogicServer> <BEA-000358> <Started WebLogic Independent Managed Server "SharedServices9" for domain "WebLogic9" running in Production Mode>
    <22-Oct-2010 10:26:58 o'clock BST> <Warning> <Server> <BEA-002611> <Hostname "LGWWEB026.uk.baa.com", maps to multiple IP addresses: 10.86.57.43, 10.87.248.108, 127.0.0.1>
    <22-Oct-2010 10:26:58 o'clock BST> <Warning> <JMX> <BEA-149510> <Unable to establish JMX Connectivity with the Adminstration Server AdminServer at <JMXServiceURL:null>.>
    <22-Oct-2010 10:26:58 o'clock BST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
    <22-Oct-2010 10:26:58 o'clock BST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
    <22-Oct-2010 10:27:08 o'clock BST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer LGWHYPWEB.uk.baa.com - 10.86.57.43 instead of an SSL handshake.>
    <22-Oct-2010 10:28:36 o'clock BST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer lgwdbs026.uk.baa.com - 10.86.41.33 instead of an SSL handshake.>
    22-Oct-2010 10:28:38, /files, HEAD, 401 "Unauthorized", 125 ms, %v
    22-Oct-2010 10:28:38, /files, HEAD, 200 "OK", 266 ms, %v
    22-Oct-2010 10:28:40, /files, HEAD, 401 "Unauthorized", 16 ms, %v
    22-Oct-2010 10:28:41, /files, HEAD, 200 "OK", 94 ms, %v
    22-Oct-2010 10:28:42, /files, HEAD, 401 "Unauthorized", 0 ms, %v
    22-Oct-2010 10:28:42, /files, HEAD, 200 "OK", 93 ms, %v
    22-Oct-2010 10:28:43, /files, HEAD, 401 "Unauthorized", 0 ms, %v
    22-Oct-2010 10:28:43, /files, HEAD, 200 "OK", 94 ms, %v
    22-Oct-2010 10:28:44, /files, HEAD, 401 "Unauthorized", 0 ms, %v
    22-Oct-2010 10:28:44, /files, HEAD, 200 "OK", 78 ms, %v
    22-Oct-2010 10:28:45, /files, HEAD, 401 "Unauthorized", 0 ms, %v
    22-Oct-2010 10:28:45, /files, HEAD, 200 "OK", 93 ms, %v
    22-Oct-2010 10:28:47, /files, HEAD, 401 "Unauthorized", 0 ms, %v
    22-Oct-2010 10:28:47, /files, HEAD, 200 "OK", 78 ms, %v
    22-Oct-2010 10:28:48, /files, HEAD, 401 "Unauthorized", 0 ms, %v
    22-Oct-2010 10:28:48, /files, HEAD, 200 "OK", 78 ms, %v
    <22-Oct-2010 10:29:40 o'clock BST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer lgwapp026.uk.baa.com - 10.86.51.104 instead of an SSL handshake.>
    <22-Oct-2010 10:30:16 o'clock BST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer lgwapp026.uk.baa.com - 10.86.51.104 instead of an SSL handshake.>
    <22-Oct-2010 10:32:25 o'clock BST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer LGWHYPWEB.uk.baa.com - 10.86.57.43 instead of an SSL handshake.>
    22-Oct-2010 10:32:43, /files, HEAD, 401 "Unauthorized", 0 ms, %v
    22-Oct-2010 10:32:43, /files, HEAD, 200 "OK", 78 ms, %v
    22-Oct-2010 10:32:44, /files, HEAD, 401 "Unauthorized", 0 ms, %v
    22-Oct-2010 10:32:44, /files, HEAD, 200 "OK", 63 ms, %v
    22-Oct-2010 10:32:45, /files, HEAD, 401 "Unauthorized", 0 ms, %v
    22-Oct-2010 10:32:45, /files, HEAD, 200 "OK", 63 ms, %v
    <22-Oct-2010 10:32:46 o'clock BST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer LGWHYPWEB.uk.baa.com - 10.86.57.43 instead of an SSL handshake.>
    <22-Oct-2010 10:34:00 o'clock BST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer LGWHYPWEB.uk.baa.com - 10.86.57.43 instead of an SSL handshake.>
    <22-Oct-2010 10:35:28 o'clock BST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer LGWHYPWEB.uk.baa.com - 10.86.57.43 instead of an SSL handshake.>
    log dir isD:\Hyperion\logs\SharedServices9
    urlManifest zip:D:/Hyperion/deployments/temp/servers/SharedServices9/tmp/_WL_user/interop/tthmcu/war/WEB-INF/lib/interop-mmc.jar!/META-INF/MANIFEST.MF
    Shared Services Version: 11.1.1.3.24
    Shared Services Drop Number: 6
    Populating Application Info
    Getting LCM callback info from Registry for product: HUB
    LCM Callback: https://LGWWEB026.uk.baa.com:28443/interop/framework/lcm/HSSMigration
    Populating Product Info
    Thanks in advance
    Edited by: 790426 on 25-Oct-2010 06:17

    You must first check if you have configured the web server to include the hfm/planning products.
    Then you can refer to the thread below:
    Not able to see Consolidation Administration
    The latter definitely applies to version 9.3.1, but it could be helpful.
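The Shared Services log posted in the question above can be triaged mechanically before reading it line by line. The following is an added example, not code from the thread or from Oracle: it groups WebLogic entries by severity and pulls out the conditions that log reports (admin server unreachable, managed server independence mode, plaintext HTTP arriving on the SSL listener). The sample lines are constructed in the format of the posted log with placeholder host names and addresses, and the function name `triage` is hypothetical.

```python
import re
from collections import Counter

# <timestamp> <Severity> <Subsystem> <BEA-nnnnnn> <message>; the message itself
# may contain angle brackets, so only the final ">" closes it.
WLS_LINE = re.compile(
    r"^<(?P<ts>[^>]+)> <(?P<severity>\w+)> <(?P<subsystem>[^>]+)> "
    r"<(?P<msgid>BEA-\d+)> <(?P<message>.*)>$"
)
# Request lines as they appear in the posted log: timestamp, path, method, status.
ACCESS_LINE = re.compile(
    r'^\S+ \S+, (?P<path>\S+), (?P<method>\w+), (?P<status>\d{3}) "[^"]*", \d+ ms'
)
PLAINTEXT_PEER = re.compile(r"from peer (?P<host>\S+) - (?P<ip>\S+) instead of")
ADMIN_URL = re.compile(r"could not be reached at (?P<url>\S+)")

# Constructed sample in the format of the posted log (placeholder hosts and IPs).
SAMPLE_LOG = """\
<22-Oct-2010 10:25:29 o'clock BST> <Emergency> <Management> <BEA-141151> <The admin server could not be reached at http://localhost:7001.>
<22-Oct-2010 10:25:29 o'clock BST> <Info> <Configuration Management> <BEA-150018> <This server is being started in managed server independence mode in the absence of the admin server.>
<22-Oct-2010 10:26:58 o'clock BST> <Warning> <JMX> <BEA-149510> <Unable to establish JMX Connectivity with the Adminstration Server AdminServer at <JMXServiceURL:null>.>
<22-Oct-2010 10:27:08 o'clock BST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer web01.example.test - 192.0.2.10 instead of an SSL handshake.>
<22-Oct-2010 10:28:36 o'clock BST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer db01.example.test - 192.0.2.20 instead of an SSL handshake.>
22-Oct-2010 10:28:38, /files, HEAD, 401 "Unauthorized", 125 ms, %v
22-Oct-2010 10:28:38, /files, HEAD, 200 "OK", 266 ms, %v
22-Oct-2010 10:28:40, /files, HEAD, 401 "Unauthorized", 16 ms, %v
<22-Oct-2010 10:32:25 o'clock BST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer web01.example.test - 192.0.2.10 instead of an SSL handshake.>
Shared Services Initialized Successfully
"""


def triage(text):
    """Summarise a Shared Services / WebLogic console log."""
    report = {
        "by_severity": Counter(),      # WebLogic entries per severity
        "admin_unreachable": [],       # URLs from BEA-141151
        "independence_mode": False,    # BEA-150018 seen
        "plaintext_peers": Counter(),  # (host, ip) sending HTTP to the SSL port
        "unanswered_401": 0,           # 401s with no later success on same path
        "unparsed": 0,                 # application lines in neither format
    }
    pending = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = WLS_LINE.match(line)
        if entry:
            report["by_severity"][entry["severity"]] += 1
            msgid, message = entry["msgid"], entry["message"]
            if msgid == "BEA-141151":
                found = ADMIN_URL.search(message)
                if found:
                    report["admin_unreachable"].append(found["url"].rstrip("."))
            elif msgid == "BEA-150018":
                report["independence_mode"] = True
            elif msgid == "BEA-090475":
                peer = PLAINTEXT_PEER.search(message)
                if peer:
                    report["plaintext_peers"][(peer["host"], peer["ip"])] += 1
            continue
        request = ACCESS_LINE.match(line)
        if request:
            # Assumption: a 401 followed by a success on the same path and
            # method is a challenge and its authenticated retry.
            key = (request["path"], request["method"])
            status = int(request["status"])
            if status == 401:
                pending[key] += 1
            elif status < 400 and pending[key] > 0:
                pending[key] -= 1
            continue
        report["unparsed"] += 1
    report["unanswered_401"] = sum(pending.values())
    return report


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Peers listed under `plaintext_peers` are the components to check for an http:// URL that points at the SSL port.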

  • Missing roles in Shared Services 9.3.1

    We are going through an install of 9.3.1 at a client's site. Planning is working correctly with Shared Services, but Financial Reporting is throwing this error found in SharedServices_security.log:
    2008-05-02 11:53:50,718 [ExecuteThread: '13' for queue: 'weblogic.kernel.Default'] WARN com.hyperion.css.spi.impl.nv.NativeProvider.getHierarchicalRoleTree(Ljava.util.Map;Ljava.lang.String;Lcom.hyperion.css.common.CSSRoleNode;Ljava.lang.String;Lcom.hyperion.css.spi.util.jndi.CSSDirContext;Ljava.util.Locale;Ljava.util.ResourceBundle;)V(Optimized Method) - Exception getting Child Roles in hierarchy due to Illegal or invalid id.dflt passed in. Please check the argument.
    When attempting to connect from Financial Reporting Studio or Workspace we get an error stating:
    "You are not authorized to use this functionality. Contact your administrator."
    We are running WebLogic 8.1 service pack 4 on Windows Enterprise server 2003 sp1.
    If anyone has seen or worked through this error, please respond.

    Got resolution on the error. Look for css-9_3_1.dll in HYPERION_HOME\common\css\9.3.1\bin on the server where Financial Reporting is installed. This dll enables FR to communicate with NTLM. Oracle support stated that "This dll is not included in the PATH by default because nobody uses NTLM anymore." When I asked them why it was not documented despite the fact that NTLM continues to be listed prominently as a supported authentication repository, they had no reply. Watch for this one to bite you!!!

  • Essbase Application Doesn't show up in Selected Roles in shared services

    Hello all,
    I have a few Essbase applications which do not show up in the "Selected roles" column in Shared Services though the user has been provisioned with the application. In fact the provisioned users can access the application based on the provisioning, but I as an administrator do not see it there in the selected roles department. Again, this is only in the "Selected roles" column, meaning I can see it in the "Available roles" column. The application has been registered in EAS and I have also refreshed the security in EAS. We are on 11.1.1.4. Any ideas anyone?
    Thanks,
    Ted.
    Edited by: Teddd on Jan 10, 2013 9:43 AM

    Working with Oracle on it, they think it is a bug.

  • Unable to use the Assign Access Control feature in shared services

    Hi,
    When I try to right-click on the Essbase application in Shared Services to assign access control (to assign a new filter), I keep getting the following error:
    "Internet cannot display the webpage" message with the following:
    This problem can be caused by a variety of issues, including:
    Internet connectivity has been lost.
    The website is temporarily unavailable.
    The Domain Name Server (DNS) is not reachable.
    The Domain Name Server (DNS) does not have a listing for the website's domain.
    There might be a typing error in the address.
    If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section
    All the services are running fine and I can create new users/groups and also perform application migration.
    I'm using Hyperion 11.1.3.24 on windows 2003 r2.
    Any help is appreciated. Thanks.
    Regards

    vs wrote:
    John,
    I tried the refresh button and nothing appears. I have created a group and gave it filter access. Now I'm trying to attach that filter to the group.
    Appreciate your help.
    Can we replace the backup .sec file for Shared Services?
    For example: in Planning, if the .sec file is corrupted then we replace it with the old .sec file, right? Can we do it the same way in Shared Services?
    I know if we replace the old .sec in Planning, it will take the old securities only...
    Edited by: Prabhas on Feb 12, 2013 9:27 PM

  • Access Manager 6 2005Q1 naming service behind load balancer

    Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
    Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP) for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
    All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
    The load balancer VIP is setup in active/failover mode so all requests go to one server. We implemented it this way because our load balancers do not support SSL with cookies.
    The data returned to the agent from a call to the naming service contains the host name of our AM hosts instead of the load balancer VIP. Subsequent calls from the agent to AM bypass the load balancer and go directly to one of the AM hosts.
    We are looking to upgrade our load balancers to a version that supports cookies with ssl in order to take advantage of the second AM host.
    How do we configure AM so the values returned by the naming service contain the load balancer VIP instead of the actual AM host names?

    Bernhard,
    We have upgraded our Web PA to version 2.1-09. One of your previous replies stated the com.iplanet.am.naming.ignoreNamingservice property was not available in the PA agent properties but only in the Java SDK. Indeed we do not see such a key in the new Web PA AMAgent.properties.
    Can you please explain how to configure the AMAgent.properties and/or the Access Manager server (or properties) so that subsequent calls to the services (returned by the call to the naming service) get directed through the load balancer? Below are the settings in our AMAgent and AMConfig properties files:
    AMAgent.properties
    com.sun.am.namingURL = https://lb-mydomain.com:443/amserver/namingservice
    com.sun.am.policy.am.loginURL = https://lb-mydomain.com:443/amserver/UI/Login
    AMConfig.properties
    com.iplanet.am.server.protocol=https
    com.iplanet.am.server.host=am.mydomain.com
    com.iplanet.am.server.port=443
    com.iplanet.am.console.protocol=https
    com.iplanet.am.console.host=lb-mydomain.com
    com.iplanet.am.console.port=443
    com.iplanet.am.profile.host=lb-mydomain.com
    com.iplanet.am.profile.port=443
    com.iplanet.am.naming.url=https://lb-mydomain.com:443/amserver/namingservice
    com.iplanet.am.notification.url=https://lb-mydomain.com:443/amserver/notificationservice
    If we set com.iplanet.am.server.host=lb-mydomain.com we get an exception when trying to start the AM web container. I don't know if this may be part of our issue or not. Please comment.
    Thanks,
    Craig

  • Using IBM Tivoli Access Manager to Secure Tuxedo Services

    Wondering if anybody has any experience using 'IBM Tivoli Access Manager for e-business' to perform tuxedo service authorization ?
    Is there an out-of-the-box integrated solution available or does one have to basically build a security service that use the Tivoli Access Manager APIs to determine if the user is authorized to invoke service?
    Thanks,

    Hi,
    I followed the steps of establishing SSO using TAM for OBIEE application.
    Below is the piece of code that I had inserted in the "instanceconfig.xml" to enable SSO:
    <Listener>
      <!-- other settings ... -->
    </Listener>
    <CredentialStore>
      <CredentialStorage type="file" path="<OracleBIData>/web/config/credentialstore.xml" passphrase="another"/>
    </CredentialStore>
    <!-- other settings ... -->
    <Auth>
      <SSO enabled="true">
        <ParamList>
          <!-- IMPERSONATE param is used to get the authenticated user's username and is required -->
          <Param name="IMPERSONATE" source="httpHeader" nameInSource="iv-user"/>
        </ParamList>
        <!-- Optional. Replace the URLs with actual logoff/logon URL -->
        <LogonUrl>http://pkmslogin</LogonUrl>
        <LogoffUrl>http://pkmslogout</LogoffUrl>
      </SSO>
    </Auth>
    My credential store file looks like the one below:
    <sawcs:credential type="usernamePassword" alias="impersonation">
    <sawcs:username>USER</sawcs:username>
    <sawcs:password>password</sawcs:password>
    </sawcs:credential>
    In the above code I am trying to get the user ID of a user, who has already been authenticated by the Windows desktop authentication mechanism, through the header of the application's URL.
    But then I try creating a junction using TAM and access the application through the junction, and I still get the logon page of the OBIEE application...
    Can anyone help me out with this issue?
    Thanks in Advance...

  • Assign Access Manager roles to end users?

    Hello,
    I am looking for information on how to assign an AM role to an end-user that is provisioned from IDM 7 to AM 7.1 using the AM resource adapter.
    We are modeling our IDM to AM provisioning based on this BigAdmin guide:
    http://www.sun.com/bigadmin/features/articles/id_access_integration.pdf
    However, in that document, it appears that the end user role is manually assigned to the user after provisioning to AM. We wish to do this role assignment in IDM, and have IDM push the assignment to AM (and by extension, the LDAP directory).
    Is this possible when using the AM resource adapter?
    Regards,
    Dillon

    Certainly.
    My role definitions look like this in the RoleAttributes section (you can configure this through the GUI in Roles > [rolename] > Set Attribute Values)
    <RoleAttribute name='RoleName:#ID#SunAccessManagerResource:roleMemberships'>
    <AttributeName>roleMemberships</AttributeName>
    <AttributeValueString>
    <List>
    <String>AMRoleName</String>
    </List>
    </AttributeValueString>
    <Requirement>Authoritative merge with value, clear existing</Requirement>
    <ResourceRef>
    <ObjectRef type='Resource' id='#ID#SunAccessManagerResource' name='SunAccessManagerRealm'/>
    </ResourceRef>
    </RoleAttribute>
    What this will do is set the nsRoleDN attribute (renamed as 'roleMemberships' by the adapter) in the assigned resource account for the user; the requirement field I've set to auth-merge-with-value, but you may want to play about with other settings.

  • HFM roles in shared services

    We have several users that need to be able to consolidate and translate without all other admin functions.  Have tried to create a group and individually provision users with consolidate all but does not give consolidation ability unless given app admin.
    How do we give them only the ability to consolidate and translate?

    Try the FM Forum - https://forums.oracle.com/community/developer/english/business_intelligence/performance_management_applications/financial_consolidation
    FM HSS Roles - http://docs.oracle.com/cd/E40248_01/epm.1112/hss_security_user_role/frameset.htm?apas05.html
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Shared Services 11.1.2 + Provisioned Roles for Business Rules not reflectin

    Hi,
    I have provisioned users to have the 'Basic' role in Shared Services for Business Rules. We are using Calc Manager + a classic Planning app. However, users are unable to see the business rules associated with the forms, due to which the rules don't run on save. Is there an intermediary step which I am overlooking?
    Regards,
    N

    Please ignore this question. I guess I posted in the wrong place. Not sure how to remove the thread.

  • Shared services Access

    Dear all,
    I have given access to a user in Shared Services as administrator for the Planning application, but he is still able to see Calculation Manager and is able to open the EAS console as well.
    Please advise. I want to give full access to the Planning application only, not to EAS or Calc Manager.
    Thanks,
    KK

    He'll be able to see only Planning application in EAS. If not you've to go back and check his provisioning.
    Regards
    Celvin
    http://www.orahyplabs.com

  • Problem with Business Rules access from Shared Services

    Hello,
    When trying to access Business Rules from Shared Services (expand Business Rules and click on the application) I get the "Refer to the Security Guide to configure security permissions for this application" message, but the user is fully provisioned for Business Rules. It happens even when logged on as admin. Access from Administration Services works fine. The version is Hyperion System 9 (9.3.0.1). What is wrong? Help, please.
    Thanks,
    Timur

    You can't access Business Rules from Shared Services. This is no different from any other application - Planning, Essbase, etc. You can provision users to the application roles, but you can't actually do anything with the application, other than security, in Shared Services. You use Admin Services to maintain Business Rules.

  • Network Access Manager - Service (Secure Mobility Client)

    We are currently working on Deploying the Secure Mobility Client.
    1. We are looking at the ability to stop the Network Access Manager without admin rights. According to the Cisco documentation on this:
    "Stopping and Starting the Network Access Manager"
    Users with local administrator privileges can start and stop the Network Access Manager. Users without local administrator privileges cannot start and stop the Network Access Manager without using the service password defined in the Authentication panel of the profile editor.
    Question: I am unable to find the said option in the Authentication panel in the profile editor.
    2. Since we will be using NAM for all of our computers, and since some users will not be using the VPN, we will need to push out profiles to the users (this is easy, however we are concerned about updates and getting those pushed). A colleague shared that he heard at Cisco Live2011 that there is an option in NAM to update its profiles by connecting to the VPN headend without actually authenticating and logging into the VPN.
    I know if a user connects to the VPN Headend we can update the profiles on NAM/VPN etc... however without them connecting I'm not sure if there is any way to do so?

    Hi Alwin,
    There is nothing to be done with your AnyConnect client. If needed, changes need to be done at the VPN FW/router where your AnyConnect connection is established. Here I guess your corporate office is hosting this VPN server.
    They have configured it in tunnel-all mode, meaning all traffic will be taken through the VPN. See from your output that the preferred default route is pointed to 192.168.0.101, which is a VPN gateway.
    If needed, the AnyConnect VPN configuration needs to be changed from tunnel-all to split-tunnel.
    Active Routes:
    Network Destination    Netmask    Gateway         Interface        Metric
    0.0.0.0                0.0.0.0    192.168.0.1     192.168.0.101    20
    0.0.0.0                0.0.0.0    146.236.12.1    146.236.12.73    2
    Regards
    Karthik

  • MSAD Configuration with Shared Services

    Hi,
    I have just successfully configured MSAD to the HFM SS, but one concern is that anyone with a domain user login is able to log in to Shared Services, although limited functions are available. Is there any way to prevent users other than my users from logging in?
    I do not want to use Native to create users as it will mean another set of passwords to remember for the users; I would prefer they use their normal domain account to log in.
    Thanks

    In addition to other comments, users can only make changes in Shared Services if they have Shared services roles assigned. Also, we use MSAD with both local and AD groups, and as long as you know the effective rights, it works out fine either way. The Shared services roles are listed below (Security Administrator's Guide pp 135-136):
    Administrator: Provides control over all products that integrate with Shared Services. It enables more control over security than any other Hyperion product roles and should therefore be assigned sparingly. Administrators can perform all administrative tasks in User Management Console and can provision themselves. This role grants broad access to all applications registered with Shared Services. The Administrator role is, by default, assigned to the admin Native Directory user, which is the only user available after you deploy Shared Services.
    Directory Manager: Creates and manages users and groups within Native Directory. Do not assign to Directory Managers the Provisioning Manager role because combining these roles allows Directory Managers to provision themselves. The recommended practice is to grant one user the Directory Manager role and another user the Provisioning Manager role.
    LCM Manager: Runs the Artifact Life-Cycle Management utility to promote artifacts or data across product environments and operating systems.
    Project Manager: Creates and manages projects within Shared Services.
    Create Integrations: Creates Shared Services data integrations (the process of moving data between applications) using a wizard. For Oracle's Enterprise Performance Management Architect, creates and executes data synchronizations.
    Run Integrations: Views and runs Shared Services data integrations. For Performance Management Architect, executes data synchronizations.
    Dimension Editor (includes Dimension Viewer and Interactive Editor): Creates and manages import profiles for dimension creation. Also, creates and manages dimensions manually within the Performance Management Architect user interface or the Classic Application Administration option. Required to access Classic Application Administration options for Financial Management and Planning using Web navigation.
    Dimension Viewer can read or view dimensions. This role automatically maps to the Dimension Reader access on dimensions.
    Interactive Editor can modify members within a dimension, and grants dimension writer access to all dimensions. Does not allow users to delete dimensions.
    Note: Dimension Viewer and Interactive Editor roles are reserved for future use.
    Application Creator (includes Analytic Services Application Creator, Financial Management Application Creator, Planning Application Creator, External Application Creator): Creates and deploys Performance Management Architect applications. Users with this role can create applications, but can change only the dimensions to which they have access permissions. Required, in addition to the Dimension Editor role, for Financial Management and Planning users to be able to navigate to their product's Classic Application Administration options. When a user with Application Creator role deploys an application from Performance Management Architect, that user automatically becomes the application administrator and provisioning manager for that application.
    The Application Creator can create all applications.
    The Analytic Services Application Creator can create Generic applications.
    The Financial Management Application Creator can create Consolidation applications and Performance Management Architect Generic applications. To create applications, the user must also be a member of the Application Creators group specified in Financial Management Configuration Utility.
    The Planning Application Creator can create Planning applications and Performance Management Architect Generic applications.
    The External Application Creator can create external views and export application views but cannot export the library.
    Note: External Application Creator role is reserved for future use.
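The role guidance quoted above (do not combine Directory Manager with Provisioning Manager, assign Administrator sparingly) can be checked against exported provisioning data, including roles inherited through nested groups. The following is an added example, not part of the original post or of Oracle's tooling; the two-table CSV layout, the user and group names and the function names are assumptions made for the illustration and do not reproduce the CSSImportExportUtility export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; the column layout is an assumption for this example.
MEMBERSHIPS_CSV = """member,group
alice,DirAdmins
bob,Provisioners
carol,HelpDesk
HelpDesk,DirAdmins
HelpDesk,Provisioners
dave,LoopA
LoopA,LoopB
LoopB,LoopA
"""

PROVISIONING_CSV = """principal,role
DirAdmins,Directory Manager
Provisioners,Provisioning Manager
alice,Provisioning Manager
admin,Administrator
LoopB,Administrator
erin,Project Manager
"""

# Per the guide text: holding both lets a Directory Manager provision themselves.
CONFLICTING_ROLES = {"Directory Manager", "Provisioning Manager"}


def load(memberships_csv, provisioning_csv):
    """Return (member -> parent groups, principal -> directly assigned roles)."""
    parents = defaultdict(set)
    for row in csv.DictReader(io.StringIO(memberships_csv)):
        parents[row["member"]].add(row["group"])
    direct = defaultdict(set)
    for row in csv.DictReader(io.StringIO(provisioning_csv)):
        direct[row["principal"]].add(row["role"])
    return parents, direct


def effective_roles(principal, parents, direct):
    """Return {role: [principals carrying the direct assignment]}.

    Walks group membership transitively; the 'seen' set keeps the walk
    finite when groups are nested in a cycle.
    """
    seen, stack = set(), [principal]
    roles = defaultdict(set)
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for role in direct.get(current, ()):
            roles[role].add(current)
        stack.extend(parents.get(current, ()))
    return {role: sorted(sources) for role, sources in roles.items()}


def audit(memberships_csv, provisioning_csv):
    """Flag users with the conflicting role pair and list Administrator holders."""
    parents, direct = load(memberships_csv, provisioning_csv)
    groups = {g for parent_set in parents.values() for g in parent_set}
    users = (set(parents) | set(direct)) - groups
    conflicts, administrators = {}, []
    for user in sorted(users):
        roles = effective_roles(user, parents, direct)
        if CONFLICTING_ROLES.issubset(roles):
            # Record where each role comes from so the fix can target the
            # group or direct assignment that introduces it.
            conflicts[user] = {r: roles[r] for r in sorted(CONFLICTING_ROLES)}
        if "Administrator" in roles:
            administrators.append(user)
    return {"sod_conflicts": conflicts, "administrators": administrators}


if __name__ == "__main__":
    result = audit(MEMBERSHIPS_CSV, PROVISIONING_CSV)
    for user, sources in result["sod_conflicts"].items():
        print(f"conflict: {user} -> {sources}")
    print("administrators:", result["administrators"])
```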
