Setting Security Options

Security options comprise the global parameters applicable to all user directories included in the search order.

To set security options:

  1. Access Oracle Hyperion Shared Services Console as System Administrator. See Launching Shared Services Console.
  2. Select Administration, and then Configure User Directories.
  3. Select Security Options.
  4. In Security Options, set global parameters.

    Illustration of Security Options screen

    Table 4-6 Security Options for User Directories

    Parameter Description
    Token Timeout

    Time (in minutes) after which the SSO token issued by Oracle Enterprise Performance Management System products or the web identity management solution expires. Users must log in again after this period. Token timeout is set based on the server's system clock. Default is 480 minutes.

    Note:

    Token timeout is not the same as session timeout.

    Cache Refresh Interval

    Interval (in minutes) for refreshing the Oracle Hyperion Shared Services cache of groups to users relationship data. Default is 60 minutes.

    Shared Services caches information about new external user directory groups and new users added to existing groups only after the next cache refresh. Users provisioned through a newly created external user directory group do not get their provisioned roles until the cache is refreshed.

    Refresh Now

    Click this button to manually initiate the refreshing of Shared Services cache that contains groups to users relationship data. You may want to initiate a cache refresh after creating new groups in external user directories and provisioning them or after adding new users to existing groups. The cache is refreshed only after Shared Services makes a call that uses the data in the cache.

    Enable SSO Compatibility

    Select this option if your deployment is integrated with Oracle Business Intelligence Enterprise Edition Release 11.1.1.5 or earlier.

    Enable Delegated User Management Mode

    Option enabling delegated user management of EPM System products to support the distributed management of provisioning activities. See "Delegated User Management" in the Oracle Enterprise Performance Management System User Security Administration Guide.

    Enable SSO

    Option enabling support for SSO from security agents such as Oracle Access Manager.

    SSO Provider or Agent

    Select the web identity management solution from which EPM System products should accept SSO. Select Other if your web identity management solution (for example, Kerberos) is not listed.

    The preferred SSO mechanism and name are automatically selected when you select the SSO provider. You can change the name of the SSO mechanism (HTTP header or custom login class), if required.

    If you select Other as the SSO provider or agent, you must ensure that it supports an EPM System supported SSO mechanism. See "Supported SSO Methods" in the Oracle Enterprise Performance Management System Security Configuration Guide.

    SSO Mechanism

    The method that the selected web identity management solution uses to provide the user's login name to EPM System products. For a description of acceptable SSO methods, see "Supported SSO Methods" in the Oracle Enterprise Performance Management System Security Configuration Guide.

    • Custom HTTP Header: Set the name of the header that the security agent passes to EPM System.

    • Custom Login Class: Specify the custom Java class that handles HTTP requests for authentication. See "Custom Login Class" in the Oracle Enterprise Performance Management System Security Configuration Guide.

      Note:

      Custom Login Class is not the same as custom authentication.

    • HTTP Authorization Header: The standard HTTP mechanism.

    • Get Remote User from HTTP Request: Select this option if the security agent populates the remote user in the HTTP request.

    Custom Authentication Module

    The fully qualified Java class name of the custom authentication module (for example, com.mycompany.epm.CustomAuthenticationImpl) that should be used to authenticate users on all user directories for which the custom authentication module is selected.

    The authentication module is used for a user directory only if the directory configuration has enabled (default) its use.

    Oracle Hyperion Foundation Services requires that the custom authentication JAR file be named CustomAuth.jar. CustomAuth.jar must be available in MIDDLEWARE_HOME\user_projects\domains\WEBLOGIC_DOMAIN\lib, typically, C:\Oracle\Middleware\user_projects\domains\EPMSystem\lib.

    On all client installations, CustomAuth.jar must be present in EPM_ORACLE_HOME/common/jlib/11.1.2.0, typically, C:\Oracle\Middleware\EPMSystem11R1\common\jlib\11.1.2.0.

    You can use any package structure and class name within the JAR file.

    For more information, see "Using a Custom Authentication Module" in the Oracle Enterprise Performance Management System Security Configuration Guide.

  5. Click OK.
  6. Restart Foundation Services and other EPM System components.
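
A deployment check for the Custom Authentication Module requirements in step 4, run before the restart: the JAR must be named CustomAuth.jar in each required directory and must contain the class entered in the parameter. This is an added example, not Oracle code; the function names are hypothetical and the two directories are constructed temporary stand-ins for the domain lib and client jlib locations.

```python
import os
import tempfile
import zipfile

JAR_NAME = "CustomAuth.jar"  # file name required by Foundation Services (from the page)


def check_custom_auth(directory, class_name):
    """Return a list of problems found for CustomAuth.jar in `directory`.

    class_name is the fully qualified name entered in Custom Authentication
    Module. An empty list means the directory passes every check.
    """
    if not os.path.isdir(directory):
        return [f"{directory}: directory not found"]
    # Match the required file name exactly, including case.
    names = os.listdir(directory)
    if JAR_NAME not in names:
        near = [n for n in names if n.lower() == JAR_NAME.lower()]
        hint = f" (found {near[0]}; rename it)" if near else ""
        return [f"{directory}: {JAR_NAME} missing{hint}"]
    jar_path = os.path.join(directory, JAR_NAME)
    if not zipfile.is_zipfile(jar_path):
        return [f"{jar_path}: not a valid JAR/ZIP archive"]
    # A class a.b.C is stored in a JAR as the entry a/b/C.class.
    entry = class_name.replace(".", "/") + ".class"
    with zipfile.ZipFile(jar_path) as jar:
        if entry not in jar.namelist():
            return [f"{jar_path}: {entry} not in archive"]
    return []


def demo():
    """Build constructed sample directories and run the check on each."""
    cls = "com.mycompany.epm.CustomAuthenticationImpl"  # example name from the page
    root = tempfile.mkdtemp()
    server_lib = os.path.join(root, "domain_lib")   # stand-in for the domain lib
    client_lib = os.path.join(root, "client_jlib")  # stand-in for the client jlib
    os.makedirs(server_lib)
    os.makedirs(client_lib)
    with zipfile.ZipFile(os.path.join(server_lib, JAR_NAME), "w") as jar:
        jar.writestr("com/mycompany/epm/CustomAuthenticationImpl.class", b"")
    with zipfile.ZipFile(os.path.join(client_lib, JAR_NAME), "w") as jar:
        jar.writestr("com/mycompany/epm/OtherClass.class", b"")  # wrong class on purpose
    return check_custom_auth(server_lib, cls), check_custom_auth(client_lib, cls)


if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```

On a real deployment, call check_custom_auth once for the domain lib directory and once for each client's jlib directory, passing the class name exactly as entered in Security Options.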