To use Shared Services for user management, existing users need to be migrated to Shared Services. This includes "native" users who were externally authenticated in a previous release. See Converting Essbase Server and Migrating Users to Shared Services.
When an Essbase Administration Server, Essbase Server, or Oracle Hyperion Provider Services runs in EPM System security mode, all functionality that is related to managing users (for example, creating, renaming, deleting, and assigning access permissions) can be performed only via the Shared Services Console. You cannot use Administration Services Console to perform most user management tasks. For Essbase Servers, you can continue to view information about users who are currently provisioned for Essbase via Shared Services, but you cannot edit user information.
In EPM System security mode, some Essbase security information is stored by Shared Services and external user directories, and some security information is stored in the Essbase security file (essbase.sec). See About the Essbase Security File.
Because Essbase obtains user and group details (including user and group information and provisioning to Essbase applications) from Shared Services, an Essbase Administrator does not need to explicitly synchronize security between Essbase and Shared Services.
When a user logs on to Essbase, Essbase queries Shared Services for that user’s information. The privileges with which a user starts a session are preserved throughout the session, regardless of whether the user’s privileges are changed in Shared Services during the session.
For information about security for users and groups in EPM System security mode and Essbase user roles for Shared Services, see the Oracle Essbase Database Administrator's Guide.
The only role that can be provisioned for Provider Services is Administrator. Provider Services does not have any users, therefore, migration of users from native mode to EPM System security mode is not required.
In EPM System security mode, Essbase Administration Server users do not have roles associated with them; therefore, any users who are authenticated through Shared Services can connect to any Essbase Administration Server. There are no provisioning assignments needed for Essbase Administration Server users. The currently logged-on Essbase Administration Server user is the only user visible in Administration Services Console. You can continue to map users to Essbase Servers via Administration Services Console, but you cannot edit other user information.
For information about using Shared Services Console to manage and provision users, see the Oracle Hyperion Enterprise Performance Management System User and Role Security Guide.