Alter User

Add or remove a user to or from a group. Rename a user. Change the comment that describes a user. Enable or disable a user account. Change a user's password, or specify whether it should expire. Control user application access to application domains. Permission required: create_user.

When Essbase runs in Shared Services mode, the Essbase create_user permission becomes obsolete. You must be an Essbase administrator to manage users, and you must additionally be a Shared Services administrator to manage users from Shared Services.

Syntax

PASSWORD ENFORCEMENT SPECIFICATION

 

Notes

The following statements, used to synchronize all users or groups with Shared Services security, are deprecated with Release 9.2.0.3:

Instead, please perform a complete synchronization, using the following statement:

alter system resync sss;

Examples

alter user Fiona add to group Newhires;

Assigns Fiona to a group called Newhires.

alter user Fiona enable;

Enables user Fiona to log in again.

alter user Fiona set password_reset_days immediate;

Requires Fiona to change password at the next login.

alter user 'Autumn Smith' set type external;

Specifies that Autumn Smith is externally authenticated in a supported authentication repository (LDAP, Microsoft Active Directory, or Windows NT LAN Manager).

alter user ASmith rename to 'Autumn Smith';
alter user 'Autumn Smith' set type external;

Renames native Essbase user ASmith to Autumn Smith, because that is the name stored in the authentication repository. Specifies that Autumn Smith is externally authenticated in a supported authentication repository (LDAP, Microsoft Active Directory, or Windows NT LAN Manager).

alter user Fred set type external with protocol 'LDAP' identified by 'cn=Engineers, ou=Groups, dc=yahoo, dc=com@server2';

Specifies that Fred is externally authenticated with the Lightweight Directory Access Protocol. This authentication module is not supported by Shared Services; it is a custom Essbase .dll, retained for backward compatibility.

alter user Fiona remove application_access_type Essbase;

Removes Essbase application access from user Fiona. If user Fiona has permission to access Hyperion Planning, that permission remains intact.

Descriptions

Use alter user to change user information in the following ways:

| Key Phrase | Explanation |
|---|---|
| add [to group] | Add the user to a group. In Shared Services mode, this action automatically causes a user/group synchronization between Essbase and Shared Services. It is advisable to use Shared Services to manage users and groups instead. |
| add application_access_type | Add an application access type. An application access type controls what domains a user can access based on the named user license. To view a list of the user's allowed application access types, use display user. MaxL can be used only to add or remove Essbase access. |
| remove [from group] | Remove the user from a group. In Shared Services mode, this action automatically causes a user/group synchronization between Essbase and Shared Services. It is advisable to use Shared Services to manage users and groups instead. Note: If you deprovision a group in Shared Services that was provisioned to Essbase, users in the group remain in the Essbase security file after performing a single group synchronization. To deprovision a group and its users, perform a full system refresh. |
| remove application_access_type | Remove an application access type. MaxL can be used only to add or remove Essbase access. |
| rename to | Rename the user. |
| enable | Reactivate the user if the user's permission to log in has been terminated. |
| disable | Disable the user's permission to log in to Essbase. |
| set password | Change the user's password. |
| set password_reset_days INTEGER days | Specify the number of days before a password expires. This setting only has meaning if the system-level password_reset_days value (shown in the password_reset_days field of display system) is not zero or "none". The value of this setting must be between 1 and 65535. The maximum effective date for user-level password expiration is Jan 19, 2038. |
| set password_reset_days none | Remove any user-level password expiration setting created by alter user set password_reset_days INTEGER, and revert the password reset days value back to the system-level value (shown in the password_reset_days field of display system). |
| set password_reset_days immediate | Force the user to change password at the next login. |
| set password_reset_days exact | Undo the 'immediate' setting above. The reason for this is as follows: If the administrator chooses 'immediate' and then attempts to revert back to allowing a set number of days, it will not work because 'immediate' takes a high priority. Using 'exact' is the only way to reverse 'immediate.' |
| set type external | Skipping the protocol and parameters, specify that this user must log in to Essbase using the Hyperion security platform. In order for the user to be able to log in successfully, the AUTHENTICATIONMODULE parameter must be set to CSS in the essbase.cfg file, and the user name must match a valid user name in the external authentication repository. |
| set type external with protocol... | Specify that the user must log in using a custom Essbase external-authentication method, such as LDAP, instead of the standard Essbase login security. Not applicable for the Hyperion security platform. |
| set sss_mode | Migrate the user to Shared Services security mode. This might be useful if the user migration failed using alter system. Minimum permission required: Administrator. |

Password Enforcement Grammar

| Key Phrase | Explanation |
|---|---|
| enforce username_as_password | Create passwords that are the same as user names for users being migrated to Shared Services. Note: the passwords are created as lower-case, even if there are upper-case letters in the user name. For example, if a user name KSmith is migrated with this option, the password will be ksmith. |
| enforce auto_password | Automatically generate new passwords for the users being migrated to Shared Services. To discover the generated passwords, use display user all in shared_services_native with auto_password; Optionally save the generated passwords to a non-default file location. If specifying a file name that already exists, use the force keyword to overwrite the file. If no file name and location are specified, the passwords are saved by default to $ARBORPATH\bin\MigratedUsersPassword.txt. |
| enforce password <PASSWORD> | Generate the specified password for users being migrated to Shared Services. |

For more information, see the Hyperion Essbase - System 9 Database Administrator's Guide chapter entitled "User Management and Security."

| Key Phrase | Explanation |
|---|---|
| comment | Create a description of the user. |
| reset | Remove obstructions to logging in for the specified user account: the user account is re-enabled if it was disabled; any requirement to change password immediately is removed; if the password has expired, the expiration is cleared; the count of unsuccessful user logins is reset to 0. |
| sync security with all application | Applies in Shared Services security mode only. Force the user to be synchronized with security information for applications, so that it matches the status of Shared Services security. |
| all set sss_mode | Same as set sss_mode, but for all users. |
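
The password enforcement options and the custom external-authentication form described above all have security consequences that are easy to miss when reviewing a migration script. The following check is an added example, not Oracle's code: it scans MaxL text for those key phrases and reports what this page says each one does. The sample script is constructed, its set sss_mode statements are assembled from the key phrases on this page (an assumption about the exact grammar), and quoted literals are assumed to contain no embedded single quotes.

```python
import re

# Key phrases taken from this page, each mapped to the consequence
# the page itself documents for it.
RISKY_PHRASES = [
    (r"\benforce\s+username_as_password\b",
     "password equals the lower-cased user name"),
    (r"\benforce\s+auto_password\b",
     "generated passwords are saved to a file (default MigratedUsersPassword.txt)"),
    (r"\benforce\s+password\b",
     "one specified password is generated for the migrated users"),
    (r"\bset\s+type\s+external\s+with\s+protocol\b",
     "custom external-authentication module, not supported by Shared Services"),
]

# Constructed sample script; statement forms are assumptions (see lead-in).
SAMPLE = """\
alter user Fiona enable;
alter user KSmith set sss_mode enforce username_as_password;
alter user 'Autumn Smith' set type external;
alter user Fred set type external with protocol 'LDAP' identified by 'cn=Engineers; ou=Groups';
alter user all set sss_mode enforce auto_password;
"""

def split_statements(script):
    """Split MaxL text on ';', ignoring semicolons inside single quotes."""
    statements, current, in_quote = [], [], False
    for ch in script:
        if ch == "'":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    statements.append("".join(current).strip())  # trailing text without ';'
    return [s for s in statements if s]

def review(script):
    """Return (statement number, note) for each risky alter user statement."""
    findings = []
    for number, stmt in enumerate(split_statements(script), start=1):
        bare = re.sub(r"'[^']*'", "''", stmt)  # blank literals so they cannot match
        if not re.match(r"alter\s+user\b", bare, re.IGNORECASE):
            continue
        for pattern, note in RISKY_PHRASES:
            if re.search(pattern, bare, re.IGNORECASE):
                findings.append((number, note))
    return findings
```

Statements flagged for auto_password are a prompt to check where the password file was written and who can read it.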