Export 11g Users and Groups to Essbase 21c Configured with IAM or IDCS
If you're using native default EPM Shared Services security, these steps are required. If Shared Services uses an external security provider, or you're using a federated setup in Shared Services, the following steps are optional. You should configure OCI Identity and Access Management (IAM) or Oracle Identity Cloud Service (IDCS) to use the same external security provider that Shared Services used.
Notes
If you want filters and calculation assignments of existing users to be migrated, ensure that Essbase has the same set of users and groups already available.
User role assignment behaves differently from Essbase 11g On-Premise. Database Access is now the lowest role and, by default, has read access to data values in all cells. To restrict access to data values in Essbase, you must now create a NONE filter and assign it to users and groups. This was not a requirement in Essbase 11g On-Premise, where Filter was the lowest role and, by default, had no access to data values in any cell.
Required User Roles for Access
Note that the following Essbase security artifacts are migrated using the 11g Export Utility: Essbase server-level roles, application-level roles, filter associations, and calc associations. LCM handles provisioning users and groups with the corresponding new roles.
Table 4-2 Default role mapping
| Source EPM System Security Mode Roles | Target WebLogic Security Roles | Level | 
|---|---|---|
| Administrator | Service Administrator | Server | 
| Application Manager | Application Manager | Application | 
| Calc | Database Update | Application | 
| Create/Delete application | Power User | Server | 
| Database Manager | Database Manager | Application | 
| Filter | Database Access | Application | 
| Read | Database Access | Application | 
| Server Access | User | Server | 
| Start/Stop Application | Database Access | Application | 
| Write | Database Update | Application | 
Note that the Filter role in Essbase 11g On-Premise doesn't allow Read access, but allows access to members restricted by the filter. Now, there's no Filter role, and the lowest role is Database Access, which allows Read access to all members. To restrict access to selective members, use a group filter that restricts global access.
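An added example (not part of the Oracle documentation or the 11g Export Utility): it applies Table 4-2 to constructed provisioning records and lists the users and groups whose only application-level role in 11g was Filter, because these gain default read access as Database Access unless a NONE filter is assigned. The record layout, the function names, and the `ALREADY_READ` set are assumptions.

```python
from collections import defaultdict
# Table 4-2: source 11g role -> (target 21c role, level)
ROLE_MAP = {
    "Administrator": ("Service Administrator", "Server"),
    "Application Manager": ("Application Manager", "Application"),
    "Calc": ("Database Update", "Application"),
    "Create/Delete application": ("Power User", "Server"),
    "Database Manager": ("Database Manager", "Application"),
    "Filter": ("Database Access", "Application"),
    "Read": ("Database Access", "Application"),
    "Server Access": ("User", "Server"),
    "Start/Stop Application": ("Database Access", "Application"),
    "Write": ("Database Update", "Application"),
}
# Assumption: 11g application roles that already allowed reading data values.
ALREADY_READ = {"Read", "Write", "Calc", "Database Manager", "Application Manager"}

def map_roles(records):
    """Return (principal, app, source, target, level); unknown roles raise."""
    out = []
    for principal, app, source in records:
        if source not in ROLE_MAP:
            raise ValueError(f"role not in Table 4-2: {source!r}")
        target, level = ROLE_MAP[source]
        out.append((principal, app, source, target, level))
    return out

def needs_none_filter(records):
    """(principal, app) pairs whose only data-level role in 11g was Filter."""
    held = defaultdict(set)
    for principal, app, source, _target, level in map_roles(records):
        if level == "Application":
            held[(principal, app)].add(source)
    return sorted(k for k, roles in held.items()
                  if "Filter" in roles and not roles & ALREADY_READ)

# Constructed sample export (principal, application, 11g role); not real data.
SAMPLE = [
    ("grp_regional", "Sales", "Filter"),
    ("jdoe", "Sales", "Filter"),
    ("jdoe", "Sales", "Read"),
    ("asmith", "Finance", "Filter"),
    ("asmith", None, "Server Access"),
    ("ops", "Finance", "Start/Stop Application"),
]
if __name__ == "__main__":
    for principal, app in needs_none_filter(SAMPLE):
        print(f"{principal} on {app}: assign a NONE filter to keep 11g behavior")
```

Principals that also held Read or a higher role on the same application are not reported, since their read access is unchanged by the migration.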
The following access is required:
- For exporting: A user with at least Application Manager role, for the application created, can export applications, folders, and artifacts. In addition, the following roles can use the 11g Export Utility and their corresponding operations: Service Administrator for all applications; Power User for all applications created by the Power User.
- For importing: A user with at least Power User role can create applications (during import) and manage applications.


