user manual
granting users and groups specific access permissions to Hyperion resources is called
provisioning.
Native Directory and configured user directories are sources for user and group information for
the provisioning (authorization) process. You can browse and provision users and groups from
all configured user directories from User Management Console. Provisioning data is stored in
Native Directory. You can also use application-specific aggregated roles created in Native
Directory in the provisioning process.
This illustration depicts a broad overview of the authorization process:
1. After a user is authenticated, Hyperion product queries the user directories to determine
the user's groups.
2. Hyperion product uses the group and user information to retrieve the user's provisioning
data from Shared Services. The product uses this data to determine resources that a user can
access.
Product-specific provisioning tasks, such as setting product-specific access control, are
completed from each product. This data is combined with provisioning data to determine
the product access for users.
Role-based provisioning of Hyperion products uses these concepts.
Roles
A role is a construct (similar to access control list) that defines the access permissions granted
to users and groups to perform functions on Hyperion resources. It is a combination of resource
or resource types (what users can access; for example, a report) and actions that users can perform
on the resource (for example, view and edit).
Access to Hyperion application resources is restricted; users can access them only after a role
that provides access is assigned to the user or to the group to which the user belongs. Access
restrictions based on roles enable administrators to control and manage application access.
Provisioning (Role-Based Authorization)
15










