HYPERION RELEASE 9.3.
Hyperion Security Administration Guide, 9.3.1 Copyright © 2005-2007, Oracle and/or its affiliates. All rights reserved. Authors: James Chacko The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws.
Contents
Chapter 1. About Hyperion Security ... 11
  Security Components ... 11
  User Authentication ... 11
  Authentication Components ...
  Configuring the SiteMinder Policy Server ... 27
  Configuring the SiteMinder Web Agent ... 27
  Enabling SiteMinder Authentication in Shared Services ... 27
  Other Procedures ... 28
  Using NTLM to Support SSO ...
  Using Special Characters ... 61
Chapter 5. Working with Applications and Projects ... 65
  Overview ... 65
  Working with Projects ...
  Modifying User Accounts ... 82
  Deactivating User Accounts ... 83
  Activating Inactive User Accounts ... 84
  Deleting User Accounts ... 84
  Managing Native Directory Groups ...
  Preparing the Property File ... 107
  Product Codes ... 111
  Considerations for Setting Filters ... 112
  Prerequisites for Running Import/Export Utility from a Remote Host ... 113
  Running the Utility ...
  Strategic Finance Roles ... 144
  Data Integration Management Roles ... 145
  Essbase Provider Services Roles ... 145
Appendix B. Shared Services Roles and Permitted Tasks ... 147
Appendix C.
  Write Access to Data in Essbase ... 170
  Roles Between Planning and Business Rules ... 170
  Access Permissions Between Planning and Essbase ... 170
  About Connection Types and Planning ... 171
  Migrating Users to Shared Services ...
Chapter 1. About Hyperion Security
In This Chapter: Security Components (11); User Authentication (11); Provisioning (Role-Based Authorization)
Security API The Security Application Programming Interface (Security API) is the main interface used to validate users and interpret user access to Hyperion products. It is a Java API that enables Hyperion products to authenticate users against the user directories configured in Oracle's Hyperion® Shared Services. It also allows integration with security agents such as Netegrity SiteMinder, and retrieval of users and groups based on names and identities.
1. Using a browser, users access the Hyperion product login screen. They enter user names and passwords. The Security API implemented in the Hyperion product queries the configured user directories (including Native Directory) to verify user credentials. Directories are queried in the configured search order. On finding a matching user account in a user directory, the search is terminated and the user's information is returned to the Hyperion product; an account with the same user name in a directory later in the search order is never consulted.
1. Using a browser, users access the login screen of a Web identity management solution (for example, SiteMinder) or SAP Enterprise Portal. They enter user names and passwords, which are validated against the configured user directories to verify user authenticity. Hyperion products are also configured to work with these user directories. When users navigate to a Hyperion product, information about the authenticated user is passed to the Hyperion product, which accepts the information as valid without re-checking the password.
granting users and groups specific access permissions to Hyperion resources is called provisioning. Native Directory and the configured user directories are the sources of user and group information for the provisioning (authorization) process. You can browse and provision users and groups from all configured user directories using User Management Console. Provisioning data is stored in Native Directory. You can also use application-specific aggregated roles created in Native Directory in the provisioning process.
Global Roles Global roles are Shared Services roles that enable users to perform certain tasks within the User Management Console. See Appendix B, “Shared Services Roles and Permitted Tasks” for a complete list of Shared Services global roles. Administrator The Administrator role provides control over all products that integrate with Shared Services. It grants more control over security than any other Hyperion product role and should therefore be assigned sparingly, to individual accounts rather than to broad groups.
Predefined Roles Predefined roles are built-in roles in Hyperion products. You cannot delete these roles from the product. Predefined roles are registered with Shared Services during the application registration process. Aggregated Roles Aggregated roles are custom roles that aggregate multiple product roles within a Hyperion product. An aggregated role consists of multiple roles, including other aggregated roles.
Chapter 2. Setting Up Authentication
In This Chapter: Setting Up Direct Authentication to Hyperion Products (19); Setting Up SSO with SAP Enterprise Portal (21); Setting Up SSO from SiteMinder (25); Using NTLM to Support SSO
Creating Groups User accounts on user directories can be granted membership to groups based on common characteristics such as the user function and geographical location. For example, users can be categorized into groups such as Staff, Managers, Sales, and Western_Sales based on their function within the organization. A user can belong to one or more groups on the user directory, which is an important consideration in facilitating the provisioning process.
● “Configuring an SAP Provider” on page 46 ● “Configuring an NTLM User Directory” on page 49 Setting Up SSO with SAP Enterprise Portal Hyperion products handle SSO to SAP Enterprise Portal by issuing an SAP logon ticket. This action enables users who log in to Hyperion products to navigate seamlessly to SAP applications. The illustrated concept: 1.
1. When a user logs in to SAP Enterprise Portal, SAP authenticates the user against the SAP provider and issues an SAP logon ticket. SSO to SAP is enabled at this time. 2. The user navigates to a Hyperion product. The SAP logon ticket is passed to the Hyperion product, which verifies and decrypts the SAP logon ticket using an SAP certificate stored on the Shared Services server machine to retrieve the user name. 3.
Inheritance Policy for Nested Groups If you use nested groups from Native Directory to mimic nested SAP groups for provisioning, the component groups inherit the roles assigned to the group that contains them. The illustrated concept: In addition to the roles assigned directly to it, each component group (for example, Group2) inherits all the roles assigned to the containing group (Role8 and Role9 in the illustration). For example, the effective role assignment of Group1 in the illustration is Role1, Role8, and Role9. Inheritance is transitive, so nesting a group inside a highly privileged group grants that group's roles to every member of the nested group.
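Worked example of the inheritance rule above, added here as illustration (it is not Hyperion's code). The group and role names are constructed sample data mirroring the illustration; the resolver walks upward from a group through every group that contains it and unions the roles found, and it guards against a nesting cycle so that a mis-configured directory cannot make it loop.

```python
"""Effective-role resolution through nested groups (added example, not Hyperion's code).

Rule from the guide: a component group holds its own directly assigned roles plus
every role assigned to any group that contains it, transitively. All names below
are constructed sample data.
"""
from collections import deque
from typing import Dict, Iterable, Set

# Constructed sample data. DIRECT_ROLES: group -> roles assigned to it directly.
# MEMBERS: containing (nested) group -> the component groups it contains.
DIRECT_ROLES: Dict[str, Set[str]] = {
    "Group1": {"Role1"},
    "Group2": {"Role2"},
    "NestedGroup": {"Role8", "Role9"},
}
MEMBERS: Dict[str, Set[str]] = {
    "NestedGroup": {"Group1", "Group2"},
}


def containing_groups(members: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert the nesting map: component group -> groups that contain it."""
    parents: Dict[str, Set[str]] = {}
    for parent, components in members.items():
        for comp in components:
            parents.setdefault(comp, set()).add(parent)
    return parents


def effective_roles(group: str, direct_roles: Dict[str, Set[str]],
                    members: Dict[str, Set[str]]) -> Set[str]:
    """Roles a group holds: its own plus those of every group above it.

    Breadth-first walk upward through containing groups. `seen` stops a cycle
    (A contains B contains A) from looping forever.
    """
    parents = containing_groups(members)
    roles = set(direct_roles.get(group, set()))
    seen = {group}
    queue = deque(parents.get(group, set()))
    while queue:
        parent = queue.popleft()
        if parent in seen:
            continue
        seen.add(parent)
        roles |= direct_roles.get(parent, set())
        queue.extend(parents.get(parent, set()))
    return roles


def effective_user_roles(user_groups: Iterable[str], direct_roles: Dict[str, Set[str]],
                         members: Dict[str, Set[str]]) -> Set[str]:
    """A user's roles are the union over every group the user belongs to."""
    result: Set[str] = set()
    for g in user_groups:
        result |= effective_roles(g, direct_roles, members)
    return result


if __name__ == "__main__":
    # Group1 directly holds Role1 and inherits Role8 and Role9 from NestedGroup.
    print(sorted(effective_roles("Group1", DIRECT_ROLES, MEMBERS)))
    print(sorted(effective_user_roles(["Group1", "Group2"], DIRECT_ROLES, MEMBERS)))
```

Before adding a group as a member of another group, run the resolver for that group and review every role it would gain; the provisioning report in the console shows direct assignments, but the inherited set is what the user actually gets.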
● Copy or download the SAP JCo archives (.jar files) into the /common/SAP/lib directory. For example: /vol1/Hyperion/common/SAP/lib (UNIX) C:\Hyperion\common\SAP\lib (Windows) These binaries are available in your SAP distribution. Registered SAP users may also download them from the SAP Web site https://service.sap.com/connectors. ● Copy or download the following SAP libraries into the /common/SAP/lib directory.
Setting Up SSO from SiteMinder Hyperion products can be integrated with Web access management solutions such as Netegrity SiteMinder to provide SSO to Hyperion products. Where SSO from SiteMinder is accepted, Hyperion products trust the authentication information sent by SiteMinder regarding the protected resources on the user directory. The illustrated concept: 1. When a user logs in to SiteMinder to access Hyperion products, SiteMinder presents a login screen.
The following SiteMinder security agents are tested and supported for SSO with Hyperion products: ● SiteMinder Policy Server 5.5 SP 2 ● SiteMinder Web Agent 5.5 SP 2 Note: The corporate user directories configured with Shared Services must be trusted when SSO from SiteMinder is enabled, because Shared Services does not store a password in the token when a security agent is used; the user's identity is accepted as asserted by the agent. Special Considerations SiteMinder is a Web-only solution.
Configuring the SiteMinder Policy Server A SiteMinder administrator must configure the policy server to enable SSO to Hyperion products. The configuration process: ● Setting up protection for the Web resources of Hyperion products. ● Configuring a response that adds a custom HTTP header to make the user login name available to Hyperion applications. The header must be named HYPLOGIN and must contain the login name of the authenticated user. Because the Hyperion product accepts the HYPLOGIN value as an authenticated identity, the Web server running the Web Agent must be the only source of that header: a HYPLOGIN header supplied by the client must never be passed through, and the application server should accept requests only from that Web server.
/vol1/Hyperion/deployments/WebLogic9/SharedServices9/config (UNIX) ➤ To enable SiteMinder authentication: 1 In Shared Services, configure the user directories that SiteMinder uses to authenticate users.
NTLM with UNIX Application Environments The following illustration depicts how the Hyperion Remote Authentication Module enables communication between NTLM and Shared Services running in a UNIX environment. The Shared Services configuration file (CSS.xml) resides on the application server, as do the Hyperion application binaries. For NTLM connectivity, you also need NTLM support library file (css-9_3_0.dll) on the machine that hosts Hyperion Remote Authentication Module in the NTLM domain.
Without the Hyperion Remote Authentication Module, the only way to use multiple NTLM domains for Hyperion products is to establish trust relationships between the Shared Services host machine's domain and the NTLM domains where user accounts are available.
Each NTLM domain is configured separately on Shared Services as a user provider. See “Configuring an NTLM User Directory” on page 49 for detailed procedures.
Chapter 3. User Management Console
In This Chapter: Launching User Management Console (33); Overview of User Management Console (34); Navigating in User Management Console (34); Searching for Users, Groups, Roles, and Delegated Lists
If you receive Java Virtual Machine (JVM) errors in User Management Console while using Microsoft Internet Explorer, ensure that your Internet Explorer installation includes Microsoft XML parser (MSXML) version 4. MSXML is bundled with Internet Explorer 6.0. To verify that you have the correct MSXML, check that the following file exists: c:\winnt\system32\msxml4.dll If this file is missing, install Internet Explorer 6.0 or later.
When searching for users in Native Directory, you can search for all users, active users, or inactive users. Search boxes that are displayed on the Browse tab reflect the search context based on the selection in the Object Palette. ➤ To search for users, groups, roles or delegated lists: 1 In the Object Palette, expand User Directories. 2 Expand the user directory to search. Roles are available only in Native Directory. 3 To search for users: a. Right-click Users. b.
Chapter 4. Configuring User Directories
In This Chapter: Operations Related to User Directory Configuration (37); Using the Unique Identity Attribute to Handle Inter-OU Moves in LDAP-Enabled User Directories (38); Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User Directories (40); Configuring an SAP Provider
● “Deleting User Directory Configurations” on page 54 ● “Managing User Directory Search Order” on page 54 ● “Setting Global Parameters” on page 57 Using the Unique Identity Attribute to Handle Inter-OU Moves in LDAP-Enabled User Directories Native Directory, the default user directory for Hyperion products, maintains a link to provisioned users and groups defined in external user directories.
Back Up Native Directory and Hyperion Product Repositories After migrating users and groups to use the new identity attribute, you cannot revert to the previously used identity attribute. Before starting the migration, create backups of Native Directory database and the Hyperion product databases that store user and group information.
directories other than MSAD (SunONE, IBM Directory Server, Novell eDirectory, and custom user directories) must be updated to the new identity attribute before Shared Services can migrate users and groups from these user directories to the new attribute. For example, assume that three MSAD user directories are configured on Shared Services. Two are configured to use the new identity attribute ObjectGUID, and the third is configured to use the old identity attribute (DN).
● Lightweight Directory Access Protocol (LDAP) to configure an LDAP-enabled user directory other than MSAD. ● Microsoft Active Directory (MSAD) to configure MSAD. 5 Click Next. The Connection Information screen for the selected user directory type opens. 6 Enter the required parameters. Table 1 Connection Information Screen Label Description Directory Server The user directory product you are using. Select Other if you are using an LDAP Version 2 (or later) product other than those listed.
Label Description Port The server port number where the user directory is running. Example: 389 Base DN The distinguished name (DN) of the container in the user directory hierarchy where the search for users and groups should begin. You can also use the Fetch DNs button to list available Base DNs and then select the appropriate Base DN from the list. See “Using Special Characters” on page 61 for restrictions on the use of special characters.
Label Description Append Base DN The check box for appending the Base DN (the distinguished name of the node where the search for users and groups should begin) to the specified value. Do not append the Base DN to the Directory Manager account. This check box is disabled if the Anonymous bind option is selected. Password Password of the account specified in the User DN box. This box is disabled if the Anonymous bind option is selected. Example: UserDNpassword 7 Click Next.
The user identifier must be expressed in the format attribute=value; for example, uid=jdoe. Attributes of the user are displayed in the User Configuration area. If you are configuring Oracle Internet Directory as a user directory, you cannot automatically configure the filter because the root DSE of Oracle Internet Directory does not contain entries in the Naming Contexts attribute. See Oracle documentation for detailed information.
The Group Configuration screen for the selected user directory type opens. Shared Services uses the properties set in this screen to create a filter to search for groups in the user directory. Using this filter speeds the search. 10 Clear Support Groups if you do not plan to provision groups or if users are not categorized into groups on the user directory. Deselecting this option disables the fields on this screen.
Table 3 Group Configuration Screen Label Description Group RDN The Relative DN of the group. Each component of a DN is called an RDN and represents a branch in the directory tree. This value, which is relative to the Base DN, is used as the group URL. Specify a Group RDN that identifies the lowest user directory node where all the groups that you plan to provision are available. The Group RDN has a significant impact on login and search performance.
By default, the timeout for resolving SAP keystore file is set to 10 seconds. After configuring an SAP provider, you can manually edit the CSS.xml file to set a different timeout. See “Setting Timeout to Resolve SAP Keystore File” on page 59 for details. ➤ To configure an SAP provider: 1 Launch User Management Console. See “Launching User Management Console” on page 33. 2 Select Administration > Configure User Directories.
Label Description SAP Server Name The host name (or the IP address) of the computer where the SAP Server is running, or the SAP router address. Example: myserver Client Number The client number of the SAP system to which you want to connect. Example: 001 System Number The system number of the SAP System to which you want to connect. Example: 00 User ID The user name that Shared Services should use to access SAP.
7 Test the SAP provider configuration. See “Testing User Directory Connections” on page 53. 8 Add the SAP provider to the search order used by Shared Services. See “Adding a User Directory to the Search Order” on page 55 for details. 9 Specify global settings if needed. See “Setting Global Parameters” on page 57 for details. Configuring an NTLM User Directory Before starting these procedures, meet all the prerequisites in “Using NTLM to Support SSO” on page 28.
Label Description Domain The name of the NTLM domain. You may use the Fetch Domain button to retrieve the domain name. If the domain is not specified, Shared Services, at run time, detects and uses all visible domains. This may affect performance. The search order is: local computer, domain of local computer, and trusted domains visible to the local computer.
Note: Shared Services can retrieve only active database users for provisioning. Inactive and locked database user accounts are ignored. ➤ To configure database providers: 1 Launch User Management Console. See “Launching User Management Console” on page 33. 2 Select Administration > Configure User Directories. The Defined User Directories screen, which lists all configured user directories, including Native Directory, opens. 3 Click Add.
Label Description Port The port where the database server is available to accept requests. Example: 1521 Service/SID (Oracle only) The system identifier (default is orcl). Example: orcl Database (SQL Server and DB2 only) The database to which Shared Services should connect. Example: master User Name The user name that Shared Services should use to access the database. This user must have read privileges on the database system tables that list user accounts; use a dedicated account with only those privileges rather than a DBA account.
Testing User Directory Connections After configuring a user directory, test the connection to ensure that Shared Services can successfully connect to the user directory using the current settings. Note: Establishing a successful test connection does not mean that Shared Services will use the directory. Shared Services uses only the directories that have been assigned a search order.
For explanation of the parameters you can edit, see the following tables: ● MSAD and other LDAP-enabled user directories: ❍ Table 1, “ Connection Information Screen,” on page 41 ❍ Table 2, “ User Configuration Screen,” on page 44 ❍ Table 3, “ Group Configuration Screen,” on page 46 ● SAP providers: Table 4, “ SAP Connection Information Screen,” on page 47 ● NTLM user directories: Table 5, “NTLM Connection Information Screen,” on page 49 ● Database providers: Table 6, “ DB Connection Information
Note: Shared Services terminates the search for a user or group when it first encounters the specified account. If a user has accounts with the same name in several user directories, Shared Services retrieves the account from the user directory that is listed first in the search order; the other accounts are never consulted. By default, Native Directory is set as the first directory in the search order. Additional user directories are given the next available sequence number in the search order.
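The first-match rule has a consequence worth checking before you trust a search order: if the same login name exists in two searched directories, the account in the directory with the lower search order always wins and the other is silently shadowed, and a directory that passed its connection test but was never given a search order is never consulted at all. The following is an added example (not Shared Services code; the directory names and accounts are constructed sample data) that models the lookup and includes an audit helper listing such duplicates.

```python
"""Search-order resolution of a login name (added example; not Shared Services code).

Models the rule from the guide: only directories that have been assigned a
search order are consulted, lowest number first, and the search stops at the
first directory holding the login name. All names below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class UserDirectory:
    name: str
    accounts: Dict[str, dict]            # login name -> record (constructed)
    search_order: Optional[int] = None   # None means the console status "Not Used"


def ordered_directories(directories: List[UserDirectory]) -> List[UserDirectory]:
    """Directories that will actually be searched, in search-order sequence."""
    used = [d for d in directories if d.search_order is not None]
    return sorted(used, key=lambda d: d.search_order)


def find_user(login: str, directories: List[UserDirectory]) -> Optional[Tuple[str, dict]]:
    """First-match lookup. Returns (directory name, record) or None.

    Because the search terminates at the first hit, a same-named account in a
    directory further down the order is never reached (it is shadowed).
    """
    for d in ordered_directories(directories):
        if login in d.accounts:
            return d.name, d.accounts[login]
    return None


def shadowed_accounts(directories: List[UserDirectory]) -> List[Tuple[str, str, str]]:
    """Audit helper: every login name present in more than one searched directory,
    as (login, directory that wins, directory that is shadowed)."""
    first_seen: Dict[str, str] = {}
    clashes: List[Tuple[str, str, str]] = []
    for d in ordered_directories(directories):
        for login in d.accounts:
            if login in first_seen:
                clashes.append((login, first_seen[login], d.name))
            else:
                first_seen[login] = d.name
    return clashes


# Constructed sample: Native Directory is first by default; CorpMSAD was added
# next; LegacyLDAP passed its connection test but was never given a search order.
DIRS = [
    UserDirectory("Native Directory", {"admin": {"dn": "cn=admin"}}, search_order=1),
    UserDirectory("CorpMSAD", {"jdoe": {"dn": "CN=jdoe,OU=Staff"},
                               "admin": {"dn": "CN=admin,OU=IT"}}, search_order=2),
    UserDirectory("LegacyLDAP", {"jdoe": {"dn": "uid=jdoe,ou=old"}}, search_order=None),
]

if __name__ == "__main__":
    print(find_user("jdoe", DIRS))     # CorpMSAD record; LegacyLDAP is Not Used
    print(find_user("admin", DIRS))    # Native Directory admin; the MSAD admin is shadowed
    print(shadowed_accounts(DIRS))     # [('admin', 'Native Directory', 'CorpMSAD')]
```

The audit matters most for privileged names: a corporate directory account called admin can never be used to reach the product while Native Directory's admin sits ahead of it, and conversely any directory placed ahead of Native Directory can shadow Native Directory's own accounts.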
Changing the Search Order The default search order assigned to each user directory, including Native Directory, is based on the sequence in which the directory was added to the search order. ➤ To change the search order: 1 Launch the User Management Console, as explained in “Launching User Management Console” on page 33. 2 Select Administration > Configure User Directories. 3 From Defined User Directories screen, select the directory whose search order you want to change.
Shared Services displays a message indicating that the search order was updated. 6 Click OK to return to the Defined User Directories screen, which lists the status of the user directory as Not Used. Setting Global Parameters These global parameters are applicable to all user directories included in the search order. ● Token timeout–Specifies the time, in minutes, after which the SSO token issued by Hyperion products or the security agent will expire. Users are forced to log in again after this period.
Parameter Description Logging level Level at which user directory related issues are recorded in the Shared Services security log files. Example: WARN Support for Security Agent for Single Sign-on Option enabling support for SSO from security agents such as SiteMinder. Enable Delegated User Management Mode Option enabling delegated user management of Hyperion products. See Chapter 6, “Delegated User Management.” 4 Click OK.
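The two settings above, support for a security agent and the token timeout, together define how much trust the product places in an external agent such as SiteMinder: the login name arrives in the HYPLOGIN header, no password is carried in the SSO token, and the token timeout is the only thing that forces a re-login. The following is an added example (not Hyperion's code; the token layout, signing key and agent address are assumptions) of the two checks a consumer of such a header needs: accept HYPLOGIN only from the host that runs the Web Agent, and expire the issued token after the configured number of minutes.

```python
"""Consuming an identity asserted by a Web access agent, with token expiry
(added example; not Hyperion's code). Token format, key and addresses are assumed.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

TRUSTED_AGENT_HOSTS = {"10.0.0.5"}        # assumed address of the Web server running the Web Agent
TOKEN_TIMEOUT_MINUTES = 120               # the global "Token timeout" parameter, in minutes
SECRET_KEY = b"constructed-example-key"   # a managed secret in a real deployment


def identity_from_agent(headers: dict, remote_addr: str) -> Optional[str]:
    """Login name from HYPLOGIN, but only when the request came from a trusted
    agent host. A HYPLOGIN header sent by an arbitrary client is ignored."""
    if remote_addr not in TRUSTED_AGENT_HOSTS:
        return None
    return headers.get("HYPLOGIN") or None


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(login: str, now: Optional[float] = None, key: bytes = SECRET_KEY) -> str:
    """Assumed token layout: base64(JSON claims) '.' base64(HMAC-SHA256 over the claims).
    The claims carry the user and the issue time only; there is no password."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"user": login, "iat": issued}, separators=(",", ":")).encode()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(_sign(payload, key)).decode())


def validate_token(token: str, now: Optional[float] = None, key: bytes = SECRET_KEY,
                   timeout_minutes: int = TOKEN_TIMEOUT_MINUTES) -> Optional[str]:
    """Return the login name if the signature verifies and the token is within the
    timeout; otherwise None, and the caller must send the user to log in again."""
    check_time = int(time.time() if now is None else now)
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        if not hmac.compare_digest(sig, _sign(payload, key)):
            return None
        claims = json.loads(payload)
        if check_time - int(claims["iat"]) > timeout_minutes * 60:
            return None
        return claims["user"]
    except (ValueError, KeyError, TypeError, binascii.Error):
        return None


if __name__ == "__main__":
    # Constructed request: header set by the Web Agent on the trusted host.
    login = identity_from_agent({"HYPLOGIN": "jdoe"}, "10.0.0.5")
    token = issue_token(login)
    print(validate_token(token))                               # jdoe
    print(identity_from_agent({"HYPLOGIN": "admin"}, "203.0.113.9"))  # None: untrusted source
```

The address check is a stand-in for whatever isolates the application server from direct client traffic in your deployment (a firewall rule, a dedicated listener, or mutual TLS between the Web server and the application server); the point is that nothing but the Web Agent's Web server can originate HYPLOGIN.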
Setting Timeout to Resolve SAP Keystore File By default, Shared Services uses 10 seconds as the timeout for resolving the SAP keystore file. You can override this value in the Shared Services configuration file. ➤ To change the timeout for resolving the SAP keystore file: 1 Using a text editor, open CSS.xml. This file is in /config. For example, C:\Hyperion\deployments\WebLogic9\SharedServices9\config (WebLogic 9.
90000 60 120 false See Table 8 for an explanation of these attributes. A sample CSS.
3 Verify that each user directory configuration contains a connection pool definition. 4 Optional: Define socket connection timeout for user directories by including the parameter in the Native Directory user directory definition. For example, the following setting specifies a socket timeout of 5 seconds. 60000 Note: Socket timeout set for Native Directory applies to all configured user directories.
Table 9 Supported Special Characters
  ( open parenthesis
  ) close parenthesis
  " quotation mark
  ' single quotation mark
  , comma
  & ampersand
  = equal to
  < less than
  > greater than
  $ dollar
  + plus
  / slash
  \ backslash
  ^ caret
  ; semicolon
  # pound
  @ at
Table 10
  , comma
  ; semicolon
  < less than
  + plus
  > greater than
  = equal to
  & ampersand
Table 11
Space is not supported as a special character in Base DN.
Table 12 Characters that Need not Be Escaped
  ( open parenthesis
  ) close parenthesis
  $ dollar
  ' single quote
  ^ caret
  @ at
These characters must be escaped if you use them in user directory settings (user names, group names, user URLs, group URLs and User DN).
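Where a login name or a DN component contains characters from these tables, it must be escaped before it is placed in the LDAP search filter (built from the user identifier attribute, for example uid=jdoe) or in a DN; otherwise characters such as * ( ) in a login name change the meaning of the filter (LDAP injection), and , + = in a name change the structure of the DN. The following is an added example (not Shared Services code) implementing the escaping rules of RFC 4515 for filter values and RFC 4514 for DN values. These are the standard LDAP character sets, which overlap with but are not identical to the product-specific tables above (& for instance is a Shared Services restriction, not an LDAP metacharacter).

```python
"""Escaping user-supplied names before use in LDAP filters and DNs
(added example; not Shared Services code). Sample inputs are constructed.
"""

# RFC 4515: these characters in an assertion value must become backslash-hex.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514: characters that must be preceded by a backslash anywhere in a value.
DN_SPECIALS = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name.

    Backslash before the DN specials; a leading '#', a leading or trailing
    space is also escaped; NUL becomes \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_filter(login_attr: str, login: str, object_class: str = "person") -> str:
    """Build the user lookup filter in the attribute=login form the guide describes,
    with the login name escaped so it cannot alter the filter's structure."""
    return "(&(objectClass=%s)(%s=%s))" % (object_class, login_attr,
                                           escape_filter_value(login))


def user_dn(login_attr: str, login: str, base_dn: str) -> str:
    """Compose an entry DN from an escaped RDN value and a Base DN."""
    return "%s=%s,%s" % (login_attr, escape_dn_value(login), base_dn)


if __name__ == "__main__":
    # Constructed inputs: a normal login and an injection attempt.
    print(user_filter("uid", "jdoe"))
    print(user_filter("uid", "*)(uid=*"))          # metacharacters neutralised
    print(user_dn("cn", "Doe, John", "ou=Staff,dc=example,dc=com"))
```

The second filter shows why the login name cannot be trusted raw: unescaped, `*)(uid=*` would close the uid clause and match every user, so whichever account is returned first would be treated as the authenticated user.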
Chapter 5. Working with Applications and Projects
In This Chapter: Overview (65); Working with Projects (65); Managing Applications
● “Creating Projects ” on page 66 ● “Modifying Project Properties” on page 67 ● “Deleting Projects ” on page 67 Note: You must be a Shared Services Administrator or Project Manager to create and manage projects. Shared Services Administrators can work with all registered applications but a Project Manager can work only with the application for which that person is the project manager. Creating Projects During the project creation process, you can also assign applications to the new project.
Modifying Project Properties You can modify all properties and settings of an existing project, including application assignments. Note: You can also add applications to projects by moving them from another project or from the Unassigned Applications node. Refer to “Moving Applications ” on page 69. ➤ To modify a project: 1 Launch the User Management Console, as explained in “Launching User Management Console” on page 33. 2 Select Projects from the Object Palette.
be provisioned against the roles belonging to those applications. Applications that have been assigned to a project are listed under the Project node of User Management Console.
Moving Applications You can move assigned applications from one project to another and from unassigned applications to existing projects. Moving an application removes the association between the application and the project but does not affect provisioning assignments for the application. ➤ To move an application: 1 Launch User Management Console, as explained in “Launching User Management Console” on page 33. 2 Right-click the application and select Move To.
➤ To delete an application: 1 Launch User Management Console, as explained in “Launching User Management Console” on page 33. 2 From existing projects or from unassigned applications, locate the application to delete. 3 Right-click the application and select Delete. 4 Click OK in the confirmation dialog box.
Chapter 6. Delegated User Management
In This Chapter: About Delegated User Management (71); Hierarchy of Administrators (71); Enabling Delegated User Management Mode (72); Creating Delegated Administrators
You can create Shared Services Administrator accounts by provisioning users and groups with the Shared Services Administrator role, which provides unfettered access to all Shared Services functions. Delegated Administrators In contrast to Shared Services Administrators, Delegated Administrators have limited administrator-level access to Shared Services and Hyperion products.
● “Creating Delegated Lists” on page 73 ● “Viewing Delegated Reports” on page 77 Planning Steps User Accounts for Delegated Administrators Shared Services Administrators create Delegated Administrators from existing user accounts in the user directories configured on Shared Services. Unlike in the provisioning process, delegated administration capabilities cannot be assigned to groups.
Note: Shared Services displays the Delegated List node only if the current user is assigned to manage delegated lists. The users and groups that a Delegated Administrator creates are not automatically assigned to the administrator who created them. A Shared Services Administrator must add these users and groups to delegated lists before Delegated Administrators can access them. Delegated Administrators, however, can assign these users and groups to the delegated lists that they create.
d. From Available Users, select one or more users. e. Click Add. The selected users are listed in Assigned Users. f. Optional: To unassign a user, from Assigned Users, select a user and click Remove. To unassign all users, click Reset. Note: The Delegated Administrator of the list is automatically added as a user. 7 Optional: To assign Delegated Administrators for this list, click Next. The Managed By tab opens. a.
The Delegated List Properties screen opens. 5 Optional: On General, modify the list name and description. 6 Optional: To add groups, click Group Members. a. In Search for Groups, enter the name of the group to assign to the list. Leave this field empty to retrieve all groups. Use * as the wildcard for pattern searches. If you are a Delegated Administrator, only groups assigned to you are displayed. b. In Directory, select the user directory from which groups are to be displayed. c. Click Go. d.
f. Optional: To unassign a user, from Assigned Users list, select the user and click Remove. To unassign all users, click Reset. Note: The user who creates the list is automatically added as a Delegated Administrator of the list. 9 Click Save. Deleting Delegated Lists ➤ To delete delegated lists: 1 Launch User Management Console, as explained in “Launching User Management Console” on page 33. 2 In the Native Directory node in the Object Palette, select Delegated Lists.
a. Click Print to print the report. b. Click Close to close the View Report window.
Chapter 7. Managing Native Directory
In This Chapter: About Native Directory (79); Managing Native Directory Users (81); Managing Native Directory Groups (84); Managing Roles
● /vol1/Hyperion/SharedServices/9.3.1/openLDAP (UNIX) The install location of Native Directory is referred to as throughout this document. Native Directory data is stored in /var/openldap-data, and utilities are stored in /bdb/bin. By default, Native Directory is deployed to port 58089 as a process (UNIX) or a service (Windows). Default Users and Groups Native Directory, by default, contains one user account (admin, with password as the default password). Because this default credential is publicly documented and the admin account holds the Shared Services Administrator role, change its password at first login, before the system is exposed to users.
Stopping Native Directory On Windows, you can stop Native Directory by stopping Hyperion S9 OpenLDAP service from the Services window, or by executing stopService.bat. On UNIX systems, run /stopOpenLDAP script to stop the Native Directory process.
Label Description Last Name Last name of the user (optional) Description Description of the user (optional) Email Address Email address of the user (optional) Password The password for this user account. Passwords are case-sensitive and can contain any combination of characters. Confirm Password The entry in the Password text box 4 Optional: To add the user to one or more groups, click Next. a.
See Table 14 for descriptions of the properties that you can modify. 6 Optional: Modify the user's associations with Native Directory groups. a. In Search for Groups box on the Member Of tab, type the name of the group to assign to this user (type * to list all available groups), and click Go. b. From Available Groups, select one or more groups to assign to the user, and click Add. The selected groups are listed in Assigned Groups.
Activating Inactive User Accounts Activating inactive user accounts reinstates all associations that existed before the accounts were deactivated. If a group of which the inactive user account was a member was deleted, the roles granted through the deleted group are not reinstated. ➤ To activate deactivated user accounts: 1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
● “Creating Groups” on page 85 ● “Modifying Groups” on page 86 ● “Deleting Groups” on page 88 ● “Provisioning Users and Groups” on page 101 ● “Deprovisioning Users and Groups” on page 102 ● “Generating Provisioning Reports” on page 102 Note: Groups on external user directories cannot be managed from User Management Console. Creating Groups Native Directory groups can contain users and groups from any user directories configured on Shared Services, including Native Directory.
d. From Available Groups, select the groups to nest within the new group. e. Click Add. The selected groups are listed under Assigned Groups list. To remove an assigned group, from Assigned Groups, select the group to remove and click Remove. To remove all assigned groups, click Reset. f. Optional: To retrieve and assign groups from other user directories, repeat Steps a-e. 7 To create the group without adding users, click Finish. To add users to the group, click Next.
2 In the Native Directory node of the Object Palette, select Groups. 3 Search for a group. See “Searching for Users, Groups, Roles, and Delegated Lists” on page 34. A list of groups that meet the search criterion is displayed on the Browse tab. 4 Right-click a group, and select Properties. The Group Properties screen is displayed. Note: The Group Properties screen displays the Managed By tab if Shared Services is deployed in Delegated Administration mode.
To remove an assigned user, from Assigned Users, select the user and click Remove. To undo all your actions in this tab, click Reset. ● b. Optional: To retrieve and assign users from other user directories, repeat this procedure. To remove users from the group: ● From Assigned Users, select one or more users. ● Click Remove. 8 To view the delegated administrators assigned to the group, open the Managed By tab, which is available only if Shared Services is deployed in Delegated Administration mode.
refresh interval is set to 60 minutes, which can be modified. See “Overriding Cache Refresh Interval for MSAD and other LDAP-Enabled User Directories” on page 58. Creating Aggregated Roles To facilitate administration and provisioning, Shared Services Administrators can create aggregated roles that associate multiple product-specific roles with a custom Shared Services role.
Modifying Aggregated Roles You can modify only aggregated roles; default application-specific roles cannot be modified from Shared Services. You may change all role properties except the product name. ➤ To modify aggregated roles: 1 Launch User Management Console, as explained in “Launching User Management Console” on page 33. 2 In the Object Palette, select Roles. 3 Retrieve an aggregated role. See “Searching for Users, Groups, Roles, and Delegated Lists” on page 34.
A list of roles that meet the search criterion is displayed on the Browse tab. 4 Right-click a role, and select Delete. 5 In the confirmation dialog box, click OK. Changing Native Directory root User Password Shared Services Administrators can change the password of the Native Directory root user account, which provides complete control over Native Directory. The default root password is hard-coded in a file and is not visible to users.
● Schedule hot backups when database usage is at its lowest. ● Back up the Shared Services repository and Native Directory database at the same time so that backup is in sync. ● Store backup for disaster recovery. ● Test backup and recovery procedures to ensure that the process works. Hot Backup Regular incremental backups of the Native Directory database can be performed without shutting down Native Directory. Known as hot backups, they do not interfere with the availability of Shared Services.
Note: Data in the Native Directory database is synchronized with the data available in the Shared Services repository. Hyperion recommends that you back up the Shared Services repository along with the Native Directory database. ➤ To back up Native Directory database: 1 Stop Native Directory service or process. 2 Copy into a secure location.
➤ To recover provisioning data after a Native Directory crash: 1 Verify that the Native Directory service (Windows) or process (UNIX) is not running. 2 Open a command prompt (Windows) or console (UNIX) window. 3 Navigate to \bdb\bin.
2 On the server machines, stop the Hyperion S9 OpenLDAP service or process. 3 On the master server (for example, machine1), create a directory (for example, C:\OpenLDAP\logs in Windows or /apps/OpenLDAP/logs in UNIX) to store the replication log files. 4 On the master server, update the \slapd.conf file with the following directives. ● replica directive.
You should include the following slave definition immediately after the declaration: ldap://:58089 failover Where is the name of the slave server machine and 58089 is the Native Directory port. 8 On the master server and then on the slave server, start the Hyperion S9 OpenLDAP service or process.
Note: Native Directory in the standby environment handles all calls until the primary environment is brought back online and the load balancer is configured to route calls to the primary environment. ➤ To deploy Native Directory for failover in cold standby mode: 1 Install Shared Services in the primary and standby environments. Refer to the Hyperion Shared Services Installation Guide for instructions. 2 Configure and deploy Shared Services in the primary environment.
The load balancer must host a monitoring application capable of checking whether Native Directory is running in the primary environment. This can be achieved by using the LDAP ping mechanism or by using corporate process monitoring tools (for example, Tivoli and UniCenter). a. Configure the monitoring application to perform these tasks: ● Use the following directive (embedded in a batch or shell file) to look for an active Native Directory instance in the primary environment:
ldapsearch -H ldapurl cn=*
Note: Native Directory in the standby environment handles all calls until the primary environment is brought back online and the load balancer is configured to route calls to the primary environment. ➤ To deploy Native Directory for failover in hot standby mode: 1 Install Shared Services in the primary and standby environments. Refer to the Hyperion Shared Services Installation Guide for instructions. 2 Configure and deploy Shared Services in the primary environment.
details. Migration is the process of copying an application instance from one operating environment to another; for example, from development to testing or from testing to production. You use the Import/Export utility to migrate Native Directory. ➤ To migrate Native Directory: 1 On the computer that hosts the source Shared Services server, perform the following actions: a. Install the Import/Export utility. See “Installing the Import/Export Utility” on page 106. b. Create the importexport.
Chapter 8. Managing Provisioning
In This Chapter
Provisioning Users and Groups 101
Deprovisioning Users and Groups 102
Generating Provisioning Reports 102
Importing and Exporting Native Directory Data
5 Select one or more roles, and click Add. The selected roles appear in Selected Roles. 6 Click Save. A dialog box, which indicates that the provisioning process is successful, is displayed. 7 Click OK. Deprovisioning Users and Groups Deprovisioning removes all the roles the user or group is assigned from an application. Shared Services administrators can deprovision roles from one or more applications. Provisioning managers of applications can deprovision roles from their applications.
2 In the Object Palette, select a user, group, or role. See “Searching for Users, Groups, Roles, and Delegated Lists” on page 34. 3 Select Administration > View Report. 4 Enter report generation parameters. Table 15 View Report Screen Label Description Find All Select the object type (user, group, or role) for which the report is to be generated. For User or For Role The label of this changes depending on what is selected in Find All.
● “Product Codes” on page 111 ● “Considerations for Setting Filters” on page 112 ● “Sequence of Operations” on page 107 ● “Preparing the Property File” on page 107 ● “Prerequisites for Running Import/Export Utility from a Remote Host” on page 113 ● “Running the Utility” on page 113 ● “Import File format” on page 114 ❍ “XML File Format” on page 114 ❍ “CSV File Format” on page 118 Overview The Import/Export utility, a standalone, command-li
Use Scenarios ● “Move Provisioning Data Across Environments” on page 105 ● “Manage Users and Groups in Native Directory” on page 105 ● “Bulk Provision Users and Groups” on page 105 Move Provisioning Data Across Environments Shared Services Administrators can use Import/Export utility to move users, groups and provisioning data across environments, for example from a development environment to a production environment.
Installing the Import/Export Utility An archive containing the utility is installed into in this discussion.
import.operation=update
import.failed.operations.file=c:/failed.xml
import.maxerrors=0
Sequence of Operations ● “Preparing the Property File” on page 107 ● Exporting the data into an export file. See “Running the Utility” on page 113. ● Optional: Modifying the data in the export file. See “XML File Format” on page 114 and “CSV File Format” on page 118. ● Validating the import file. See “Running the Utility” on page 113. ● Importing the data.
Table 16 Properties for Import–Export Operations Property Description import export operations importexport.css The URI where the Shared Services configuration file is stored. For import operations, use the configuration file of the Shared Services instance that manages the Native Directory instance into which data is to be imported. For export operation, use the configuration file of the Shared Services instance that manages the Native Directory instance from which data is to be exported.
Property Description Note: Import/Export utility does not create the error log if you do not specify a file name. Example: impExerror.log importexport.locale Locale (two-letter language code) to use for the operation. Supported locales are en, fr, it, de, es, pt_BR, nl, ja, ko, zh_CN, zh_TW, ru, tr. The utility attempts to retrieve only data in the specified locale.
Property Description Example: true export.provisioning.all Indicates whether to export all provisioning data. Set this property to false to export a subset of the provisioning data by using these properties in tandem: ● export.projectnames ● export.applicationnames Alternatively, you can select a subset by setting export.provisioning.apps. Note: The values of these properties are ignored if export.provisioning.all is set to true. Example: true export.delegated.
Property Description import.file Location of the file to import or validate. You can import data from XML or CSV files, created through an export operation. If you manually create the file, be sure to format it correctly. Use the sample CSV and XML files available in /samples as reference. Example: C:/hyperion/common/utilities/CSSImportExportUtility/importexport/import.xml import.operation The option for the import operation.
Product Code Product Name HFM Financial Management HP Planning HPS Oracle's Hyperion® Performance Scorecard – System 9 HSF Oracle's Hyperion® Strategic Finance HTM Oracle's Hyperion® Translation Manager HUB Shared Services Considerations for Setting Filters The Import/Export utility uses the settings specified in importexport.properties to identify the components (Shared Services, Native Directory, and other user directories) to use for the import or export operation.
The trace log file can be voluminous. Generate a trace file only if you need to debug the import or export operation. Use the information in the error log to identify failed transactions in the trace file. Note: Generating trace information will impact the performance of the Import/Export utility. Prerequisites for Running Import/Export Utility from a Remote Host If the Import/Export utility is being run from a remote host that does not host the Shared Services server: ● Verify that Sun JDK 1.
● To validate data, run CSSValidate.bat importexport.properties (Windows) or CSSvalidate.sh importexport.properties (UNIX) Note: If the importexport.properties file is not in the directory from which the command is being executed, be sure to use the appropriate path in the commands. Summary information about the operations is displayed in the console. If transactions fail, review the error log and trace log to determine the cause of the problem and make the necessary corrections.
Administrator Has unrestricted access
Element Attribute Description and Example first_name First name of the user Example: Paul last_name Last name of the user Example: Turner description User description Example: Administrative User email Email address of the user. Example: pturner@example.com internal_id The auto-generated internal identity of the Native Directory user. Example: 911 password Encrypted password of the user.
Element Attribute Description and Example product_type Product type to which the role belongs (specified as -) Example: HAVA-9.3.1 name Unique role name Example: Basic User description Role description Example: Launch and view business rules and objects. A container for attributes of aggregated roles.
Element Attribute Description and Example manager Users and groups who manage the list. Each manager definition may contain user and group definitions. The provider identified must be the user directory that contains the manager's account. CSV File Format The CSV file format is a tabular data format that contains fields separated by commas and enclosed in double quotation marks. The Import/Export utility supports only Excel-compliant CSV files.
● Role members are processed with multiple data lines under one header and one parent role. ● User provisioning is processed with multiple data lines under one header and one group or user. Error handling is based on the process boundaries. One error is counted for each failure in a process boundary.
● Table 23, “Role_Children Entity Attributes,” on page 122 ● Table 24, “Provisioning Entity Attributes,” on page 123 ● Table 25 on page 123 The following user delineation in an import CSV file can be used to create the user Test_1 in a Native Directory with the login name Test_1,first name New1, last name User1, description Test User, e-mail id Test1@example.
The following group delineation in an import CSV file can be used to create the group WORLD in a Native Directory with the group id WORLD, description Contains all users, and internal id 611:
id,provider,name,description,internal_id
WORLD,,WORLD,Contains all users,611,
Table 20 Group Entity Attributes Attribute Description and Example id Group identifier Example: testgroup provider Source user directory for the group Example: LDAP-West name Group name Example: testgroup description (Optional.
The following child group delineation in an import CSV file can be used to create the nested group childGp1 with group id childGp1. User member of this group is Test1.
role id is Administrator, which belongs to product type HUB-9.0.0. User Test1 and group Group1 defined in Native Directory are provisioned with this role.
project_name,application_name,role_id,product_type,user_id,user_provider,group_id,group_provider
HUB,Global Roles,Administrator,HUB-9.0.
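The CSV rules above (one header followed by its data lines per process boundary, one error counted per boundary, and the group and provisioning delineations) as an added example that is not part of the guide or of the Import/Export utility: a small Python validator that parses a constructed import file, reports one error entry per process boundary, and lists rows granting the Administrator role so they can be reviewed before a bulk import. The column names are those given in the guide; the sample rows, the check rules, the product_type pattern and all function names are assumptions.

```python
import csv
import io
import re
# Constructed sample import file modelled on the guide's group and provisioning
# delineations: one header per process boundary, and two provisioning lines
# (user Test1, group Group1) under a single header.
SAMPLE_CSV = """\
id,provider,name,description,internal_id
WORLD,,WORLD,Contains all users,611,

project_name,application_name,role_id,product_type,user_id,user_provider,group_id,group_provider
HUB,Global Roles,Administrator,HUB-9.0.0,Test1,Native Directory,,
HUB,Global Roles,Administrator,HUB-9.0.0,,,Group1,Native Directory
"""
# Entity types are recognised by their header line (column names from the guide).
GROUP_HEADER = ["id", "provider", "name", "description", "internal_id"]
PROV_HEADER = ["project_name", "application_name", "role_id", "product_type",
               "user_id", "user_provider", "group_id", "group_provider"]
PRODUCT_TYPE_RE = re.compile(r"^[A-Z]+-\d+(\.\d+)*$")  # e.g. HUB-9.0.0 (assumed form)


def split_sections(text):
    """Process boundaries (a header plus its data lines) are separated by blank lines."""
    parsed = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rows = list(csv.reader(io.StringIO(block)))
        if rows:
            parsed.append(([h.strip() for h in rows[0]], rows[1:]))
    return parsed


def row_to_record(header, row):
    """Map a data line onto its header; trailing empty fields (as in the guide's
    WORLD line) are tolerated, extra non-empty fields are an error."""
    fields = [f.strip() for f in row]
    while len(fields) > len(header) and fields[-1] == "":
        fields.pop()
    if len(fields) > len(header):
        raise ValueError("more fields than header columns: %r" % row)
    fields += [""] * (len(header) - len(fields))
    return dict(zip(header, fields))


def check_group(rec):
    errs = []
    if not rec["id"]:
        errs.append("group id is required")
    if rec["internal_id"] and not rec["internal_id"].isdigit():
        errs.append("internal_id must be numeric")
    return errs


def check_provisioning(rec):
    errs = []
    for key in ("project_name", "application_name", "role_id", "product_type"):
        if not rec[key]:
            errs.append("%s is required" % key)
    if rec["product_type"] and not PRODUCT_TYPE_RE.match(rec["product_type"]):
        errs.append("product_type %r is not <code>-<version>" % rec["product_type"])
    if bool(rec["user_id"]) == bool(rec["group_id"]):
        errs.append("exactly one of user_id or group_id must be set")
    for who in ("user", "group"):  # a member must name the directory holding its account
        if rec[who + "_id"] and not rec[who + "_provider"]:
            errs.append("%s_provider is required with %s_id" % (who, who))
    return errs


def validate_import(text):
    """Return (records, errors): rows that passed, grouped by entity type, and one
    (boundary index, message) entry per failing process boundary."""
    records = {"group": [], "provisioning": []}
    errors = []
    for idx, (header, rows) in enumerate(split_sections(text)):
        if header == GROUP_HEADER:
            kind, check = "group", check_group
        elif header == PROV_HEADER:
            kind, check = "provisioning", check_provisioning
        else:
            errors.append((idx, "unrecognised header: %s" % ",".join(header)))
            continue
        boundary_errs = []
        for row in rows:
            try:
                rec = row_to_record(header, row)
            except ValueError as exc:
                boundary_errs.append(str(exc))
                continue
            row_errs = check(rec)
            boundary_errs.extend(row_errs)
            if not row_errs:
                records[kind].append(rec)
        if boundary_errs:
            errors.append((idx, "; ".join(boundary_errs)))
    return records, errors


def privileged_grants(records):
    """Provisioning rows that grant Administrator: review these before importing."""
    return [r for r in records["provisioning"] if r["role_id"] == "Administrator"]
```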
Attribute Description and Example Example: admin manager_provider The user directory that stores the manager's account. Example: Native Directory user_id Unique identifier of a user member of the list. Each member must be identified in a separate definition. Example: pturner manager_provider The user directory that stores the user member's account. Example: Native Directory group_id Unique identifier of a group that is a member of the list. Each member must be identified in a separate definition.
Chapter 9. Using the Update Native Directory Utility to Clean Stale Native Directory Data
In This Chapter
About the Update Native Directory Utility 125
Installing the Update Native Directory Utility 126
Running the Update Native Directory Utility
● Deletes user accounts derived from the external user directory if the user directory is removed from the Shared Services search order ● Updates Native Directory if the user or group in the external user directory is moved from one OU to another (the OU to which the user or group is moved must be configured in Shared Services) Update Native Directory Utility does not update Native Directory if the external user directory cannot be reached because of configuration or connection problems.
Where identifies the directory or application server location where the CSS.xml configuration file is stored.
Option Description Example: updateNativeDir -cssLocation D:\CSS.xml -noprompt updates Native Directory in silent mode. -noupdate Optional: Use this option if you only want to generate CSSMigrationUpdate_.log, which lists the users and groups that need to be updated in Native Directory. User and group information in Native Directory is not updated if you use this option. Example: updateNativeDir -cssLocation D:\CSS.xml -noupdate creates CSSMigration-Update_.log.
● “Reporting and Analysis” on page 131 ● “Strategic Finance ” on page 132 The following Hyperion products do not need to perform any migration procedures: ● Performance Scorecard ● Hyperion System 9 Analytic High Availability Services ● Oracle's Essbase® Integration Services ● Oracle's Hyperion® Provider Services ● Analytic Deployment Services Essbase Caution! Hyperion recommends that you back up Essbase security file and the data in Native Directory before starting the migration process.
revert, restore user and group data in Native Directory and Planning repository from the backups. Note: After upgrading your system, migrate users and groups to the new identity attribute before performing any other operation such as loading security or changing existing security settings. Such changes may be lost during the migration. Planning stores information about provisioned users and groups in the Planning repository.
Migrating Financial Management users is a one-time operation that must be completed before starting Financial Management after upgrading to Release 9.3.1. Reporting and Analysis Caution! Hyperion recommends that you back up the user and group data in Native Directory and Reporting and Analysis before starting the migration process. After migrating users and groups to use the new identity attribute, you cannot revert to the previously used identity attribute.
Strategic Finance Strategic Finance automatically migrates users to the unique identity attribute used by Shared Services to resolve issues where domain name or organizational unit changes might result in the loss of provisioning and object access information.
Chapter 10. Troubleshooting
In This Chapter
Shared Services Log Files 133
User Directory Error Codes 134
Troubleshooting Tools and Utilities
All Shared Services log files are located in \logs\SharedServices9. User Directory Error Codes Most LDAP-enabled user directories use a standard set of error codes. These error codes and their descriptions are available at the following Web site: http://www.directory-info.com/LDAP/LDAPErrorCodes.html. Error codes specific to MSAD are explained at the following Web site: http://msdn.microsoft.com/library/en-us/debug/base/system_error_codes.
Appendix A. Hyperion Product Roles
In This Appendix
Shared Services Roles 135
Essbase Roles 137
Reporting and Analysis Roles 137
Financial Management Roles
Role Name Description LCM Manager Runs the Artifact Life-Cycle Management utility to promote artifacts or data across product environments and operating systems Project Manager Creates and manages projects within Shared Services Create Integrations Creates Shared Services data integrations (the process of moving data between applications) using a wizard. For Oracle's Enterprise Performance Management Architect, creates and executes data synchronizations.
Essbase Roles Additional Shared Services roles are required for Performance Management Architect. See “Shared Services Roles” on page 135. Role Description Power Roles Administrator Grants full access to administer the server, applications and databases Application Manager Creates, deletes and modifies databases, and application settings within the assigned application.
Role Description Applies to Financial Reporting, Interactive Reporting, SQR Production Reporting, and Web Analysis Content Manager Manages imported repository content and executes tasks, with implicit access to all resources (unless the file is locked by “no access”); contains the Data Source Publisher role Applies to Financial Reporting, Interactive Reporting, SQR Production Reporting, and Web Analysis Data Source Publisher Imports data source connectivity files Applies to Interactive Reporting and Web
Role Description Smart Form Publisher* Loads custom forms for programs (forms prompt job runners to enter information used to define jobs) Applies to SQR Production Reporting Note: You must have the Job Publisher role to leverage Smart Form Publisher functionality. View Roles Dynamic Viewer* Views, reprocesses, and prints Interactive Reporting documents.
Role Description Power Roles Application Administrator Performs all Financial Management tasks. Access to this role overrides any other access setting for the user Load System Loads rules, and member lists Inter-Company Transaction Admin Opens and closes periods, locks and unlocks entities, and manages reason codes.
Role Description Inter-Company Transaction User Creates, edits, deletes, loads and extracts transactions. Runs matching report by account or ID, runs transaction report and drills through from modules.
Role Description Administrator Performs all application tasks except those reserved for the application owner and Mass Allocate role. Creates and manages applications, manages access permissions, initiates the budget process, designates the e-mail server for notifications. Application Owner Reassigns application ownership.
Role Description Basic User Launches business rules and sequences to which the user has access. Views variables and macros, business rules, and sequences to which the user has access. Edits business rules, sequences, macros, variables, and projects for which the user has editing permissions. Business Modeling Roles Role Description Power Roles Administrator Manages the users, security and databases for the application, both on the desktop and the Web.
Transaction Manager Roles Role Description Power Roles Administrator Administers all system resources Interactive Roles Basic User Views system resources Performance Scorecard Roles Role Description Power Roles Power Manager The Power Manager role provides the administrative capability within a Performance Scorecard environment Interactive Roles Basic User Grants access to reports, scorecards, measures and initiatives with the additional role of result collection administration Interactive User Pr
Data Integration Management Roles Role Privileges Power Roles Oracle's Hyperion® Data Integration Management Administrator Operates workflows and uses Workflow Manager, uses designer, browses repository, and administers repository and server. Data Integration Management Designer Operates workflows, uses designer, browses repository, and uses Workflow Manager. Data Integration Management Operator Operates workflows and browses repository.
Appendix B. Shared Services Roles and Permitted Tasks
Table 28 Shared Services User Roles and Tasks Matrix Tasks Administrator Directory Manager Create users X X Modify user details X X Delete users X X Deactivate and Activate user accounts X X Create groups X X Modify group details X X Delete groups X X Create projects X X Modify project details X X Delete projects X X Provision users X X Deprovision users X X Provision groups Project Manager Provisioning Manager Create I
Directory Manager Project Manager Provisioning Manager Create Integrations Tasks Administrator Assign access to data integrations X X Create data integrations X X Edit data integrations Run Integrations X Copy data integrations X X Delete data integrations X X Create data integration groups X X View data integrations X X Run, or schedule to run, data integrations X X Run, or schedule to run, data integration groups X X X
Appendix C. Essbase User Provisioning
In This Appendix
Launching User Management Console from Essbase 149
Essbase Projects, Applications, and Databases in Shared Services 150
Essbase Users and Groups in Shared Services 151
Assigning Database Calculation and Filter Access
When you launch User Management Console from a browser, you log in as whatever user is appropriate. For example, you must log in as a Shared Services Administrator in order to provision an Essbase Administrator with the Directory Manager role, so that he or she can create and delete users. ➤ To launch User Management Console: 1 From Enterprise View, find the appropriate Analytic Server. 2 Under the server node, select the Security node. 3 Right-click and select User Management from the pop-up menu.
● An application with the same name as the Shared Services project. This application allows you to specify security at the Analytic Server level, and is known as the global Analytic Server application. ● A Shared Services application for each Essbase application on the Analytic Server. In Shared Services, if an Essbase application contains multiple databases, the databases must have the same user security access levels.
role for the application, you may want to assign an Essbase filter to the user, or assign the user access to a specific calculation script. When you select an Essbase application from User Management Console, a screen is displayed that lists all users and groups who are provisioned to that application. On this screen, you select the users and groups to which you want to assign additional permissions.
The calculation list is populated with the calculation scripts that exist for the selected database on Analytic Server. 11 If you want to assign only calculation access, select No update from the Filter drop-down list. 12 If you want to assign only filter access, select No update from the Calc drop-down list. Note: If you have not yet clicked Save, you can click Reset to revert to the original settings (or to revert the settings changed since the last save).
➤ To set application access type for users: 1 Launch User Management Console. See “Launching User Management Console from Essbase” on page 149. 2 Expand the Projects node, and select the global Essbase application. Note: An application with the same name as the Shared Services project is created within the project. This global application allows you to specify security at the Analytic Server level. 3 Right-click and select Assign Access Control.
Migrating Essbase Users to Shared Services Security Before you can use Shared Services to manage security, you must migrate Analytic Server and any existing Essbase users and groups to Shared Services. For detailed information on migrating users and groups to Shared Services, see the Hyperion Essbase - System 9 Database Administrator's Guide and the Hyperion Essbase - System 9 Administration Services Online Help.
Appendix D. Reporting and Analysis User Provisioning
In This Appendix
Launching User Management Console from Workspace 157
Reporting and Analysis Roles 157
Reporting and Analysis Role Hierarchy 157
Sample Role Combinations
Content Manager Branch
Scheduler Manager Branch Sample Role Combinations This table provides examples of the access and functionality achieved by assigning combinations of roles.
Combined Role Tasks Explorer + Analyst + Content Publisher ● Review interactive Web Analysis, Financial Reporting, and Interactive Reporting content in the Oracle's Hyperion® Workspace ● List and subscribe to repository content ● Review accessible interactive content in Web Analysis Studio ● Edit queries, re-query and arrange data ● Create Financial Reporting batches and books ● Import, modify and Save As dialog box ● Create and distribute new interactive Web Analysis, Financial Reporting, a
Appendix E. Financial Management User Provisioning
In This Appendix
Assigning Users and Groups to Financial Management Applications 161
Assigning User Access to Security Classes 162
Setting Up E-mail Alerting
Only a user assigned to the Provisioning Manager role can define users and groups for an application. Only the users and groups provisioned for the application are available when you select users and groups. ➤ To select users and groups for an application: 1 From Select Users and Groups, select an option: ● Show All to show all users that are provisioned ● Users or Groups, and in Search Criteria, enter the search criteria, and click Search.
Note: A user assigned to the Application Administrator role for an application has access to all information in that application, regardless of security class assignments.
➤ To assign user access to security classes:
1 Select the cells for which to assign access rights.
Tip: Use the Shift and Ctrl keys to select multiple cells. Select an entire column or row by clicking its header.
2 From Access Rights, select the access level to assign.
3 Click Set to apply the level to the selected cells.
Process Management Alerting
➤ To set up process management e-mail alerts:
1 For the scenario in the process unit, set the SupportsProcessManagement metadata attribute to "A" to allow alerts.
2 Assign the user to the Receive E-mail Alerts for Process Management role.
3 Assign the user to the Process Management notifiable roles defined in Table 30.
4 Assign the user ALL or PROMOTE access to the security classes assigned to the scenario and entity in the process unit, and add an alert for each security class.
role to receive alerts. The user who performed the action on the process unit is also notified with an e-mail confirmation log stating to whom e-mails were sent.
Intercompany Transaction Alerting
➤ To set up intercompany transaction e-mail alerts:
1 Assign the user to the Receive E-mail Alerts for IC Transactions role.
2 Assign the user to the Inter-Company Transaction Admin or Inter-Company Transaction User role.
Migrating Financial Management Users to Shared Services Security
For information on migrating users to Shared Services security, see "Using the Schema Upgrade Utility" in the Hyperion System 9 Financial Management Installation Guide.
Appendix F. Planning User Provisioning

In This Appendix
Launching User Management Console From Planning ... 167
Returning to Planning From User Management Console ... 167
Updating Users and Groups in Planning ... 168
Roles in Planning ...
Updating Users and Groups in Planning
Planning and Business Rules get the latest list of users, groups, and roles from User Management Console when:
● The application is refreshed with Security Filters selected.
● The ProvisionUsers utility is run. (See "Updating Users With a Utility" on page 169.)
● Someone logs in to the application; Planning then synchronizes that user with User Management Console.
Updating Users With a Utility
The ProvisionUsers utility, run by administrators from a command-line interface, synchronizes users maintained in User Management Console with a Planning application.
➤ To use the utility, launch the ProvisionUsers.
Roles in Planning
Subject to the applicable license for the software and users, Planning supports the roles described in Appendix A, "Hyperion Product Roles."
Write Access to Data in Essbase
All administrators have write access to Planning data in Essbase. By default, the security filters that Planning generates in Essbase for planners and interactive users are read-only.
Table 33 Access Permissions Between Planning and Essbase

Planning user type | User type for the Essbase connection
View User | Named User, Filter Access
Planner | Calculate
Interactive User | Calculate
Administrator | Database Designer*

*Not reflected in Application Manager.

About Connection Types and Planning
Planning establishes a connection to the Essbase database using the user type appropriate to the Planning role.
Appendix G. Business Rules User Provisioning

In This Appendix
About Business Rules Security ... 173
Launching User Management Console ... 174
Business Rules User Roles ... 174
Migrating Business Rules Users to Shared Services Security ...
Launching User Management Console
➤ To launch User Management Console from the Windows Start menu:
1 Select Programs > Hyperion > Foundation Services > User Management Console.
2 Create users and groups. See Chapter 7, "Managing Native Directory."
3 Provision users and groups. See Chapter 8, "Managing Provisioning."
Business Rules User Roles
Subject to the applicable license for the software and users, Oracle's Hyperion® Business Rules supports three predefined user roles.
❍ View all variables and macros
❍ Edit the specific business rules, sequences, macros, variables, and projects for which the user was granted editing permissions
Migrating Business Rules Users to Shared Services Security
To migrate native Analytic Administration Services and Business Rules users to Shared Services, run the Externalize Users utility in Analytic Administration Services.
Appendix H. Performance Scorecard User Provisioning

In This Appendix
Launching User Management Console from Performance Scorecard ... 177
Creating and Provisioning Users and Groups over Shared Services ... 178
Migrating Performance Scorecard Users and Groups to Shared Services Security ... 182

You can provision users for Performance Scorecard using Shared Services.
From the Shared Services User Management Console, you can perform the following tasks:
● Add and provision new users
● Modify or delete existing users
● Perform bulk provisioning of multiple users
For detailed instructions on using User Management Console, refer to Chapter 3, "User Management Console."
Managing Permissions in Performance Scorecard
User provisioning through Shared Services requires configuration on both the Shared Services server and the Performance Scorecard application.
The provisioning process requires both the Shared Services server and Performance Scorecard to be configured and running. External authentication ensures that the two applications can communicate, so that users are provisioned easily and accurately. To provision users so that they can use Performance Scorecard, these main steps are required:
1. Register with Shared Services.
2. Create the users and groups.
3.
➤ To create and provision a new user from Performance Scorecard:
1 Ensure that the Shared Services server is running.
2 Log on to Performance Scorecard as an Administrator.
3 From Performance Scorecard, select Administration > User Management. The Shared Services User Management Console is displayed.
4 From the Shared Services User Management Console, create and provision the users and groups as outlined in the Hyperion Security Administration Guide.
6 Optional: From Primary Domain on the Manage Properties tab, select a Primary Domain for the user.
7 Under Security Roles, select the Performance Scorecard security role to assign to the user. For detailed information on Performance Scorecard security roles, refer to the Hyperion Performance Scorecard - System 9 Administrator's Guide.
8 Click Finish to complete provisioning of the user for both Shared Services and Performance Scorecard.
● All user accounts that are no longer provisioned in Shared Services are listed for optional deletion. The list excludes the default admin, designer, and user accounts.
When you synchronize groups:
● All active, directly and indirectly provisioned groups are pulled from Shared Services.
● The Shared Services list is compared to the Performance Scorecard group accounts, matched by group name.
● Any missing group accounts are automatically created.
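The synchronization rules above (stale user accounts listed but not deleted, default accounts excluded from that list, groups pulled through nesting and created when missing) are easy to get subtly wrong, so here is an added illustration of the reconciliation in Python. It is not Performance Scorecard's own code: the data structures, the sample users and groups, and the treatment of inactive groups (the walk does not descend through an inactive group) are all assumptions made for the example.

```python
"""Illustration of Shared Services -> Performance Scorecard synchronization.

Added example, not Hyperion code. The SharedServicesView and ScorecardStore
shapes are assumed for illustration; the sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# The default accounts the guide says are never offered for deletion.
DEFAULT_ACCOUNTS = frozenset({"admin", "designer", "user"})


@dataclass
class SharedServicesView:
    provisioned_groups: Set[str]                      # directly provisioned for the app
    nested: Dict[str, Set[str]] = field(default_factory=dict)  # parent -> child groups
    inactive_groups: Set[str] = field(default_factory=set)
    provisioned_users: Set[str] = field(default_factory=set)


@dataclass
class ScorecardStore:
    user_accounts: Set[str]
    group_accounts: Set[str]


def effective_groups(ss: SharedServicesView) -> Set[str]:
    """Directly provisioned groups plus every active group nested beneath them.

    Assumption: an inactive group is skipped and its children are not visited.
    """
    seen: Set[str] = set()
    stack = list(ss.provisioned_groups)
    while stack:
        group = stack.pop()
        if group in seen or group in ss.inactive_groups:
            continue
        seen.add(group)
        stack.extend(ss.nested.get(group, ()))
    return seen


def stale_user_accounts(ss: SharedServicesView, store: ScorecardStore) -> List[str]:
    """Local accounts no longer provisioned in Shared Services, for review only.

    Nothing is deleted here: the guide describes this as optional deletion,
    and the default accounts are excluded from the list.
    """
    stale = (store.user_accounts - ss.provisioned_users) - DEFAULT_ACCOUNTS
    return sorted(stale)


def sync_groups(ss: SharedServicesView, store: ScorecardStore) -> List[str]:
    """Create any provisioned group missing locally (exact name match); return created."""
    missing = sorted(effective_groups(ss) - store.group_accounts)
    store.group_accounts.update(missing)
    return missing


def build_sample() -> Tuple[SharedServicesView, ScorecardStore]:
    """Constructed sample data: one nested hierarchy, one inactive group, one orphan user."""
    ss = SharedServicesView(
        provisioned_groups={"Scorecard_Users", "Finance"},
        nested={"Finance": {"Finance_EMEA", "Finance_Archive"},
                "Finance_EMEA": {"Finance_UK"}},
        inactive_groups={"Finance_Archive"},
        provisioned_users={"admin", "jchen", "mrossi"},
    )
    store = ScorecardStore(
        user_accounts={"admin", "designer", "user", "jchen", "mrossi", "tleft"},
        group_accounts={"Scorecard_Users"},
    )
    return ss, store


if __name__ == "__main__":
    ss, store = build_sample()
    print("review for deletion:", stale_user_accounts(ss, store))  # ['tleft']
    print("groups created:", sync_groups(ss, store))  # ['Finance', 'Finance_EMEA', 'Finance_UK']
```

Two practitioner caveats fall out of the rules. First, because admin, designer, and user are excluded from the stale list, removing their provisioning in Shared Services never surfaces them for review, so those accounts need a separate check. Second, matching groups by name means a group renamed in Shared Services appears as a new, missing group and is created alongside the old local one rather than replacing it.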
Before performing a migration, the following tasks must be performed:
● Ensure that the Performance Scorecard Administrator exists in Shared Services and has been assigned the Provisioning Manager security role.
● Ensure that the Performance Scorecard application has been registered and assigned to a project in Shared Services.
● Ensure that all employee e-mail addresses are valid and correctly formed (an address of the form name@domain.com).
8 For each user that you do NOT want to include in the migration, click Edit. The Migration dialog box is displayed.
9 From Migration Action, select Do Not Migrate for the selected user, then click Save.
This user will not be included in the one-time migration. If the user later needs to be added to the Shared Services list, you must add the user individually, as outlined in "Creating and Provisioning Users and Groups over Shared Services" on page 178.
Caution! Because the Migration option is available only once, Hyperion recommends that you include as many users in the migration as possible.
13 From Migration Action, select Do Not Migrate for the selected group, then click Save.
This group will not be included in the one-time migration. If the group later needs to be added to the Shared Services list, you must add the group individually, as outlined in "Creating and Provisioning Users and Groups over Shared Services" on page 178.
Caution! Because the Migration option is available only once, Hyperion recommends that you include as many groups in the migration as possible.
16 Click Test migration. A confirmation is displayed when the test migration has completed successfully; click OK to dismiss it. If the migration status messages indicate a problem, correct the errors and try again.
17 Click Migrate to begin the migration. Progress is indicated by the migration status messages, and a message is displayed when the migration has completed successfully.
Appendix I. Business Modeling Roles and Tasks

In This Appendix
Administrator ... 189
Builder ... 190
End User ...
Builder
The builder, or model builder, is the user who actually creates the original model or enterprise model by defining all elements of the model, such as boxes, links, variables, and financial values, and attaching financial data.
Appendix J. Essbase Provider Services User Provisioning

In This Appendix
Provisioning the Administrator Role in Shared Services ... 191
Migrating Analytic Provider Services Users to Shared Services ... 192

Provisioning the Administrator Role in Shared Services
Use Shared Services to provide security for Provider Services, which is administered through Administration Services.
6 To select an existing user to provision:
a. In the navigation pane, expand User Directories and then a directory, such as Native Directory.
b. Right-click Users and select Show All.
7 To search for a particular user, enter the user ID in the User box, then click Search.
8 From the list, select a user ID and select Provision.
9 In Provision Users or Groups, expand APS 9.3.0 Servers and then expand the name of the Provider Services instance.
10 Select Administrator to select the role.
11 Click Save.
Appendix K. Data Integration Management User Provisioning

In This Appendix
Authentication Methods ... 193
Data Integration Management User Roles ... 194

You can provision users for Data Integration Management using the Shared Services User Management Console.
Note: You can use Shared Services authentication with Data Integration Management installations on Windows, AIX, Linux, or Solaris, but not on HP-UX.
For Shared Services authentication, you must register Data Integration Management with Shared Services and select the Use Hyperion Shared Services Authentication option when you configure Data Integration Management with Shared Services. Otherwise, Data Integration Management falls back to Informatica native authentication.
Glossary

access permissions: A set of operations that a user can perform on a Hyperion resource.
aggregated role: A custom role that aggregates multiple predefined roles within a Hyperion product.
application: (1) A software program designed to run a specific task or group of tasks, such as a spreadsheet program or database management system. (2) A related set of dimensions and dimension members that are used to meet a specific set of analytical and/or reporting requirements.
load balancing: Distribution of requests across a group of servers, which ensures optimal end-user performance.
managed server: An application server process running in its own Java Virtual Machine (JVM).
manual stage: A stage that requires human intervention to complete.
model: (1) In data mining, a collection of an algorithm's findings about examined data. A model can be used (applied) against a wider set of data to generate useful information about that data.
taskflow management system: A system that defines, creates, and manages the execution of a taskflow. It enables the creation of taskflow definitions, interaction with taskflow participants (users or applications), and the launching of other applications during the execution of a business process.
taskflow participant: The resource that performs the task associated with the taskflow stage instance. The taskflow system requires a participant for both manual and automated stages.