Export 11g Users and Groups to Essbase 21c Configured in IDCS

If you're using native default Shared Services security, these steps are required. If Shared Services uses an external security provider, or you're using federated setup in Shared Services, the following steps are optional. You should configure Oracle Identity Cloud Service to use the same external security provider that Shared Services used.


If you want filters and calculation assignments of existing users to be migrated, ensure that Essbase has the same set of users and groups already available.

Assignment of user roles behavior differs from Essbase 11g On-Premise. Database Access is now the lowest role, and has, by default, read access to data values in all cells. To restrict access to data values in Essbase, you must now create a NONE filter and assign it to users and groups. This was not a requirement in Essbase 11g On-Premise, where Filter was the lowest role, and has, by default, no access to data values in all cells.

Required User Roles for Access

Note that the following Essbase security artifacts are migrated using the 11g Export Utility: Essbase server-level roles, application-level roles, filter associations, and calc associations. LCM handles provisioning users and groups with the corresponding new roles.

Table 4-2 Default role mapping

Source EPM System Security Mode Roles Target WebLogic Security Roles Level
Administrator Service Administrator Server
Application Manager Application Manager Application
Calc Database Update Application
Create/Delete application Power User Server
Database Manager Database Manager Application
Filter Database Access Application
Read Database Access Application
Server Access User Server
Start/Stop Application Database Access Application
Write Database Update Application

Note that Filter role in Essbase 11g On-Premise doesn't allow Read access, but allows access to members restricted by the filter. Now, there's no Filter role, and the lowest role access is Database Access, which allows Read access to all members. To restrict access to selective members, use a group filter that restricts global access.

The following access is required:

  • For exporting: A user with at least Application Manager role, for the application created, can export applications, folders, and artifacts.

    In addition, the following roles can use the 11g Export Utility and their corresponding operations: Service Administrator for all applications; Power User for all applications created by the Power User.

  • For importing: A user with at least Power User role can create applications (during import) and manage applications.

  1. Launch the Enterprise Performance Management (EPM) Shared Services user interface. Navigate to Application Groups, Foundation, and then Shared Services.
    Shared services folder holds the groups and users data.
  2. Select Groups and Users check boxes, and click Export.
  3. On the Export to File System dialog box, enter a name for the target File Systems Folder and click Export.
  4. After the export completes, the exported Shared Services-based security content appears under the target File System folder. Right-click on the exported Shared Services content, and click Download to download the files locally.
    Exported content is stored in file system folder
  5. Expand the downloaded zip file. For each folder, you may see files like those shown below.
    Downloaded zip file holds the groups and users CSV files.
  6. The format of the generated Users.csv and Groups.csv files are not compatible with Identity Cloud Service format. You must manually reorganize or map the files to Identity Cloud Service format, as shown below, using a CSV or text editor.
    Exported users and groups Shared Services format Identity Cloud Service format
    Users.csv id,provider,login_name,first_name,last_name,description,email,internal_id,password,activ User ID,Last Name,First Name,Middle Name,Honorific Prefix,Honorific Suffix,Display Name,Nick Name,Profile URL,Title,User Type,Locale,Preferred Language,TimeZone,Active,Password,Work Email,Home Email,Primary Email Type,Work Phone,Mobile No,Work Street Address,Work City,Work State,Work Postal Code,Work Country,Federated,Employee Number,Cost Center,Organization,Division,Department,Manager Name


    (Following data for each group:)



    Display Name,Description,User Members

    For columns that are empty, enter dummy text.

  7. Import the users and groups to Identity Cloud Service according to the instructions in Import a Batch of Users into a Cloud Account with Identity Cloud Service.