User Management and Security

In This Section:

About Using Shared Services with Essbase

Essbase User Roles for Shared Services

Essbase Projects, Applications, and Databases in Shared Services

Essbase Users and Groups in Shared Services

Assigning Access to Users in Shared Services

Synchronizing Security Information Between Shared Services and Essbase

Migrating Essbase to Shared Services

Continuing to Use Essbase in Native Security Mode

Understanding Native Security Mode in Essbase

Creating Users and Groups in Native Security Mode

Granting Permissions to Users and Groups in Native Security Mode

Managing Users and Groups in Native Security Mode

Using Shared Services Security for External Authentication in Native Security Mode

Managing Global Security for Applications and Databases in Native Security Mode

Managing User Activity on the Essbase Server in Native Security Mode

Understanding the essbase.sec Security File

The information in this chapter applies to block storage and aggregate storage databases.

Also see the Oracle Hyperion Enterprise Performance Management System Security Administration Guide.

About Using Shared Services with Essbase

Essbase user management and security is provided through Shared Services, which provides user management, user provisioning, and external authentication definition. Provisioning refers to the process of assigning roles and access permissions to users for Essbase applications.

Products that implement Shared Services functionality require access to a Shared Services server running Shared Services client and server software, and to a database dedicated to Shared Services.

By default, after installation, Essbase Administration Server and Essbase Server are in native security mode. You can continue to use Essbase in native security mode to manage security for Essbase applications, databases, and artifacts. There is no change in behavior for Essbase in native security mode, except when using native security mode with external authentication. See Continuing to Use Essbase in Native Security Mode.

To use Shared Services security, you must migrate any Essbase Server applications and any existing Essbase users and groups to Shared Services. See Migrating Essbase to Shared Services.

Essbase User Roles for Shared Services

Roles, which determine the tasks that users can perform, can be grouped in the following ways:

  • Product-specific roles

    Examples of Essbase roles are Administrator and Database Manager. All Essbase roles are specific to a Shared Services application (the permissions granted to the user by the role apply only to the specific application for which the role is assigned, and not to all applications).

  • Shared Services roles

    Examples of Shared Services roles are Project Manager or Provisioning Manager. Most Shared Services roles are global (the role applies to all Shared Services applications). An exception is the Provisioning Manager role, which is specific to an application. For information on Shared Services roles, see the Oracle Hyperion Enterprise Performance Management System Security Administration Guide.

The following Essbase roles provide different levels of authority to perform tasks in Essbase.

You can provision a user with the following roles for an Essbase Server:

  • Administrator

  • Create/Delete Application

  • Server Access

You can provision a user with the following roles for an application:

  • Application Manager

  • Database Manager

  • Calc

  • Write

  • Read

  • Filter

  • Start/Stop Application

In Shared Services Console, roles belonging to Essbase are grouped under the Essbase node; roles belonging to Essbase applications are grouped under the application nodes.

Note:

There is no concept of provisioning an Administration Services Administrator user role through Shared Services. When migrated, an Administration Services Administrator is assigned no roles in Shared Services.

Table 61 lists the user roles that are specific to Essbase and the Shared Services role of Provisioning Manager, which is application-specific. The table shows the corresponding tasks that each user can perform.

Table 61. Essbase and Shared Services User Roles and Tasks

| User Role | Task Description |
| --- | --- |
| Project Manager | (A Shared Services role) Creates and manages projects within Shared Services. |
| Administrator (previously Supervisor) | Full access to administer the server, applications, and databases. Note: The Provisioning Manager role, which is a Shared Services application-specific role, is automatically assigned when you migrate Essbase Administrators (previously known as Supervisors). However, when you create an Essbase Administrator in Shared Services Console, you must manually assign the Provisioning Manager role. Users with the Provisioning Manager role can provision users and groups with roles for applications. |
| Create/Delete Application | Ability to create and delete applications and databases within applications. Includes Application Manager and Database Manager permissions for the applications and databases created by this user. |
| Server Access | Ability to access any application or database that has a minimum access permission other than none. Note: When you assign security at the Essbase application level, you must also assign the user the Server Access role for the Essbase Server that contains the application (unless the user already has another Essbase Server level role, for example Create/Delete Application). |
| Application Manager (previously Application Designer) | Ability to create, delete, and modify databases and application settings within the particular application. Includes Database Manager permissions for databases within the application. Note: The Provisioning Manager role is automatically assigned when you migrate Essbase Application Managers. However, when you create an Essbase Application Manager in Shared Services Console, you must manually assign the Provisioning Manager role. |
| Database Manager (previously Database Designer) | Ability to manage databases (for example, to change the database properties or cache settings), database artifacts, locks, and sessions within the assigned application. |
| Calc | Ability to calculate, update, and read data values based on the assigned scope, using any assigned calculations and filter. |
| Write | Ability to update and read data values based on the assigned scope, using any assigned filter. |
| Read | Ability to read data values. |
| Filter | Ability to access specific data and metadata according to the restrictions of a filter. |
| Start/Stop Application | Ability to start and stop an application or database. |

Essbase Projects, Applications, and Databases in Shared Services

Shared Services artifacts include projects, applications, user roles, users, and groups. When you assign access to a user or group in Shared Services, you provision the user or group with a role for an application. See the Oracle Hyperion Enterprise Performance Management System Security Administration Guide.

Shared Services and Essbase both use the term “application.” Essbase uses “application” to refer to a container for databases. Shared Services uses “application” to refer to an artifact for which you provision users. In this document, “application” refers to a Shared Services application, unless an Essbase application is specifically stated. In most cases, an Essbase application maps to a Shared Services application, so the distinction is unnecessary.

For Essbase, migration is done at the Essbase Server level. When you migrate an Essbase Server to Shared Services, a Shared Services project is created for the Essbase Server. The project is named Essbase Servers:machineName:EssbaseServer#, where machineName is the Essbase Server computer name and EssbaseServer# is the sequence number. If you migrate multiple Essbase Servers on the same computer, each Essbase Server migrated gets a different sequence number (EssbaseServer#). Also, if you delete the security file and remigrate an Essbase Server, each successful migration creates a new server project with a new sequence number. You can delete unwanted projects in Shared Services Console.

Essbase automatically creates the following applications within the project and automatically registers the applications with Shared Services:

  • An application named Essbase Servers:machineName:EssbaseServer#, which is the same name as the Shared Services project. This application, which allows you to specify security at the Essbase Server level, is known as the global Essbase Server application. After migration, you can rename the Shared Services project; however, the global Essbase Server application name is not renamed.

  • A Shared Services application for each Essbase application on the Essbase Server. In Shared Services, if an Essbase application contains multiple databases, the databases must have the same user security access levels. (However, users can have different calculation script and database filters assigned for databases within the same application. See Assigning Database Calculation and Filter Access.)

    Figure 145. Shared Services Essbase Server project (Essbase Servers: JWARD1:1) and global Essbase Server application (Essbase Servers: JWARD1:1).

Once you have migrated to Shared Services, when you create an application and database in Essbase, a corresponding Shared Services application is created within the Essbase Server project, and the application is automatically registered with Shared Services.

Essbase Users and Groups in Shared Services

When you migrate to Shared Services, all native Essbase users and groups that do not already exist in an external authentication directory are converted to native Shared Services users and groups in the native Shared Services user directory and are given equivalent roles. Externally authenticated users are registered with Shared Services but are still stored in their original authentication directory. See User and Group Migration.

After you have migrated to Shared Services, you must create and manage users and groups in Shared Services Console, or through the external user directory. See the Oracle Hyperion Enterprise Performance Management System Security Administration Guide.

When users and groups are stored in an external authentication directory from any supported authentication provider, you must be sure that identical names for users and groups are not used, even if the identically-named users or groups reside in different directories from the same authentication provider (for example, different directories from the same LDAP-based authentication provider) or in directories from different authentication providers (for example, an LDAP-based directory and an MSAD directory).

Shared Services supports aggregated groups, in which a parent group contains one or more subgroups. The subgroups inherit the roles of their parent group. For example, if a parent group is provisioned with the Essbase Administrator role, any subgroups (and users in the groups) inherit the Essbase Administrator role.

Note:

In Essbase, when you copy an application or database and the target Essbase Server is in Shared Services security mode, user and group security is not copied with the application. Use the copy provisioning functionality in Shared Services Console to copy security for an application.

Assigning Access to Users in Shared Services

Shared Services Console provides a centralized UI where you can perform user management tasks for Oracle Hyperion products. The Shared Services Console launches Essbase screens, which allow you to assign security access to database filters and calculation scripts. In Shared Services security mode, you use Shared Services Console, MaxL, or the API to manage security. (Some restrictions exist when managing security using MaxL or the API. See the Oracle Essbase Technical Reference and the Oracle Essbase API Reference.) In Administration Services Console you can only view security information.

For information on assigning access to users and groups and viewing a report of users, groups, and provisioned roles for each application, see the Oracle Hyperion Enterprise Performance Management System Security Administration Guide.

Launching and Logging In to Shared Services Console

To manage Essbase users in Shared Services Console, you must log in to the console as a user who is provisioned with the following Shared Services roles:

  • Provisioning Manager role for the appropriate Essbase Server or applications

  • Directory Manager role for the appropriate authentication directory

When you launch Shared Services Console from Administration Services, you automatically log in to Shared Services Console as the Essbase user that connects to the Essbase Server that you are accessing.

Note:

In Shared Services security mode, you must use the same user to log in to Administration Services Console as you use to connect to the Essbase Server.

When you launch Shared Services Console from a browser, you log in as whichever user is appropriate. For example, you must log in as a Shared Services Administrator to provision an Essbase Administrator with the Directory Manager role, so that he or she can create and delete users.

*  To launch Shared Services Console, see “Launching Shared Services Console” in the Oracle Essbase Administration Services Online Help.

    Assigning Server Access

    To specify security at the Essbase Server level in Shared Services security mode (for example, provisioning a user with the Provisioning Manager role for all Essbase applications on an Essbase Server), provision the user with the appropriate role for the global Essbase Server application; that is, the Shared Services application that represents the Essbase Server. See Essbase Projects, Applications, and Databases in Shared Services.

    Note:

    When you provision a user with the Essbase Administrator role, you must also manually provision the user with the Provisioning Manager role for the Essbase Server and for each Essbase application on the server. (When you migrate an Essbase Administrator, the Provisioning Manager role is automatically assigned.)

    Figure 146. Shared Services Console provisioning panel, displaying the roles available for the Essbase Server DTRIPATH-PC1 and the Demo application

    Assigning Application Access

    To specify security at the Essbase application level in Shared Services security mode (for example, provisioning a user with the Database Manager role for the Sample application) provision the user with the appropriate role for the application.

    Note:

    When you assign security at the Essbase application level, you must also assign the user the Server Access role for the Essbase Server that contains the application (unless the user already has another Essbase Server level role, for example Create/Delete Application).

    When you provision a user with the Application Manager role, you must also manually provision the user with the Provisioning Manager role for the appropriate application. (When you migrate an Essbase Application Manager, the Provisioning Manager role is automatically assigned.)

    You can set minimum permissions for an application, for example, if you want all users to have at least write access to all databases in an application. The default setting is None, meaning that no minimum permission is set; all users can access the application according to their roles.

    *  To set the minimum permission for an application, see “Setting Minimum Permissions for Applications” in the Oracle Essbase Administration Services Online Help.

      Assigning Database Calculation and Filter Access

      After provisioning users for Essbase applications in Shared Services Console, you can assign more granular access permissions to users and groups for a specific Essbase application and database. For example, after assigning a user access to an application and assigning the user’s role for the application, you can assign an Essbase filter to the user, or assign the user access to a specific calculation script.

      When you select an Essbase application from Shared Services Console, a screen is displayed, listing the users and groups provisioned to that application. On this screen, you select the users and groups to which you want to assign additional permissions. After clicking Next, select the database you want to work with, and then use the drop-down lists to assign filter and calculation script access to selected users and groups. For descriptive information about these two screens, click the Help button on one of these screens to display a context-sensitive help topic.

      *  To specify access permissions in Shared Services, use a tool:

      | Tool | Topic | Location |
      | --- | --- | --- |
      | Administration Services | Assigning Database Calculation and Filter Access | Oracle Essbase Administration Services Online Help |
      | MaxL | grant | Oracle Essbase Technical Reference |

        When you assign database calculation and filter access, you automatically log in to Administration Services and Essbase as the Shared Services Console logged-in user. This user must be an Essbase Administrator, Application Manager, or Database Manager. The user must have the Provisioning Manager role for the appropriate application(s).

        You cannot assign database calculation or filter access to an Essbase Administrator or Application Manager.

        *  To refresh Essbase with database calculation and filter access security information for newly provisioned users, click Refresh.

          Although you can assign access to database filters and calculation scripts through Shared Services Console, you must create the filters and calculation scripts in Essbase. For information on creating database filters, see Controlling Access to Database Cells.

          Assigning Application Access Type

          Essbase and Planning have the concept of an “application access type” for Essbase and Planning users. For example, when an Essbase user is created using any Essbase administration tool, the user is automatically assigned the application access type “Essbase”; when a Planning user is created using the Planning interface, the user is automatically assigned the application access type “Planning.” A user’s application access type specifies whether the user has access to Essbase applications only, to Planning applications only, or to both.

          When you select a global Essbase Server application from Shared Services Console, a screen is displayed, listing the users and groups provisioned to that application. On this screen, you select the users and groups for which you want to assign application access type. After clicking Next, use the drop-down list to assign application access type to the selected users and groups. For descriptive information about these two screens, click the Help button on one of these screens to display a context-sensitive help topic.

          *  To specify application access types for users in Shared Services, use a tool:

          | Tool | Topic | Location |
          | --- | --- | --- |
          | Administration Services | Assigning Application Access Type for Users in Shared Services | Oracle Essbase Administration Services Online Help |
          | MaxL | create user | Oracle Essbase Technical Reference |

            When you assign database calculation and filter access, you automatically log in to Administration Services and Essbase as the Shared Services Console logged-in user. This user must be a valid Essbase Administrator and must have the Provisioning Manager role for the appropriate applications.

            *  To refresh Essbase with application access type information for newly provisioned users, click Refresh.

              Synchronizing Security Information Between Shared Services and Essbase

              This topic provides information on synchronizing Essbase security with Shared Services security. (When the security information is out of sync, the user, group, and application information displayed in Essbase may be different from that in Shared Services.)

              User synchronization refers to the process of ensuring that Essbase reflects the latest security information for a specific user and any related groups.

              Refresh refers to the process of ensuring that Essbase reflects the latest security information for all users, groups, and applications on an Essbase Server.

              Using the Essbase configuration settings CSSSYNCLEVEL and CSSREFRESHLEVEL in the essbase.cfg file, you can set user synchronization and refresh to happen in the following ways:

              • Automatically at sync points.

              • When an Administrator requests a refresh of the security information.

              • When a user selects a database (user synchronization only).

              User Synchronization Using CSSSYNCLEVEL

              The CSSSYNCLEVEL configuration setting controls how Shared Services synchronizes security information for a specific user and any related groups when the user logs in to Essbase or selects a database.

              • CSSSYNCLEVEL AUTO: Shared Services synchronizes security information for a specific user and any related groups when the user logs in to Essbase or selects a database.

                User e-mail ID and description are not synchronized at user login or when selecting a database. E-mail ID and description are synchronized only following a requested or periodic (using the SHAREDSERVICESREFRESHINTERVAL configuration setting in essbase.cfg) full refresh of security information.

              • CSSSYNCLEVEL NONE: User information is not synchronized when a user logs in to Essbase or selects a database. Shared Services synchronizes user information only when an Administrator, Application Manager, or Database Manager requests a refresh of security information.

                If NONE is specified, when you provision a user with an Essbase Server role, you must request a refresh of security information to enable the user to log in.

              • CSSSYNCLEVEL DBSELECT: User information is synchronized when a user selects a database but not when the user logs in to Essbase.

                If DBSELECT is specified, when you provision a user with an Essbase Server role, you must request a refresh of security information to enable the user to log in.

              User Refresh Using CSSREFRESHLEVEL

              The CSSREFRESHLEVEL configuration setting controls how Shared Services refreshes the status of all users, groups, and applications for an Essbase Server at Essbase Server startup.

              • CSSREFRESHLEVEL AUTO: Shared Services automatically refreshes the status of all users, groups, and applications for an Essbase Server at Essbase Server startup.

              • CSSREFRESHLEVEL MANUAL: Shared Services refreshes security information only when an Administrator requests a refresh of security information.

              *  To request a refresh of security information, use a tool:

              | Tool | Topic | Location |
              | --- | --- | --- |
              | Administration Services | Refreshing Security From Shared Services | Oracle Essbase Administration Services Online Help |
              | MaxL | alter system | Oracle Essbase Technical Reference |

              Note:

              The information in this topic does not apply to changes made to access permissions for database filters and calculation scripts, which are synchronized immediately.

                Role Requirements For Refreshing Security

                You must have the following roles to refresh security:

                • Refresh security for the Essbase Server: Essbase Administrator.

                • Refresh security for an application: Administrator, Application Manager, or Database Manager.

                • Refresh security for a user: Users can synchronize their own security. An Essbase Administrator can synchronize security for all users.

                Scheduling Security Refreshes

                You can specify periodic, automatic refreshes of Essbase security information from Shared Services. For example, you can specify that Essbase refresh security information from Shared Services every 60 minutes.

                *  To schedule information refreshes from Shared Services, see the SHAREDSERVICESREFRESHINTERVAL configuration setting in the Oracle Essbase Technical Reference.

                Note:

                The CSSREFRESHLEVEL setting does not affect the SHAREDSERVICESREFRESHINTERVAL setting.

                  Migrating Essbase to Shared Services

                  After installation, Essbase and Administration Services are in native security mode. To use Shared Services, you must migrate to Shared Services security mode. For Essbase, migration is done at the Essbase Server level. Once you have converted to Shared Services security mode, you cannot convert back to native security mode.

                  Essbase Administration Server can run in Shared Services security mode with Essbase Server running in native security mode. However, if any Essbase Server that you administer from Administration Services Console runs in Shared Services security mode, Essbase Administration Server must also.

                  *  To migrate Essbase Server, Essbase Administration Server, and users and groups to Shared Services, use a tool:

                  | Tool | Topic | Location |
                  | --- | --- | --- |
                  | Administration Services | Converting Essbase Server and Migrating Users to Shared Services | Oracle Essbase Administration Services Online Help |
                  | MaxL | alter system | Oracle Essbase Technical Reference |

                    You must be an Essbase Administrator to run a migration.

                    For Essbase Administration Server, if you ran Oracle's Hyperion Enterprise Performance Management System Configurator after installation and specified a Shared Services server and login, at that point, Essbase Administration Server is converted to Shared Services security mode. You can view the Shared Services configuration information in the Essbase Administration Server properties window (Configuration tab). You can then choose to migrate Administration Services users to Shared Services.

                    *  To migrate Administration Services users or to remigrate any Essbase users and groups that failed migration, use a tool:

                    | Tool | Topic | Location |
                    | --- | --- | --- |
                    | Administration Services | Migrating Users to Shared Services | Oracle Essbase Administration Services Online Help |
                    | MaxL | display user, display group, alter user, alter group | Oracle Essbase Technical Reference |

                      You must be an Administration Services Administrator to migrate Administration Services users.

                      Note:

                      Before migrating users, groups, and applications to Shared Services, ensure that the NETDELAY and NETRETRYCOUNT configuration settings are high enough to allow the migration to complete. Set NETDELAY to at least 3 hours, possibly more, depending on the size of the security file. Return the settings to their original values once the migration is complete. Specify these settings in the client essbase.cfg file, which you place in the ESSBASEPATH/bin folder of the client computer from which you launch the migration. For example, if you use Administration Services Console to launch the migration, the client essbase.cfg file must be in the ESSBASEPATH/bin folder on the computer on which Essbase Administration Server is installed.

                      Essbase automatically creates a backup of the security file before and after migration (essbase.bak_preUPM and essbase.bak_postUPM). Oracle suggests that you manually back up these files to a safe location.

                      The Administration Services Essbase Server Properties window displays information on whether the server is in Shared Services security mode.

                      Application and Database Migration

                      After you have migrated to Shared Services, a project is created for each Essbase Server that you migrate. The project contains a Shared Services application for each Essbase application on the migrated server. See Essbase Projects, Applications, and Databases in Shared Services.

                      User and Group Migration

                      When you migrate to Shared Services, all native Essbase users and groups that do not already exist in an external authentication directory are converted to native Shared Services users and groups in the native Shared Services user directory and are given equivalent roles. For example, a native Essbase Administrator (previously known as Supervisor) becomes a Shared Services user with the Essbase Administrator and the Provisioning Manager roles assigned, and a native Essbase user with Calc privileges on a database becomes a Shared Services user with the Calc role assigned on the application that contains the database. During migration, Administrators and Application Managers are automatically given the Provisioning Manager role for the appropriate applications.

                      Note:

                      When Essbase runs in Shared Services mode, the Essbase create/delete user privilege becomes obsolete. You must be an Essbase administrator to create/delete Essbase users, and you must additionally be a Shared Services administrator to create/delete users in Shared Services.

                      Any externally authenticated users are registered with Shared Services but remain stored in their original authentication directory. If a user directory is not running, the entire migration fails.

                      Users created using custom authentication are not migrated unless a matching user is already in Shared Services.

                      Any disabled Essbase users or groups do not migrate.

                      An Essbase user name cannot exist as a group name in Shared Services. If it does, the Essbase user does not migrate.

                      In Shared Services, if an Essbase application contains multiple databases, the databases must have the same user security access levels. During migration, if a user has different access levels for two databases in the same application, the user is given the more restrictive access level for both databases. In such cases, a warning is sent to the Administrator who ran the migration and the information is logged in the Essbase Server log (ARBORPATH/essbase.log). You can also use the MaxL statement display user to list instances of multiple database access level changes.

                      Users and groups are migrated in the following order:

                      1. Applications are registered with Shared Services.

                      2. Groups are migrated.

                      3. Users are migrated.

                      If a migration fails, the status of the migration depends on the point at which it fails. For example, if the migration fails at step 1, then the total migration fails. If a migration fails at step 2, the result depends on the reason for failure. If a migration fails at step 3, when one or more users fail to migrate, then applications and groups may have been migrated.

                      Users and groups that fail migration are listed in the Essbase Server log (ARBORPATH/essbase.log). You can use the MaxL statements display user and display group to list users and groups that failed migration and to remigrate all or a selection of these failed users and groups.

                      When you use the Administration Services Externalize Users Wizard to migrate Administration Services users or to remigrate Essbase users that previously failed migration, migration errors are logged in the file that you specify in the wizard, as well as in the Essbase Server log (ARBORPATH/essbase.log).

                      If a group fails migration, all users in the group fail migration; you must repair and migrate the group in order for the users to migrate successfully.

                      The following conditions apply for successful group migration:

                      • An Essbase group name cannot exist as a user name in Shared Services. If it does, the Essbase group, and all users in the group, do not migrate.

                      • An Essbase user name cannot exist as a group name in Shared Services. If it does, the Essbase user does not migrate.

                      If a group exists in both Essbase and Shared Services, the following conditions apply:

                      • Shared Services cannot contain two groups at different levels in the same hierarchy (an ancestor-child relationship) when the groups exist in Essbase (see Example 2). If it does, the entire migration process fails.

                      • The Shared Services group cannot contain a user that does not exist in the Essbase group of the same name. If it does, the Essbase group, and all users in the group, do not migrate.

                      • The Essbase group cannot contain a user that exists in Shared Services, unless the Shared Services user belongs to the Shared Services group of the same name. If it does, the Essbase group, and all users in the group, do not migrate.

                      The following examples highlight group migration considerations:

                      Example 1: The groups in this example migrate successfully from Essbase to Shared Services.

                      Essbase has groups named group 1 and group 2:

                         group 1, group 2

                      Shared Services has two identical groups and also has a group 3, which contains group 1 and group 2:

                             group 3
                                |
                         group 1, group 2

                      The groups migrate successfully because group 1 and group 2 are at the same level as each other in Shared Services and because Essbase does not have a group 3.

                      Note:

                      If group 3 has Administrator (previously known as Supervisor) access to the Essbase Server instance and Essbase group 1 and group 2 have user access, the resulting group 1 and group 2 in Shared Services will have Administrator access.

                      Example 2: The migration in this example fails because Shared Services contains group 1 and group 2 at different levels.

                      Essbase has groups named group 1 and group 2:

                         group 1, group 2

                      Shared Services has group 1 and group 2, but group 1 contains group 2:

                         group 1
                             |
                         group 2

                      Example 3: The migration in this example fails because Essbase contains group 1, group 2, and group 3 and Shared Services contains group 3 at a different level from group 1 and group 2.

                      Essbase has groups named group 1, group 2, and group 3:

                         group 1, group 2, group 3

                      Shared Services has group 1 and group 2, but has a group 3, which contains group 1 and group 2:

                             group 3
                                |
                         group 1, group 2
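The group and user rules above, and Examples 1 to 3, expressed as a pre-migration check. This is an added example, not Oracle code: the `Essbase` and `SharedServices` classes and the `preflight` function are hypothetical, names are compared exactly as written, and disabled groups are assumed not to block their members.

```python
"""Pre-migration check of the group and user rules listed above (constructed model)."""
from dataclasses import dataclass, field


@dataclass
class Essbase:
    users: set                                   # native user names
    groups: dict                                 # group name -> set of member user names
    disabled: set = field(default_factory=set)   # disabled user or group names


@dataclass
class SharedServices:
    users: set                                   # existing user names
    groups: dict                                 # group name -> set of direct member user names
    nested: dict = field(default_factory=dict)   # group name -> set of directly nested groups


def descendants(hss, group):
    """Every group nested below `group` at any depth (safe against cycles)."""
    seen, stack = set(), list(hss.nested.get(group, ()))
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(hss.nested.get(g, ()))
    return seen


def preflight(ess, hss):
    """Predict the outcome: {'fatal': [...], 'groups': {name: reason}, 'users': {name: reason}}."""
    report = {"fatal": [], "groups": {}, "users": {}}
    failed = set()   # groups whose failure also blocks every member

    # Whole migration fails if two Essbase groups are ancestor and child in Shared Services.
    in_both = sorted(g for g in ess.groups if g in hss.groups)
    for parent in in_both:
        for child in sorted(descendants(hss, parent).intersection(in_both)):
            report["fatal"].append(f"{parent} is an ancestor of {child} in Shared Services")

    for name, members in sorted(ess.groups.items()):
        reason = None
        if name in ess.disabled:
            report["groups"][name] = "disabled in Essbase, not migrated"
            continue
        if name in hss.users:
            reason = "name exists as a Shared Services user"
        elif name in hss.groups:
            extra = hss.groups[name] - members
            stray = {u for u in members if u in hss.users and u not in hss.groups[name]}
            if extra:
                reason = f"Shared Services group holds users missing from Essbase group: {sorted(extra)}"
            elif stray:
                reason = f"members exist in Shared Services outside the same-named group: {sorted(stray)}"
        if reason:
            report["groups"][name] = reason
            failed.add(name)

    for user in sorted(ess.users):
        blocking = sorted(g for g, m in ess.groups.items() if user in m and g in failed)
        if user in ess.disabled:
            report["users"][user] = "disabled in Essbase, not migrated"
        elif user in hss.groups:
            report["users"][user] = "name exists as a Shared Services group"
        elif blocking:
            report["users"][user] = f"member of group(s) that fail: {blocking}"
    return report


# Constructed inputs reproducing Examples 1 to 3 from the text.
ESSBASE_12 = Essbase(users=set(), groups={"group 1": set(), "group 2": set()})
ESSBASE_123 = Essbase(users=set(), groups={"group 1": set(), "group 2": set(), "group 3": set()})
HSS_FLAT_UNDER_3 = SharedServices(
    users=set(),
    groups={"group 1": set(), "group 2": set(), "group 3": set()},
    nested={"group 3": {"group 1", "group 2"}},
)
HSS_1_OVER_2 = SharedServices(
    users=set(), groups={"group 1": set(), "group 2": set()}, nested={"group 1": {"group 2"}}
)

if __name__ == "__main__":
    for label, ess, hss in [("Example 1", ESSBASE_12, HSS_FLAT_UNDER_3),
                            ("Example 2", ESSBASE_12, HSS_1_OVER_2),
                            ("Example 3", ESSBASE_123, HSS_FLAT_UNDER_3)]:
        print(label, preflight(ess, hss)["fatal"] or "no hierarchy conflict")
```

Any entry under `fatal` corresponds to a condition that fails the entire migration, so resolve those before looking at the per-group and per-user results.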

                      Continuing to Use Essbase in Native Security Mode

                      For Essbase Servers, you can continue to use native authentication if you want to continue managing users and groups as you did in previous releases. In native security mode, you continue to manage users via Administration Services Console. You can continue to create native and external users as you did before.

                      If you plan to use external authentication in native security mode, you must configure external authentication through Shared Services. See Using Shared Services Security for External Authentication in Native Security Mode. Shared Services is not required for the custom authentication feature; see the Oracle Essbase Administration Services Online Help.

                      The following options apply:

                      • Essbase Server and Essbase Administration Server can both run in native security mode. You do not need to install and configure Shared Services if both of the following are true:

                        • Essbase and Administration Services are the only Oracle products you are installing.

                        • You want Essbase Server and Essbase Administration Server to continue running in native security mode and you do not plan to use external authentication in native security mode.

                      • Essbase Administration Server can run in Shared Services security mode with Essbase Server running in native security mode. The same rules apply to Essbase Provider Servers.

                        Note:

                        If any Essbase Server that you administer from Administration Services Console runs in Shared Services security mode, Essbase Administration Server must also run in Shared Services security mode. You cannot use a combination of Shared Services security mode and native security mode to manage users on an Essbase Server. You must choose one mode for managing all Essbase users on an Essbase Server. Native security mode will not be available in future releases of Essbase.

                      Understanding Native Security Mode in Essbase

                      Essbase provides a system for managing access to applications, databases, and other artifacts within Essbase. Using the Essbase security system provides protection in addition to the security available through your local area network.

                      The Essbase security system addresses a wide variety of database security needs with a multilayered approach to enable you to develop the best plan for your environment. Various levels of permission can be granted to users and groups or defined at the system, application, or database scope. You can apply security in the following ways:

                      • Users and groups.

                        To grant permissions to individual users and groups of users. When higher, these permissions take precedence over minimum permissions defined for applications and databases. Ordinary users have no inherent permissions. Permissions can be granted to users and groups by editing the users and groups or by using the grant statement in MaxL DDL (data definition language). See Granting Permissions to Users and Groups in Native Security Mode.

                        You can create users who log on using the parameters of an external authentication repository instead of the Essbase password. If you want users to use an outside authentication repository such as LDAP, you must implement the Shared Services security platform and create the Essbase users with a reference to the security platform. See Using Shared Services Security for External Authentication in Native Security Mode.

                      • Application and database settings.

                        To set common permissions for all users of an application or database, you can set minimum permissions that all users can have at each application or database scope. Users and groups with lower permissions than the minimum gain access; users and groups with higher granted permissions are not affected. You can also temporarily disable different kinds of access using application settings. See Managing Global Security for Applications and Databases in Native Security Mode.

                      • Server-wide settings.

                        Create and manage login restrictions for the entire Essbase Server. View and terminate current sessions and requests running on the entire Essbase Server or only on particular applications and databases. See Managing User Activity on the Essbase Server in Native Security Mode.

                      • Database filters.

                        Define database permissions that users and groups can have for particular members, down to the individual data value (cell). See Controlling Access to Database Cells.

                      Table 62 describes security permissions and the tasks that can be performed with those permissions.

                      Table 62. Description of Essbase Permissions

                      | Permission | Affected Scope | Description |
                      |---|---|---|
                      | No Access or None | Entire system, application, or database | No inherent access to any users, groups, or data values, unless access is granted globally or by a filter. No Access is the default when creating an ordinary user. Users with No Access permissions can change their passwords. |
                      | Read | Database | Ability to read data values. |
                      | Write | Database | Ability to read and update data values. |
                      | Metaread | Database | Ability to read metadata (dimension and member names) and update data for the corresponding member specification. |
                      | Execute (or Calculate) | Entire system, application, database, or single calculation | Ability to calculate, read, and update data values for the assigned scope, using the assigned calculation. Administrators, application managers for the application, and database managers for the database can run calculations without being granted execute access. |
                      | Database Manager | Database | Ability to modify outlines, create and assign filters, alter database settings, and remove locks/terminate sessions and requests on the database. A user with Database Manager permission in one database does not necessarily have that permission in another. |
                      | Application Manager | Application | Ability to create, delete, and modify databases within the assigned application. Ability to modify the application settings, including minimum permissions, remove locks on the application, terminate sessions and requests on the application, and modify any artifact within the application. You cannot create or delete an application unless you also have been granted the system-level Create/Delete Applications permission. A user with Application Manager permission in one application does not necessarily have that permission in another. |
                      | Filter Access | Database | Ability to access specific data and metadata according to the restrictions of a filter assigned to the user or group. The filter definition specifies, for subsets of a database, whether read, write, no access, or metaread is allowed for each subset. A user or group can be granted only one filter per database. Filters can be used in conjunction with other permissions. See Controlling Access to Database Cells. |
                      | Create/Delete Applications | Entire system | Ability to create and delete applications and databases within those applications, and control permissions, locks, and resources for applications created. Includes designer permissions for the applications and databases created by this user. |
                      | Create/Delete Users, Groups | Entire system | Ability to create, delete, edit, or rename all users and groups having equal or lesser permissions than their own. |
                      | Administrator | Entire system | Full access to the entire system and all users and groups. |

                      Creating Users and Groups in Native Security Mode

                      When you create a user or a group in Essbase, you define a security profile. The security profile is where you define the extent of the permissions that users and groups have in dealing with each other and in accessing applications and databases.

                      If you are using Administration Services, you also must create users on the Essbase Administration Server. See About Administration Services Users.

                      Creating Users in Native Security Mode

                      To create a user means to define the user name, password, and permission. You can also specify group membership for the user, and you can specify that the user must change the password at the next login attempt, or that the user name is disabled, preventing the user from logging on.

                      User names can contain only characters defined within the code page referenced by the ESSLANG variable, and they cannot contain a backslash (\). User names must begin with a letter or a number.

                      *  To create a user, use a tool:

                      | Tool | Topic | Location |
                      |---|---|---|
                      | Administration Services | Creating Users on Essbase Servers | Oracle Essbase Administration Services Online Help |
                      | MaxL | create user | Oracle Essbase Technical Reference |

                        For example, to create a user named admin and grant that user Administrator permissions, use the following MaxL statements:

                        create user admin identified by 'password';
                        grant administrator to admin;

                        Essbase and Planning have the concept of an “application access type” for Essbase and Planning users. For example, when an Essbase user is created using any Essbase administration tool, the user is automatically assigned the application access type “Essbase”; when a Planning user is created using the Planning interface, the user is automatically assigned the application access type “Planning.” A user’s application access type specifies whether the user has access to Essbase applications only, to Planning applications only, or to both.

                        *  To specify application access types for users, use a tool:

                        | Tool | Topic | Location |
                        |---|---|---|
                        | Administration Services | Setting Application Access Type for Users | Oracle Essbase Administration Services Online Help |
                        | MaxL | create user | Oracle Essbase Technical Reference |

                          For information about specifying application access type for Planning users, see Oracle Hyperion Planning, Fusion Edition documentation.

                          Creating Groups in Native Security Mode

                          Groups comprise users who share minimum access permissions. Placing users in groups can save you the time of assigning identical permissions to users again and again.

                          Note:

                          A member of a group may have permissions beyond those assigned to the group, if permissions are also assigned individually to that user.

                          The process for creating, editing, or copying groups is the same as that for users, except that there are no group passwords. You define group names and permissions just as you do for users.

                          Note:

                          A group name may not contain a backslash (\).

                          When you create a user, you can assign the user to a group. Similarly, when you create a group, you can assign users to the group. You must define a password for each user; there are no passwords for groups.

                          *  To create groups, use a tool:

                          | Tool | Topic | Location |
                          |---|---|---|
                          | Administration Services | Creating Groups on Essbase Servers | Oracle Essbase Administration Services Online Help |
                          | MaxL | create group | Oracle Essbase Technical Reference |

                            Granting Permissions to Users and Groups in Native Security Mode

                            You can define security permissions for individual users and groups. Groups comprise users who share minimum permissions. Users inherit the permissions of the group and additionally can have access to permissions exceeding those of the group.

                            Permissions can be granted to users and groups in the following ways:

                            Assigning User and Group Types in Native Security Mode

                            One way to assign permissions to users and groups is to define user and group types when you create or edit (modify the permissions of) the users and groups.

                            In Administration Services, users and groups can be created in different ways to specify their system-level permissions. These methods are represented in Administration Services Console as user types. In MaxL, user types do not exist; instead, you grant the permissions after the user is created.

                            In Administration Services, users can be created with the following types:

                            • Administrator.

                              A user or group with Administrator permission has full access to the entire system and all users and groups. The user who installs Essbase on the server is designated the System Administrator for that server. Essbase requires that at least one user on each server has Administrator permission. Therefore, you cannot delete or downgrade the permission of the last administrator on the server.

                            • User.

                              Users or groups with ordinary permission have no inherent access to any users, groups, or resources. This type of user is the default user.

                            • Users with Create/Delete Users, Groups permission.

                              This type of user or group can create, delete, edit, or rename users and groups with equal or lower permissions only.

                            • Users with Create/Delete Applications permission.

                              This type of user or group can create and delete applications and control permissions and resources applicable to those applications or databases they created.

                              Users with Create/Delete Applications permission cannot create or delete users, but they can manage application-level permission for those applications that they have created. For information about application-level permission, see Managing Global Security for Applications and Databases in Native Security Mode.

                            For instructions about creating users and groups, see Creating Users in Native Security Mode and Creating Groups in Native Security Mode.

                            Granting Application and Database Access to Users and Groups in Native Security Mode

                            If you need to grant resource-specific permissions to users and groups that are not implied in any user types, you can grant the specific application or database permissions to users when creating or editing them in Administration Services. Using MaxL, you grant the permissions after the user is created by using the grant statement.

                            You can grant or modify user and group application and database permissions from an edit-user standpoint or from an application or database security perspective. The results are the same.

                            Note:

                            If a user has insufficient permission to access the data in a database, the value does not show up in queries, or shows up as #NOACCESS.

                            There is no need to grant permissions to users or groups that are already Administrators—they have full permissions to all resources on the Essbase Server. For a given database, users or groups can also be granted any of the following permissions:

                            Table 63. Permissions Available at the Database Scope

                            | Database permission | Description |
                            |---|---|
                            | None | Indicates no access to any artifact or data value in a database. |
                            | Filter Access | Indicates that data and metadata access is restricted to those filters assigned to the user. (See Controlling Access to Database Cells.) The Filter check box grants a filter artifact to a user or group. A user or group can be granted only one filter per database. Selecting this option or any other option except None enables the selection of a filter artifact from the list box. |
                            | Read only | Indicates read permission; that is, the ability to retrieve all data values. Report scripts can also be run. |
                            | Read-write | Indicates that all data values can be retrieved and updated (but not calculated). The user can run, but cannot modify, Essbase artifacts. |
                            | Metaread | Indicates that metadata (dimension and member names) can be retrieved and updated for the corresponding member specification. |
                            | Calculate | Indicates that all data values can be retrieved, updated, and calculated with the default calculation or any calculation for which the user has been granted permission to execute. |
                            | Database Manager | Indicates that all data values can be retrieved, updated, and calculated. In addition, all database-related files can be modified. |

                            *  To grant or modify application or database permissions for a user or group, use a tool:

                            | Tool | Topic | Location |
                            |---|---|---|
                            | Administration Services | Managing User/Group Permissions for Applications and Databases | Oracle Essbase Administration Services Online Help |
                            | MaxL | To grant permissions: grant. To change the user type or group: alter user | Oracle Essbase Technical Reference |
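How user grants, group grants, and a database's minimum permission combine into one effective access level, as an added example for reviewing who actually reaches a database (not Oracle code). The ordering of levels is an assumption read off Table 63, Filter Access and Metaread are left out, Administrator is represented as the top database level, and all names and sample profiles are constructed.

```python
"""Effective database access in native security mode (constructed model)."""
from enum import IntEnum


class Access(IntEnum):
    # Assumed ordering, read off Table 63: each level includes the one before it.
    NONE = 0
    READ = 1
    WRITE = 2
    CALCULATE = 3
    DB_MANAGER = 4


def effective_access(user, database, users, groups, db_minimum):
    """Return (level, source) for `user` on `database`.

    users:      name -> {"admin": bool, "groups": [group names], "grants": {database: Access}}
    groups:     name -> {"admin": bool, "grants": {database: Access}}
    db_minimum: database -> Access, the minimum permission set on that database
    """
    profile = users[user]
    # Administrators have full access to every resource; no grant is consulted.
    if profile.get("admin"):
        return Access.DB_MANAGER, "Administrator"
    for g in profile["groups"]:
        if groups[g].get("admin"):
            return Access.DB_MANAGER, f"Administrator via group {g}"

    # Listed in tie-break order: max() keeps the first of several equal levels,
    # so the minimum permission is reported only when it exceeds every grant.
    candidates = [(profile["grants"].get(database, Access.NONE), "user grant")]
    candidates += [(groups[g]["grants"].get(database, Access.NONE), f"group {g}")
                   for g in profile["groups"]]
    candidates.append((db_minimum.get(database, Access.NONE), "database minimum permission"))
    level, source = max(candidates, key=lambda c: c[0])
    return (level, source) if level > Access.NONE else (Access.NONE, "no access")


def raised_by_minimum(database, users, groups, db_minimum):
    """Users whose access to `database` exists only because of its minimum permission."""
    return sorted(u for u in users
                  if effective_access(u, database, users, groups, db_minimum)[1]
                  == "database minimum permission")


# Constructed sample security profiles.
GROUPS = {"finance": {"admin": False, "grants": {"Sample.Basic": Access.WRITE}}}
USERS = {
    "admin": {"admin": True, "groups": [], "grants": {}},
    "ann": {"admin": False, "groups": ["finance"], "grants": {"Sample.Basic": Access.READ}},
    "bob": {"admin": False, "groups": [], "grants": {}},
    "cara": {"admin": False, "groups": ["finance"], "grants": {"Sample.Basic": Access.CALCULATE}},
}
DB_MINIMUM = {"Sample.Basic": Access.READ}

if __name__ == "__main__":
    for name in USERS:
        level, source = effective_access(name, "Sample.Basic", USERS, GROUPS, DB_MINIMUM)
        print(f"{name:6} {level.name:10} {source}")
    print("raised by minimum:", raised_by_minimum("Sample.Basic", USERS, GROUPS, DB_MINIMUM))
```

Users returned by `raised_by_minimum` hold no grant of their own on the database, so they are the ones who lose access if the minimum permission is lowered to None.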

                              Granting Designer Permissions to Users and Groups in Native Security Mode

                              Users and groups can be granted Application Manager or Database Manager permission for particular applications or databases. These permissions are useful for assigning administrative permissions to users who need to be in charge of particular applications or databases but need only ordinary user permissions for other purposes.

                              You must grant database access to other users if any of the following conditions apply:

                              • Users have not been granted sufficient user permission to access databases.

                              • The database in question does not allow users sufficient access through its minimum permission settings.

                              • Users do not have sufficient access granted to them through filters.

                              For references to methods you can use to grant Designer permissions to a user or group, see Granting Application and Database Access to Users and Groups in Native Security Mode.

                              Managing Users and Groups in Native Security Mode

                              To help manage security between users and groups, the following user-management tasks are available at varying degrees to users with different permissions.

                              Viewing Users and Groups in Native Security Mode

                              *  To view users and groups, use a tool:

                              | Tool | Topic | Location |
                              |---|---|---|
                              | Administration Services | Viewing Essbase Server Users and Groups | Oracle Essbase Administration Services Online Help |
                              | MaxL | display user or display group | Oracle Essbase Technical Reference |

                                Editing Users in Native Security Mode

                                To edit a user means to modify the security profile established when the user was created. For information about changing user passwords, see Propagating Password Changes in Native Security Mode.

                                *  To change a password or other user properties, use a tool:

                                | Tool | Topic | Location |
                                |---|---|---|
                                | Administration Services | Editing Essbase Server User Properties | Oracle Essbase Administration Services Online Help |
                                | MaxL | alter user | Oracle Essbase Technical Reference |

                                  Editing Groups in Native Security Mode

                                  To edit a group means to modify the security profile established when the group was created.

                                  *  To view or change group membership, use a tool:

                                  | Tool | Topic | Location |
                                  |---|---|---|
                                  | Administration Services | Editing Group Properties | Oracle Essbase Administration Services Online Help |
                                  | MaxL | display user in group; alter group | Oracle Essbase Technical Reference |

                                    Copying an Existing Security Profile in Native Security Mode

                                    An easy way to create a user with the same permissions as another user is to copy the security profile of an existing user. The new user is assigned the same user type, group membership, and application/database access as the original user.

                                    You can also create new groups by copying the security profile of an existing group. The new group is assigned the same group type, user membership, and application access as the original group.

                                    You can copy users and groups on the same Essbase Server or from one Essbase Server to another, according to your permissions. You can also migrate users and groups across servers along with an application. See “Copying Users” in the Oracle Essbase Administration Services Online Help.

                                    To copy a user or group, you duplicate the security profile of an existing user or group and give it a new name, which saves you the time of reassigning permissions when you want them to be identical.

                                    Note:

                                    Copying removes any security permissions that the creator does not have from the copy. For example, a user with Create/Delete Users permission cannot create an administrator by copying the profile of an existing administrator.

                                    *  To create a user or group by copying the security profile of an existing user or group, use a tool:

                                    | Tool | Topic | Location |
                                    |---|---|---|
                                    | Administration Services | Copying Essbase Server Users; Copying Groups | Oracle Essbase Administration Services Online Help |
                                    | MaxL | create user; create group | Oracle Essbase Technical Reference |

                                      Deleting Users and Groups in Native Security Mode

                                      *  To delete users and groups, use a tool:

                                      | Tool | Topic | Location |
                                      |---|---|---|
                                      | Administration Services | Deleting Essbase Server Users; Deleting Groups | Oracle Essbase Administration Services Online Help |
                                      | MaxL | drop user; drop group | Oracle Essbase Technical Reference |

                                        Renaming Users and Groups in Native Security Mode

                                        *  To rename users and groups, use a tool:

                                        Note:

                                        A group name may not contain a backslash (\).

                                        | Tool | Topic | Location |
                                        |---|---|---|
                                        | Administration Services | Renaming Essbase Server Users; Renaming Groups | Oracle Essbase Administration Services Online Help |
                                        | MaxL | alter user; alter group | Oracle Essbase Technical Reference |

                                          Using Shared Services Security for External Authentication in Native Security Mode

                                          External authentication means that the user login information needed by Essbase is maintained in a central authentication directory, such as Oracle Internet Directory or Lightweight Directory Access Protocol (LDAP) Directory.

                                          An authentication directory is a centralized store of user information such as login names and passwords, and other corporate information. The repository functions like a telephone directory. The authentication directory probably contains much more than user names and passwords; for example, it may include e-mail addresses, employee IDs, job titles, access rights, and telephone numbers. It may also contain artifacts other than users; for example, it may contain information about corporate locations or other entities.

                                          To use Shared Services security for external authentication in native security mode, you must install and configure Shared Services:

                                          • Register Essbase with Shared Services.

                                            See the Oracle Hyperion Enterprise Performance Management System Installation and Configuration Guide.

                                          • Configure user directories for Essbase.

                                            See the Oracle Hyperion Enterprise Performance Management System Security Administration Guide.

                                          *  To manage external authentication of users using Administration Services, see “Managing External Authentication” in the Oracle Essbase Administration Services Online Help.

                                            Managing Global Security for Applications and Databases in Native Security Mode

                                            In addition to granting permissions to users and groups, you can change security settings for entire applications and databases and their related files and resources. Application and database security settings enable you to manage connections and create a lowest-common-security profile for the applications and databases.

                                            Defining Application Settings in Native Security Mode

                                            You can define permissions and other security settings that apply to applications by changing the application settings. The settings you define for the application affect all users, unless they have higher permissions granted to them at the user level.

                                            Only users with Administrator permission (or Application Manager permission for the application) can change application settings.

                                            To define settings for an application, see the next two sections.

                                            Setting General Application Connection Options in Native Security Mode

                                            The following settings are available for various levels of application security. For information about how and when disabling these settings takes effect, see Table 64.

                                            • Allow Application to Start

                                              When disabled, prevents all users from starting the application directly or as a result of operations that would start the application; for example, attempting to change application settings or create databases. By default, the application is not prevented from starting.

                                            • Start When Essbase Server Starts

                                              When enabled, the application starts automatically whenever the Essbase Server starts. By default, the application does not start when the Essbase Server starts.

                                            • Allow commands

                                              When unchecked, prevents users from making requests to databases in the application, including non-data-specific requests such as viewing database information or changing database settings. Administrators are affected by this setting as a safety mechanism to prevent accidental changes to databases during maintenance operations. By default, commands are enabled.

                                            • Allow connects

                                              When unchecked, prevents users with a permission lower than Application Manager for that application from making connections to databases within the application that require the databases to be started. By default, connections to databases are allowed.

                                            • Allow updates

                                              When unchecked, prevents modification to on-disk database structures; for example, any operation that might have an effect on the data. This restriction does not include outline operations. To block metadata updates, set the database to read-only mode or uncheck Allow Commands and/or Allow Connects. By default, updates are enabled.

                                            • Enable Security

                                              When unchecked, Essbase ignores all security settings in the application and treats all users as Application Managers. By default, security is enabled.

                                            Table 64 describes when the implementation of protective application settings takes effect, how long the effects last, and which users are affected.

                                            Table 64. Scope and Persistence of Application-Protection Settings

| Disabled Application Setting | When the Disabled Setting Takes Effect | Which Users are Affected by the Disabled Setting | Persistence of the Disabled Setting |
| --- | --- | --- | --- |
| Allow Users to Start Application | Immediately | All users, including administrators. Users currently logged on and users who log on later. | The application cannot be started until an administrator re-enables the startup setting. |
| Start Application When Essbase Server Starts | Immediately | All users. | The application will not start with Essbase Server unless an administrator enables it. |
| Allow Commands | Immediately | All users, including administrators. Users currently logged on and users who log on later. | Commands are disabled until any of the following actions occur: (1) The administrator who disabled commands logs off. (2) The application is stopped and restarted. (3) An administrator re-enables commands. |
| Allow Connects | Immediately, except that disabling connections does not affect users who already have databases loaded. | Users with permissions lower than Application Manager. Users currently logged on and users who log on later. Users already connected to the database are not affected. | Connections are disabled until any of the following actions occur: (1) The application is stopped and restarted. (2) An administrator re-enables connections. |
| Allow Updates | Immediately | All users, including administrators. Users currently logged on and users who log on later. | Updates are disabled until any of the following actions occur: (1) The administrator who disabled updates logs off. (2) The application is stopped and restarted. (3) An administrator re-enables updates. |
| Enable Security | Immediately | All users, including administrators. Users currently logged on and users who log on later. | Security is disabled until a user re-enables security. |

                                            *  To change application settings, use a tool:

| Tool | Topic | Location |
| --- | --- | --- |
| Administration Services | Setting Application Properties | Oracle Essbase Administration Services Online Help |
| MaxL | alter application | Oracle Essbase Technical Reference |

                                              Note:

                                              If you perform maintenance operations that require disabling commands or updates, perform those operations within the same session as the one in which the setting was disabled.

                                              If you disable commands or updates in a MaxL script, be aware that the end of the script constitutes the end of the session. Calling a nested MaxL or ESSCMD script from the current MaxL script also constitutes the end of the session.

                                              If you disable commands or updates in an ESSCMD script, the end of the script constitutes the end of the session, but calling a nested ESSCMD script from the current ESSCMD script does not constitute the end of the session.

                                              Caution!

                                              Never power down or reboot your client computer when you have cleared any Allow settings. Always log off from the server correctly. Improper shutdown can cause the application to become inaccessible, which requires a full application shutdown and restart.

                                              If a power failure or system problem causes Essbase Server to improperly disconnect from the Essbase client, and the application is no longer accessible, you must shut down and restart the application. See Starting and Stopping Applications.

                                              Setting Application and Database Minimum Permissions in Native Security Mode

                                              Minimum database access permissions can be specified at the application or database level. If specified for an application, minimum database access permissions apply to all databases within the application. When a minimum permission is set to a level higher than None (or No Access) for an application or database, all users inherit that permission to access the database or databases.

                                              For example, if an application has read permission assigned as the minimum database access level, all users can read any database within that application, even if their individual permissions do not include read access. Similarly, if a database has a minimum permission setting of None, only users with sufficient granted permissions (granted directly or implied by filters or group membership) can gain access to the database.

                                              Users with Administrator, Application Manager, or Database Manager permissions are not affected by minimum permission settings applied to applications or databases they own. Administrators have full access to all resources, and Application Managers and Database Managers have full access for their applications or databases.

                                              Users and groups whose permissions are lower than the minimum inherit at least the minimum permissions for any applications or databases.

                                              Changes to the minimum permission settings for applications affect only those databases that have lower minimums. In other words, settings defined at a lower level take precedence over more global settings.

                                              The permissions listed in Table 65 are available as minimum settings for applications and databases. Databases of an application inherit the permissions of the applications whenever the application permissions are set higher than those of the database.

                                              Table 65. Minimum Permission Settings Available for Applications and Databases  

| Permission | Description |
| --- | --- |
| None | Specifies that no minimum permission has been defined for the application or database. None is the default global permission for newly created applications and databases. |
| Read | Specifies read-only access to any artifact or data value in the application or database. Users can view files, retrieve data values, and run report scripts. Read access does not permit data-value updates, calculations, or outline modifications. |
| Write | Specifies Update access to any data value in the databases of the application, or in one database. Users can view Essbase files, retrieve and update data values, and run report scripts. Write access does not permit calculations or outline modifications. |
| Metaread | Gives read access to the specified members but hides data for their ancestors and hides data and metadata for their siblings. |
| Calculate | Specifies Calculate and update access to any data value in the databases of the application, or in one database. Users can view files, retrieve, update, and perform calculations based on data values, and run report and calculation scripts. Calculate access does not permit outline modifications. |
| Designer (for Application or Database) | Specifies Calculate and update access to any data value in the databases of the application, or in one database. In addition, Designer permission enables users to view and modify the outline and files, retrieve, update, and perform calculations based on data values, and run report and calculation scripts. |

                                              Note:

                                              Although any user with a minimum of read access to a database can start the database, only an Administrator, a user with Application Manager permission for the application, or a user with Database Manager permission for the database can stop the database.
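
The following Python example is added here; it is not part of the Essbase documentation and does not use any Essbase API. It applies the inheritance rules described above to a constructed inventory and reports every user whose access to a database comes from a minimum permission setting rather than from a grant. The class names, the rank order of the permissions, the omission of Metaread, the server-wide treatment of manager roles, and the sample applications and users are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Perm(IntEnum):
    """Minimum-permission levels from Table 65, lowest to highest.

    Assumption: this rank order. Metaread is left out because the page
    does not place it in a simple order relative to Read and Write.
    """
    NONE = 0
    READ = 1
    WRITE = 2
    CALCULATE = 3
    DESIGNER = 4


# Roles the page says are not affected by minimum-permission settings.
# Simplification: the role is treated as covering every application and
# database in the inventory, not only the ones the user owns.
EXEMPT_ROLES = {"Administrator", "Application Manager", "Database Manager"}


@dataclass
class Database:
    name: str
    minimum: Perm = Perm.NONE  # None is the default for new databases


@dataclass
class Application:
    name: str
    minimum: Perm = Perm.NONE  # None is the default for new applications
    databases: list = field(default_factory=list)


@dataclass
class User:
    name: str
    role: str = "User"  # hypothetical label for an ordinary account
    # "App.Db" -> permission granted directly or through a group or filter
    grants: dict = field(default_factory=dict)


def effective_minimum(app, db):
    """A database inherits the application minimum whenever it is higher."""
    return max(app.minimum, db.minimum)


def granted_on(user, app, db):
    """Permission the user holds on the database without any minimum."""
    return user.grants.get(f"{app.name}.{db.name}", Perm.NONE)


def effective_access(user, app, db):
    """Access the user ends up with; None means the role is exempt."""
    if user.role in EXEMPT_ROLES:
        return None
    return max(granted_on(user, app, db), effective_minimum(app, db))


def audit(users, apps):
    """Return (user, database, granted, effective) for every case where a
    minimum setting, not a grant, is what gives the user the access."""
    findings = []
    for app in apps:
        for db in app.databases:
            for user in users:
                effective = effective_access(user, app, db)
                granted = granted_on(user, app, db)
                if effective is not None and effective > granted:
                    findings.append((user.name, f"{app.name}.{db.name}",
                                     granted.name, effective.name))
    return findings


def constructed_sample():
    """Constructed inventory; none of these names come from a real server."""
    sales = Application("Sales", Perm.READ, [
        Database("Actuals"),               # inherits READ from the application
        Database("Forecast", Perm.WRITE),  # own minimum is higher, so it wins
    ])
    payroll = Application("Payroll", Perm.NONE, [Database("Salaries")])
    users = [
        User("alice", grants={"Sales.Actuals": Perm.WRITE}),
        User("bob"),
        User("carol", role="Administrator"),
    ]
    return users, [sales, payroll]


if __name__ == "__main__":
    for finding in audit(*constructed_sample()):
        print("%-6s %-15s granted=%-5s effective=%s" % finding)
```

A finding on a sensitive database indicates that its minimum, or the minimum of its application, should be set to None so that access depends on explicit grants.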

                                              *  To set minimum permissions for an application, use a tool:

| Tool | Topic | Location |
| --- | --- | --- |
| Administration Services | Setting Minimum Permissions for Applications | Oracle Essbase Administration Services Online Help |
| MaxL | alter application | Oracle Essbase Technical Reference |

                                                *  To set minimum permissions for a database, use a tool:

| Tool | Topic | Location |
| --- | --- | --- |
| Administration Services | Setting Minimum Permissions for Databases | Oracle Essbase Administration Services Online Help |
| MaxL | alter database | Oracle Essbase Technical Reference |

                                                  Managing User Activity on the Essbase Server in Native Security Mode

                                                  This topic explains how to manage the activities of users connected to the Essbase Server. The security concepts explained in this section are session and request management, lock management, connection management, and password and user name management. For information about managing security for partitioned databases, see Designing Partitioned Applications.

                                                  Disconnecting Users and Terminating Requests in Native Security Mode

                                                  The security system lets you disconnect a user from the Essbase Server in order to perform maintenance tasks.

                                                  To view sessions, disconnect sessions, or terminate requests, you must have Administrator permission or Application Manager permission for the specified application. You can view or terminate only sessions or requests for users with permissions equal to or lower than your own.

                                                  A session is the time between login and logout for a user connected to Essbase Server at the system, application, or database scope. A user can have multiple sessions open at any time; for example, a user may be logged on to different databases. If you have the appropriate permissions, you can log off sessions based on any criteria you choose; for example, an administrator can log off a user from all databases or from one database.

                                                  A request is a query sent to Essbase Server by a user or by another process; for example, a default calculation of a database, or a restructuring of the database outline. Each session can process only one request at a time.

                                                  Note:

                                                  You cannot terminate a restructure process. If you attempt to terminate it, a "command not accepted" error is returned, and the restructure process is not terminated.

                                                  *  To disconnect a session or request using Administration Services, see “Disconnecting User Sessions and Requests” in the Oracle Essbase Administration Services Online Help.

                                                    *  To disconnect a session or request using MaxL, use alter system kill request or alter system logout session. See the Oracle Essbase Technical Reference.

                                                      Managing User Locks in Native Security Mode

                                                      Spreadsheet Add-in users can interactively send data from a spreadsheet to the server. To maintain data integrity while providing multiple-user concurrent access, Essbase enables users to lock data for the purpose of updating it. Users who want to update data must first lock the records to prevent other users from trying to change the same data.

                                                      Occasionally, you may need to force an unlock operation. For example, if you attempt to calculate a database that has active locks, the calculation must wait when it encounters a lock. By clearing the locks, you allow the calculation to resume.

                                                      Only Administrators can view users holding locks and remove their locks.

                                                      *  To view or remove locks, use a tool:

| Tool | Topic | Location |
| --- | --- | --- |
| Administration Services | Viewing Data Locks and Unlocking Data | Oracle Essbase Administration Services Online Help |
| MaxL | drop lock | Oracle Essbase Technical Reference |

                                                        Managing Passwords and User Names in Native Security Mode

                                                        You can limit the number of login attempts users are allowed, the number of days a user can go without using Essbase before the user name is disabled on the server, and the number of days users are allowed to keep the same password. Only system administrators (users with Administrator permission) can access these settings. The limitations apply to all users on the server and are effective upon clicking OK.

                                                        Note:

                                                        If you later change the number of unsuccessful login attempts allowed, Essbase resets the count for all users. For example, if the setting was 15 and you changed it to 20, users are allowed 20 new attempts. If you changed the setting to 2, a user who had exceeded that number when the setting was 15 is not locked out. The count returns to 0 for each change in settings.

                                                        *  To place limitations on users, use a tool:

| Tool | Topic | Location |
| --- | --- | --- |
| Administration Services | Managing Password Longevity; Disconnecting Users Automatically | Oracle Essbase Administration Services Online Help |
| MaxL | alter system; alter user | Oracle Essbase Technical Reference |

                                                          Propagating Password Changes in Native Security Mode

                                                          You can change a user’s password and propagate the new password to other Essbase Servers. You need Create/Delete Users and Groups permissions for both the source and the target servers. The user whose password you are changing must exist on the target servers, and the target servers must be running.

                                                          If you use Administration Services to change a user’s Essbase Server password, and if the user is also an Administration Services user, the user’s Administration Services user properties are updated automatically. The user’s Administration Services password is not affected. See “Changing Passwords for Essbase Server Users” in the Oracle Essbase Administration Services Online Help.

                                                          *  To change a user’s Essbase Server password and propagate the new password to other Essbase Servers, see “Propagating Passwords Across Servers” in the Oracle Essbase Administration Services Online Help.

                                                            Viewing and Activating Disabled User Names in Native Security Mode

                                                            You can prevent a user from logging in to an Essbase Server by disabling the user name at the Essbase Server level. A user name is disabled automatically when the user exceeds the specified limitations, or it can be disabled manually for individual users. For more information about limitations that cause user names to become disabled automatically, see Managing Passwords and User Names in Native Security Mode.

                                                            Administration Services provides a Disabled Usernames window that enables you to view and activate all user names that have been disabled for an Essbase Server. Only users with at least Create/Delete User permission can view or reactivate disabled user names.

                                                            *  To disable a user name manually, use a tool:

| Tool | Topic | Location |
| --- | --- | --- |
| Administration Services | Disabling Usernames | Oracle Essbase Administration Services Online Help |
| MaxL | alter user | Oracle Essbase Technical Reference |

                                                              *  To view or activate currently disabled user names, use a tool:

| Tool | Topic | Location |
| --- | --- | --- |
| Administration Services | Viewing or Activating Disabled Usernames | Oracle Essbase Administration Services Online Help |
| MaxL | alter user | Oracle Essbase Technical Reference |

                                                                Understanding the essbase.sec Security File

                                                                The contents of the essbase.sec security file are encrypted. When you back up essbase.sec, the contents of the essbase.bak backup file are also encrypted. The backup procedure for Essbase security information depends on whether you are using Essbase in native security mode or in Shared Services security mode.

                                                                To review the contents of the essbase.sec file, you can export the contents to a readable, text-file format. See Exporting the Security File.

                                                                Security File Backups in Native Security Mode

                                                                When Essbase is in native security mode, all information about users, groups, passwords, permissions, filters, applications, databases, and their corresponding directories is stored in the Essbase security file (essbase.sec) in the ESSBASEPATH/bin directory. See Backing Up the Security File.

                                                                Security File Backups in Shared Services Security Mode

                                                                When Essbase is in Shared Services security mode, some security information is stored by Shared Services and/or by the external user directories, and some security information is stored in the Essbase security file (essbase.sec).

                                                                When Essbase is in Shared Services security mode, in addition to backing up the Essbase security file (essbase.sec), you must follow backup procedures for Shared Services and for any external authentication directories.

                                                                The following information is stored by Shared Services or by the external user directories:

                                                                • Users

                                                                • Groups

                                                                • Passwords

                                                                • User and group role information for applications

                                                                For information on backup procedures, see the Oracle Hyperion Enterprise Performance Management System Backup and Recovery Guide and the documentation for the appropriate external user directories.

                                                                The following information is stored in the Essbase security file (essbase.sec) in the ESSBASEPATH/bin directory:

                                                                • Calculation script access

                                                                • Filter access

                                                                • Application access type

                                                                • Application and database properties, including substitution variables and DISKVOLUMES settings (block storage databases only).

                                                                See Backing Up the Security File.

                                                                Caution!

                                                                Back up the Essbase security file and Shared Services simultaneously.

                                                                Note:

                                                                Essbase automatically creates a backup of the security file before and after migration (essbase.bak_preUPM and essbase.bak_postUPM). See Migrating Essbase to Shared Services.

                                                                Security Information Recovery in Shared Services Security Mode

                                                                If a discrepancy occurs between the security information in Shared Services and the security information in the Essbase security file, the type of discrepancy determines whether Shared Services information or the Essbase security file information takes precedence.

                                                                User and Group Information

                                                                Shared Services takes precedence for user and group information. User and group information can be restored using Shared Services and external user directory backup and recovery procedures (see the Oracle Hyperion Enterprise Performance Management System Backup and Recovery Guide).

                                                                Note:

                                                                When recovering user and group information, any associations to filters, calculation scripts, and application access type are lost if the Shared Services backup does not have the information. If the Essbase security backup file does not have the information, the filters and calc scripts themselves are lost (not just the associations to the users or groups).

                                                                Application Information

                                                                Essbase takes precedence for application and database information. If an application is deleted from Shared Services, the application is still available in Essbase. You must reregister the application with Shared Services. If an application is deleted in Essbase, it is automatically deleted from Shared Services.

                                                                *  To reregister an application with Shared Services, use a tool:

| Tool | Topic | Location |
|------|-------|----------|
| Administration Services | Reregistering an Application With Shared Services | Oracle Essbase Administration Services Online Help |
| MaxL | alter application | Oracle Essbase Technical Reference |

                                                                  Backing Up the Security File

                                                                  Each time you successfully start Essbase Server, two backup copies of the security file are created—essbase.bak and essbase.bak_startup.

                                                                  The essbase.bak_startup file is updated only at Essbase Server startup. You cannot update it any other time.

                                                                  You can update essbase.bak more often using one of the following methods:

                                                                  • Manually compare essbase.bak to the security file at any time and update it if necessary.

                                                                  • Specify an interval at which Essbase automatically compares essbase.bak to the security file and updates essbase.bak, if necessary. See Changing Security Backup File Comparison Frequency.

                                                                  *  To update the essbase.bak file, use a tool:

| Tool | Topic | Location |
|------|-------|----------|
| Administration Services | Updating the Security Backup File | Oracle Essbase Administration Services Online Help |
| MaxL | alter system sync security backup | Oracle Essbase Technical Reference |

                                                                    If you attempt to start Essbase Server and cannot get a password prompt or your password is rejected, no backup files are created. You can restore from the last successful startup by copying essbase.bak to essbase.sec. Both files are in the ESSBASEPATH/bin directory where you installed Essbase. If you are using Essbase in Shared Services security mode, you must also restore the latest backups from Shared Services and any external user directories.

                                                                    Caution!

                                                                    If Essbase stops running unexpectedly for any reason, such as a freeze, abnormal shutdown, or as the result of terminating a process, do not restart Essbase Server until you copy the backup file (essbase.bak) to the security file (essbase.sec). If you do not perform the copy first, Essbase may replace the essbase.bak file with the corrupted essbase.sec file.

                                                                    In the event that the essbase.bak file is destroyed or lost, you can restore the security file using the essbase.bak_startup file by copying essbase.bak_startup to the security file (essbase.sec).
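The restore order described above (essbase.bak first, essbase.bak_startup as the fallback), as an added shell example that is not part of the Oracle documentation. The function names and the essbase.sec.suspect.* and essbase.sec.restore.* file names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Oracle tooling. Run only while Essbase Server is stopped.

# pick_backup DIR: print the backup to restore from, in the order the text
# gives: essbase.bak first, essbase.bak_startup if that one is lost.
pick_backup() {
    dir=$1
    for name in essbase.bak essbase.bak_startup; do
        # -s skips missing and zero-byte files (assumption: a zero-byte
        # backup is never a valid security file).
        if [ -s "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# restore_security_file DIR: copy the chosen backup over DIR/essbase.sec.
# Returns 0 on success, 1 if no usable backup exists, 2 if a copy step fails.
restore_security_file() {
    dir=$1
    src=$(pick_backup "$dir") || { echo "no usable backup in $dir" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    tmp="$dir/essbase.sec.restore.$$"          # hypothetical temp name

    # Keep the suspect file for later analysis instead of discarding it.
    if [ -e "$dir/essbase.sec" ]; then
        cp -p "$dir/essbase.sec" "$dir/essbase.sec.suspect.$stamp" || return 2
    fi

    # Copy to a temporary name, verify byte-for-byte, then rename, so that
    # essbase.sec is never left half-written.
    cp -p "$src" "$tmp" || return 2
    if ! cmp -s "$src" "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    mv -f "$tmp" "$dir/essbase.sec" || return 2
    echo "restored essbase.sec from ${src##*/}"
}
```

Call it as restore_security_file "$ESSBASEPATH/bin" before starting Essbase Server. In Shared Services security mode, the Shared Services and external user directory backups still have to be restored separately.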

                                                                    Changing Security Backup File Comparison Frequency

                                                                    Essbase updates the essbase.bak security backup file if it does not match the essbase.sec security file. By default, Essbase compares the security backup file to the security file at specified intervals instead of only when Essbase Server starts.

                                                                    See “Updating the Security Backup File” in the Oracle Essbase Administration Services Online Help for information about updating the security backup file at any time.

                                                                    Consider the following facts before changing the interval value:

                                                                    • In Administration Services, the same check box manages how often the security backup file is checked against the security file and how often user inactivity is checked.

                                                                    • The default value is five minutes, the recommended setting to ensure that the security backup file is checked frequently enough to capture security changes. Five minutes is also the recommended value for the inactivity check.

                                                                    • If you set the value to zero, the inactivity check is disabled, and the essbase.bak file is compared to essbase.sec every five minutes (and updated if necessary).

                                                                    • Enter a larger value if your security file does not need to be updated frequently. Enter a smaller value if performance is not an issue.

                                                                    *  To change the frequency of backup file comparisons, use a tool:

| Tool | Topic | Location |
|------|-------|----------|
| Administration Services | Enter the time interval in the Check for inactivity every option of the Security tab when you edit Essbase Server properties. | Oracle Essbase Administration Services Online Help |
| MaxL | alter system sync security_backup | Oracle Essbase Technical Reference |

                                                                      Caution!

                                                                      If Essbase stops running unexpectedly for any reason, such as a freeze, abnormal shutdown, or as the result of terminating a process, do not restart Essbase Server until you copy the backup file essbase.bak to the security file essbase.sec. If you do not perform the copy first, when Essbase Server starts, Essbase notes that essbase.sec is corrupt, creates an empty security file, and copies it to essbase.bak, destroying the backup of your security information.

                                                                      Managing Security-File Fragmentation

                                                                      Changing or deleting any of the following Essbase security entities can cause fragmentation in the security file (essbase.sec): filters, users, groups, applications, databases, substitution variables, disk volumes, passwords, and other Essbase artifacts. Too much fragmentation in the file can slow down security-related performance.

                                                                      Essbase compacts the security file automatically each time the Agent is stopped. You can check the fragmentation status of the security file and, if desired, you can compact the security file without stopping the Agent.

                                                                      Displaying the Security File Fragmentation Status

                                                                      The fragmentation status of the security file is displayed as a percent.

                                                                      *  To display the fragmentation status of the security file, see the display system MaxL statement with the security file fragmentation_percent grammar in the Oracle Essbase Technical Reference.

                                                                        Compacting the Security File While the Agent is Running

                                                                        Besides manually compacting the security file, you can use the SECURITYFILECOMPACTIONPERCENT configuration setting to define a percentage of fragmentation that triggers compaction automatically.

                                                                        *  To compact the security file without stopping the Agent, use a tool:

| Tool | Topic | Location |
|------|-------|----------|
| Agent | COMPACT | Enter the Agent command at the command prompt in the Essbase Server console window. |
| MaxL | alter system compact security file | Oracle Essbase Technical Reference |
| essbase.cfg | SECURITYFILECOMPACTIONPERCENT | Oracle Essbase Technical Reference |

                                                                        Note:

                                                                        Compacting the security file while the Agent is running slows down Agent activity until the operation is completed, which could take a few minutes.

                                                                          Exporting the Security File

                                                                          An Essbase Administrator can export the contents of the essbase.sec file for an Essbase Server instance to a readable text file format, which is useful for review purposes.

                                                                          Caution!

                                                                          When exporting essbase.sec, follow your company’s security procedures to ensure the integrity of the data.

                                                                          The export security file command, which can be run from Administration Services Console or as a MaxL statement, is run against the Essbase Server session to which you are currently logged in. The Essbase Server session can be run as a service.

                                                                          *  To export essbase.sec, use a tool:

| Tool | Topic | Location |
|------|-------|----------|
| Administration Services | Exporting the Security File | Oracle Essbase Administration Services Online Help |
| MaxL | export security_file | Oracle Essbase Technical Reference |

                                                                            Note:

                                                                            The DUMP agent command is similar to the export security file command, except that the DUMP command cannot be run against an Essbase Server run as a service. See Table 70, Agent Commands and MaxL, ESSCMD, or Administration Services Equivalents.