Essbase security implementation



  1. Document: “Implementing Security in Oracle Hyperion Essbase using Shared Service”

     Description: This document provides an overview of the security model of Hyperion Essbase using Shared Services. It also focuses on cell-level security using Essbase filters and on common administrative activities associated with user/group administration.

     History:

     | Version | Description | Author | Publish Date | Change |
     |---------|-------------|--------|--------------|--------|
     | 0.1 | Initial Draft | Gaurav Shrivastava | 30-Mar-2011 | |
     | 0.1 | Review I | Amit Sharma | 1st April | |

     ©Business Intelligence Solution Providers
  2. Table of contents
     1) Introduction
     2) Launching Shared Service
     3) Converting Security Mode
     4) Benefits of externalizing the security
     5) Working with Shared Service
        a) Creating Group
        b) Creating User
     6) Add new Role
     7) How to create user through MaxL?
     8) Refresh Security from Shared Services
     9) Apply Provision
     10) Creating Filter
         a) Read Write Filter
         b) Read Filter
         c) Meta Data Read Filter
         d) Read and No_access Filter
         e) Read Write and No_access
         f) Metadata Read and write filter
         g) Filter on member Combination
         h) Filter on member Combination Separately
     11) Administration Option
     12) Configuring User Directories
     13) Recover Native Directory
     14) Configure Auditing
     15) Assign Access Control
     16) Understanding Roles
         a) Shared Service Roles
         b) Essbase Roles
  3. Introduction

     Shared Services is a common system for managing user and group access to all Oracle Hyperion products, including Essbase. Database organization, application organization and metadata management can be performed through Shared Services. Shared Services has a folder structure for Hyperion products, holding all application, database, artifact and user directory information. Folder views enable the administrator to migrate an entire folder structure or a portion of a folder structure easily using Shared Services. You can perform migration through Shared Services.

     Launching Shared Service

     You can launch Shared Services through the URL below.

     http://<server>:28080/interop/

     Click Launch Application.

     Pass the credentials.

     This is the Shared Services console, through which you can manage all Hyperion products. You can perform all administration tasks through this console, such as user creation, user deletion, assigning roles, managing
  4. groups etc. All applications are managed through the folder structure, which allows the administrator to migrate an entire folder structure or a portion of a folder structure easily using Shared Services.

     Shared Services integrates the products to provide these functionalities:
     1. User provisioning
     2. External authentication definition
     3. Task flow management

     The Shared Services server components:
     1. Databases (relational and OpenLDAP)
     2. Web application server
     3. User Management Console

     Converting Security Mode

     The default Essbase security mode is the internal security model. In this model, Essbase creates users and manages their passwords and their access, all within the Essbase product. Essbase uses the Essbase.sec file to store security information locally. It is therefore possible to have an Essbase server that does not manage roles and access via Shared Services, but that option is becoming increasingly uncommon. Its main use is for legacy Essbase servers, to migrate users from their legacy versions into the System 11 world of Shared Services.

     Alternatively, we can externalize the security and let Shared Services manage the security for Essbase.

     Benefits of externalizing the security:
     1) Backup/Restore Security: Provisioning information from Shared Services can be easily exported to XML using the utility that is packaged with Shared Services. This file contains all information about the LDAP users, groups, and provisioning. The same file can be used to import the provisioning in the event of a disaster recovery, file corruption or server upgrade.
     2) Automatic Refresh / Synchronization: The SHAREDSERVICESREFRESHINTERVAL setting in the Essbase.cfg file establishes an interval for periodic refreshes from Shared Services to Essbase. The setting is in minutes. To refresh every 30 minutes, the setting would be SHAREDSERVICESREFRESHINTERVAL 30
     3) Limited Admin Activities: Essbase administration tasks confined to the creation of Filters, Calculations, Load Rules, and Substitution Variables continue to be performed in Essbase.
  5. 4) Reduced Administration: User/group administration can be pushed to LDAP from Essbase “internal security”. Thus, when a new user is to be added, he or she will automatically get the proper Essbase security simply through the corporate security administrator establishing the user's ID in the appropriate LDAP group.

     Right click on Security and select Externalize Users.

     Click to confirm.

     Don't change the default conversion settings; click OK.

     Success message of the security mode conversion.
  6. Working with Shared Service

     Creating Group

     Right click on “Groups” and select “New”.

     Give the group a name, insert a description of the group, then click Next.

     Select group members.

     Assign group members, then click Next.
  7. Assign user members for this new group.

     Click Finish.

     Success message.

     To validate the new group, go to the groups in the native directory.

     Creating User

     Open Shared Services, expand User Directories, then Native Directory.

     Right click on Users and click New.

     Insert the user information and click Next.
  8. Assign the user to the group. Click Finish.

     Success message.

     The user is created successfully; open the users in the native directory to validate.

     Add new Role

     These are the available roles in Shared Services. You can also add a new role through Shared Services.

     Right click and click New Role.
  9. How to create user through MaxL?

     You can create a new user through a MaxL script with the following command.

     Provide access rights to the new user with the following command.

     Verify that the access rights are correctly assigned to the user. When you log in as the same user, only the “Bisp” application is shown.
  10. Refresh Security from Shared Services

      When you make changes in Shared Services, you have to refresh the Shared Services security in Essbase. Open Essbase.

      Right click on Security and select “Refresh security from shared services”.

      If you made changes for the current user, select current user; otherwise select refresh security for all users.

      Click OK.
  11. Confirm and click Yes.

      Success message.

      Apply Provision

      Through Shared Services you can apply provisioning to a particular user. Right click on the user.

      Select the desired roles from the available roles and save the changes.

      [The list of roles is given in the appendix]

      You can validate that “ram1” can access only the “Bisp” and “Sample” applications.
  12. 1) Create the user “Tom” through Shared Services. Right click on the user and assign the role to “Tom”.

      Now log off from the existing user and log in as the new user “Tom”.

      You can verify, by right clicking on the “Bisp” application, that “Tom” is not an administrator, so some options are disabled.
  13. Open Users: you can view the existing users, but when you click on “Tom” or any other user, only those options are enabled for which “Tom” has access rights.

      Creating Filter [Cell Level Security]

      You create a filter through a MaxL script and assign the access right to any user. You can also create a filter for a specific condition. The task flow is: first create the filter, assign access rights to the user, then log in as the user and check that the filter is working.

      1. Read Write Filter

      Open a MaxL script and write the script that creates a filter giving Read Write access.

      Click OK.
  14. Press Enter.

      Command for granting the access right to the user “ORG”.

      Click on the Execute button.

      You can verify that the user “ORG” has access rights to write to “Budget” through the lock and send method.
  15. Data is loaded successfully.

      Load data again, this time into the Actual field, through the lock and send method.

      When you update data in the Actual field and then try to lock it, Essbase throws the error below.
  16. 2. Read Filter

      A read-only filter for the specified area. This filter restricts the user from writing to the database, but the user can read “New York”. You have to write a MaxL script to create the filter and grant the filter to the user.

      Connect to the “BispBD” database and try to update or write “New York” data through the lock and send method. Essbase will throw the message below.

      3. Meta Data Read Filter

      This filter restricts the user from accessing all cube data. The user can access the data for which he has access rights. Through a MaxL script you can apply a filter for metadata read only. Create a new MaxL script, write the metadata read command shown below, then grant the filter to any user.
  17. Log in as user “ORG”.

      You can verify that the “ORG” user should not be able to access data other than “New York”.

      3. Read and No_access Filter

      Filter on user-defined attributes.
  18. UDAs in the outline of the cube.

      Execute the MaxL script and see the impact in Excel by logging in as the user.

      4. Read Write and No_access

      Create a filter providing read, write and no_access to the user “ORG”.
  19. Verification of read access.

      Verification of write access.

      Database is modified.
  20. Verification of no_access.

      5. Metadata Read and write filter

      Filter for assigning metadata.
  21. Assigning the filter to the user through the console

      Double click on user “ORG”.

      This is the user information; select the “App/Db Access” tab.

      Open the application databases, then assign the filter to the user and click Apply.
  22. Log in as the ORG user and then try to access Market. Only “East” data is visible to the user.

      The user also has the right to update, so update any value through the lock and send method.

      To verify whether the data was updated, “Retrieve” and check the updated cell.
  23. 6. Filter on member Combination

      You can also create filters on various combinations of members. This is the filter giving the user read access only for the combination of product “100-10” and “New York”.

      Below is the MaxL script for creating the filter and assigning it to the user.

      You can see in the outline that the alias for “100-10” is Cola.
  24. Log in as the “ORG” user and see the impact of the filter on the cube.

      7. Filter on member Combination Separately

      You can also write the filter on a separate basis, as shown in the MaxL script below.

      You can access all data which has either “Cola” or “New York”.
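
The difference between sections 6 and 7, written out as MaxL. This is an added example, not the scripts from the original slides, which are not reproduced in this transcript. The filter names `f_cola_and_ny` and `f_cola_or_ny` are hypothetical; `Bisp`, `BispBD`, `ORG`, “100-10” and “New York” are the names the slides use.

```maxl
/* Added example. Filter names are hypothetical; application, database,
   user and member names are the ones used on the slides. */

/* Section 6: one filter row that lists both members.
   Read access applies only to cells at the intersection of
   "100-10" (alias Cola) AND "New York". */
create or replace filter Bisp.BispBD.f_cola_and_ny
    read on '"100-10","New York"';

/* Section 7: two separate filter rows.
   Read access applies to every cell that belongs to
   "100-10" OR to "New York", a much wider area. */
create or replace filter Bisp.BispBD.f_cola_or_ny
    read on '"100-10"',
    read on '"New York"';

/* Grant the narrower filter to the user. */
grant filter Bisp.BispBD.f_cola_and_ny to ORG;

/* Review the stored filter rows before testing with lock and send,
   so that a filter meant as a combination was not saved as separate rows. */
display filter row Bisp.BispBD.f_cola_and_ny;
```

Because the separate-row form exposes far more cells than the combined form, confirm which of the two was created before granting the filter.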
  25. Administration Option
  27. Configuring User Directories

      You can configure a user directory if required.
  28. The native directory is already configured, though there is an option to edit the provider configuration.

      Make changes and click Finish.

      Recover Native Directory

      You can also recover the native directory if something goes wrong.
  29. Click on Start Recovery.

      Native directory recovered successfully.

      This is the log information of the native directory.

      You can change or configure the native directory password.

      Panel for changing the password.
  30. Configure Auditing
  32. Assign Access Control to Essbase Cube

      Open Shared Services, expand the application group, expand the Essbase server node, right click on the application and select “Assign Access Control”.

      Select the user from the available users, then click Next.

      Select the database.
  33. Apply the filter and calculation script.

      Select at least one user and click on the right check mark to validate the settings.

      Save the changes.
  34. Understanding Roles

      Shared Services Roles

      Administrator: is the power user. He can invoke Shared Services and perform administration tasks for all Hyperion products. Shared Services components are:

      Administrator: Provides control over all products that integrate with Shared Services. It enables more control over security than any other Hyperion product role. Administrators can perform all administrative tasks in the User Management Console and can provision themselves. This role grants broad access to all applications registered with Shared Services. The Administrator role is, by default, assigned to the admin Native Directory user, which is the only user available after you deploy Shared Services.

      Directory Manager: Creates and manages users and groups within Native Directory. Do not assign the Provisioning Manager role to Directory Managers, because combining these roles allows Directory Managers to provision themselves. The recommended practice is to grant one user the Directory Manager role and another user the Provisioning Manager role.

      LCM Manager: Runs the Artifact Life-Cycle Management utility to promote artifacts or data across product environments and operating systems. The LCM utility is also used to migrate applications within the same environment or to a different environment.

      Project Manager: Users who are assigned the Project Manager role can create and manage projects within Shared Services.
  35. Create Integrations: Creates Shared Services data integrations (the process of moving data between applications) using a wizard. For Oracle's Enterprise Performance Management Architect, creates and executes data synchronizations.

      Run Integrations: Views and runs Shared Services data integrations. For Performance Management Architect, executes data synchronizations.

      Dimension Editor: Creates and manages import profiles for dimension creation. Also creates and manages dimensions manually within the Performance Management Architect user interface or the Classic Application Administration option. Required to access Classic Application Administration options for Financial Management and Planning using Web navigation.

      Application Creator: Creates and deploys Performance Management Architect applications. Users with this role can create applications, but can change only the dimensions to which they have access permissions. Required, in addition to the Dimension Editor role, for Financial Management and Planning users to be able to navigate to their product's Classic Application Administration options. When a user with the Application Creator role deploys an application from Performance Management Architect, that user automatically becomes the application administrator and provisioning manager for that application. The Application Creator can create all applications.

      Analytic Services Application Creator: The Analytic Services Application Creator can create Generic Performance Management Architect applications.

      Financial Management Application Creator: The Financial Management Application Creator can create Consolidation applications and Performance Management Architect Generic applications. To create applications, the user must also be a member of the Application Creators group specified in the Financial Management Configuration Utility.

      Planning Application Creator: The Planning Application Creator can create Planning applications and Performance Management Architect Generic applications.

      Essbase Roles

      Power Roles

      Administrator: Grants full access to administer the server, applications and databases.

      Application Manager: Creates, deletes and modifies databases and application settings within the assigned application. Includes Database Manager permissions for the databases within the assigned application.

      Create/Delete Application: Creates and deletes applications and databases within applications. Includes Manager permissions for the applications and databases created by this user.

      Database Manager: Manages the databases, database objects, locks and sessions within the assigned application.

      Load/Unload Application: Starts and stops an application or databases.

      Interactive Roles

      Calc: Calculates, updates and reads data values based on the assigned scope, using any assigned calculations and filter.

      Write: Updates and reads data values based on the assigned scope, using any assigned filter.

      Filter: Accesses specific data and metadata according to the restrictions of a filter.

      View Roles

      Read: Reads data values.

      Server Access: Accesses any database that has a default access other than none.