25 Introduction to Using Oracle Essbase in Oracle Business Intelligence

This chapter explains what you need to know about using Oracle Essbase when installed with Oracle Business Intelligence. The chapter includes a high-level roadmap, information about installation, system administration, service-level maintenance, and security, and links to alternative sources of information.

Overview

You can easily deploy Essbase and associated tools when installing Oracle Business Intelligence and benefit from using shared administration, user management, installation, and configuration support functionality that is also available to Oracle Business Intelligence users.

When you deploy Essbase with Oracle Business Intelligence, you can access Essbase multidimensional databases that provide multidimensional analysis, enabling rapid development of custom analytic applications. Essbase enables you to develop and manage analytic applications that model complex scenarios, forecast business trends, and perform "what-if" analyses. Essbase supports fast query response times using pre-aggregated dimensions, for large numbers of users, for large data sets, and for complex business models. Essbase can be configured for use with a range of data sources.

Essbase Studio and EAS can be deployed by the 11g EPM installer in a separate domain, and can be used with the 12c Essbase server installed through Oracle Business Intelligence.

This chapter includes information about installing, configuring, managing and securing Essbase installed through Oracle Business Intelligence as well as creating, securing, and accessing Essbase databases using Oracle Business Intelligence.

This chapter does not describe using Essbase when installed with the EPM System Installer. For information about using Essbase and associated tools when installed with the EPM System Installer, see the EPM System deployment documentation, located on the Deployment and Installation tab in the EPM System Documentation Library.

To find out which guide to consult for Essbase and associated tools when installed with Oracle Business Intelligence, see Performing Tasks When Essbase Is Installed with Oracle BI EE Compared to Performing the Same Tasks in EPM and Information on Which Guides to Consult.

Any other use of Essbase in the context of being used as a data source for Oracle Business Intelligence should leverage an EPM deployment of Essbase and related tools from 11g (see the EPM deployment guides). In future releases the role of Essbase deployed through Oracle Business Intelligence will expand. Therefore Oracle recommends installing the Essbase software to avoid future challenges with expanding the BI Domain. See Understanding Essbase Deployed in BI 12.2.1 in Oracle Essbase Database Administrator's Guide.

High-Level Roadmap for Working with Essbase When Installed with Oracle Business Intelligence

Read this section before you start working with Essbase when installed with Oracle Business Intelligence.

This high-level roadmap explains the tasks to perform and what choices are available. This section also indicates when to refer to the Oracle Business Intelligence documentation or the EPM System documentation.

  1. Read the rest of this chapter for an overview of Essbase concepts and configuration tasks.
  2. Select the Essbase Suite option to install Essbase with Oracle Business Intelligence as described in Installing Essbase with Oracle Business Intelligence.
  3. Perform essential security tasks as described in Configuring Security for Essbase in Oracle Business Intelligence.
    Essbase uses the Oracle Fusion Middleware security model, which Oracle Business Intelligence also uses. For more information, see Security Guide for Oracle Business Intelligence Enterprise Edition.
  4. Perform essential system administration tasks as described in Managing Essbase System Administration in Oracle Business Intelligence.

    Perform these tasks after installing Essbase with Oracle Business Intelligence to ensure that Essbase is correctly configured.

  5. Create, manage and use Essbase cubes as described in Working with Essbase Data in Oracle Business Intelligence.

Performing Tasks When Essbase Is Installed with Oracle BI EE Compared to Performing the Same Tasks in EPM and Information on Which Guides to Consult

When you install Essbase with Oracle Business Intelligence, you do not perform a full Enterprise Performance Management System installation. Instructions for completing certain tasks can vary from those documented in the EPM documentation.

Use the table below to help you decide what to use to perform certain tasks in Oracle Business Intelligence compared to EPM systems, and which guides to reference.

For each Essbase-related task, the entries below give how to perform the task in an Oracle BI system and in an 11g EPM system, and which guides to reference.

Authentication

  • Oracle BI system: Essbase should be set up as part of the installation process and all security in the 12.2.1 release should be handled automatically through the BI security. Refer to EPM 11g guides.
  • 11g EPM system: When using an 11g EPM system, use HSS, MaxL. Refer to EPM guides.

Authorization

  • Oracle BI system: Essbase should be set up as part of the installation process and all security in the 12.2.1 release should be handled automatically through the BI security. Refer to EPM 11g guides.
  • 11g EPM system: When using an 11g EPM system, use HSS, MaxL. Refer to EPM guides.

Data Security (Provisioning)

  • Oracle BI system: When using Essbase and associated tools installed with Oracle Business Intelligence, use Fusion Middleware Control and Security. Refer to EPM 11g guides. There is no need to define Essbase filters for row level security; it is handled by BI security privileges. Filters will need to be created for Essbase when there is a 12c cube that will be accessed directly by the user, non-acceleration cubes.
  • 11g EPM system: When using an 11g EPM system, use HSS. Refer to EPM guides.

Data Security (filter definitions)

  • Oracle BI system: When using Essbase installed with Oracle Business Intelligence, use MaxL. Refer to EPM 11g guides. There is no need to define Essbase filters for row level security; it is handled by BI security privileges. Filters will need to be created for Essbase when there is a 12c cube that will be accessed directly by the user, non-acceleration cubes.
  • 11g EPM system: When using an 11g EPM system, use EAS (GUI) or MaxL (Command Line). Refer to EPM guides.

System Configuration

  • Oracle BI system: When using Essbase and associated tools installed with Oracle Business Intelligence, use Fusion Middleware Control, and essbase.cfg. Refer to Oracle Business Intelligence guides.
  • 11g EPM system: When using an 11g EPM system, use a text editor and MaxL, essbase.cfg. Refer to EPM guides for EAS and Studio.

Backup and Recovery

  • Oracle BI system: When using Essbase and associated tools installed with Oracle Business Intelligence use Fusion Middleware Control. Refer to Administering Oracle Fusion Middleware and Oracle Business Intelligence guides.
  • 11g EPM system: Refer to EPM guides, see also for backing up Studio.

Migration (Test to Production)

Migration should use a file system copy for artifacts while partitions, CDF/M, security filters and data should be exported via MaxL for EPM column.

Refer to Lifecycle Management guides.

Essbase cubes

When using Essbase you use the Acceleration Wizard.

Build and manage cubes using EAS and Studio.

Refer to EPM guides (references to EAS and Studio).

Refer to Oracle Essbase Database Administrator's Guide.

Capacity

  • Oracle BI system: N/A. Uses Active/Passive model (one cluster only). Refer to Oracle Business Intelligence guides.
  • 11g EPM system: Use N Clusters 1, 2, 3, 4 agents. Uses the Active/Active or Active/Passive model. Refer to EPM guides.

Availability

  • Oracle BI system: Use Fusion Middleware Control. Uses Active/Passive model. Refer to Oracle Business Intelligence guides.
  • 11g EPM system: Refer to EPM guides. Uses Active/Passive model.

Financial Reporting

  • Oracle BI system: Financial Reports, Calculation Manager and Workspace are not part of the 12c deployment.
  • 11g EPM system: Refer to EPM guides.

Calculation Manager

  • Oracle BI system: Financial Reports, Calculation Manager and Workspace are not part of the 12c deployment.
  • 11g EPM system: Refer to EPM guides.

Workspace

  • Oracle BI system: Financial Reports, Calculation Manager and Workspace are not part of the 12c deployment.
  • 11g EPM system: Refer to EPM guides.

APIs

  • Oracle BI system: No need for custom API work in 12.2.1.
  • 11g EPM system: NA

Installing Essbase with Oracle Business Intelligence

You can install Essbase when you install Oracle Business Intelligence.

When you install Essbase with Oracle Business Intelligence, Essbase databases become available to Oracle Business Intelligence users, and you can manage Essbase components using a combination of Oracle Business Intelligence tools and Essbase EPM System tools. For information about which version of Essbase is installed, go to the Certifications page in Oracle Support and check the product details for appropriate releases of Oracle Business Intelligence Enterprise Edition with Oracle Essbase at:

https://support.oracle.com

Note:

You cannot add Essbase to an existing Oracle Business Intelligence installation although you can still use Essbase as a data source. The only way to install Essbase with Oracle Business Intelligence is to perform a new Oracle Business Intelligence installation and select the Essbase component.

You install EAS and Studio using the EPM installation. See the EPM guides for more details.

Installing Essbase

You install Essbase Suite as part of an Oracle Business Intelligence Enterprise installation.

See Installing and Configuring Oracle Business Intelligence.

The Enterprise Install type creates and configures a single WebLogic Server Domain that contains a cluster with an Administration Server, and a Managed Server. If you select Essbase Suite during the install, then Essbase JEE components and Oracle Business Intelligence JEE components are installed on Managed Servers. See Selecting the Essbase Suite Option During Install.

Selecting the Essbase Suite Option During Install

You can install JEE applications and services during install.

Selecting the Essbase Suite option during the install does the following:

  • Pre-selects the Oracle Business Intelligence Enterprise Edition option.
  • Installs the following Essbase-related JEE applications and services into the local Oracle BI EE Managed Server in an Enterprise Install:
    • Essbase Agent
    • Cube Deployment Services
    • Hyperion Provider Services (APS)
  • Installs the following Essbase server processes:
    • Essbase App.
  • Enables you to download the following Essbase-related client applications from the Download BI Desktop Tools option, which is available in the Get Started area of the Home page for Oracle BI EE:
    • Smart View for Office (EPM application)

    See Downloading BI Desktop Tools in User's Guide for Oracle Business Intelligence Enterprise Edition.

  • Enables users to log in to the following Essbase command line tools:
    • ESSCMD
    • ESSMSH (MaxL)
  • Enables users to log in through the following supported Essbase API languages:
    • JAPI
    • C-API

      Note:

      Client applications and API languages that are not included in this section are not supported with Essbase and related components installed with Oracle Business Intelligence.

Limitations for Using Client Tools when Essbase Is Installed with Oracle Business Intelligence

There are limitations for using the following Essbase tools when Essbase is installed with Oracle Business Intelligence.

  • MaxL command line interface

    The MaxL command line supports most of the tasks for Oracle Business Intelligence Essbase that are also possible with Oracle EPM System Essbase.

    Note:

    You cannot use the MaxL command line to provision security.

Essbase Features Not Supported when Essbase Is Installed with Oracle Business Intelligence

When Essbase is installed with Oracle Business Intelligence, you do not get a full Enterprise Performance Management installation.

The following Essbase features are not supported:

  • Permission grants are not supported at the database level. For example, if you have two multidimensional databases that are used by an application, then permission grants apply equally to the multidimensional databases in an application.

  • Multiple clusters are not supported.

  • The Active-Active failover process is not supported. You can have only one machine or cluster active at a time, and you cannot load balance across computers or clusters.

  • The audit report showing what users, groups and application roles can do in Essbase, when Essbase is installed as part of an Enterprise Performance Management System, is not available in this release. However, you can use Oracle Fusion Middleware to view the Essbase permissions assigned to application roles.

  • There might be other Enterprise Performance Management features that are not supported when Essbase is installed with Oracle Business Intelligence. To avoid misunderstandings, do not use EPM System or Essbase documentation (when Essbase is installed with Oracle Business Intelligence), unless directed to do so in this documentation.

Configuring Security for Essbase in Oracle Business Intelligence

This section explains typical Essbase-related security configuration when Essbase is installed with Oracle Business Intelligence. You might also refer to this section if you maintain Essbase security in an existing installation of Oracle Business Intelligence.

The Oracle Business Intelligence Installer configures Essbase to use Oracle Fusion Middleware security for authentication and authorization. You can secure an Essbase environment to provide equivalent functionality to Essbase secured through Hyperion Shared Services. Exceptions to this are documented in the Oracle Business Intelligence Certification Matrix.

Essbase installed using the Oracle Business Intelligence installer cannot use Native Essbase or Hyperion Shared Services (HSS) security. However, when you install Essbase with Oracle Business Intelligence, the Common Security Service (CSS) token-based identity assertion continues to be available and enables Oracle Business Intelligence to connect to Essbase data sources (both Essbase installed with Oracle Business Intelligence and Essbase installed with EPM) with the credentials of the end user. For this mechanism to work with an Essbase data source external to the Oracle Business Intelligence installation, you must follow the documentation. Also note that if multiple Essbase data sources are being used by Oracle Business Intelligence and there is a requirement to use this mechanism, all Essbase data sources must use the same shared secret for producing CSS tokens. See Section Configuring Oracle Business Intelligence to Use Hyperion SSO Tokens when Communicating with Essbase, Hyperion Financial Management, Hyperion Planning, and EPM Workspace.

The Oracle Business Intelligence installer pre-configures core users, groups, application roles, credentials, permissions, and privileges for Essbase. There is no automated migration of security artifacts from Essbase installed with the EPM System Installer to Essbase installed with Oracle Business Intelligence. You must configure the equivalent authentication and authorization mechanism for Essbase when it is installed with Oracle Business Intelligence.

Enabling Users to Perform Specific Actions in Essbase and Associated Tools

You enable users to perform specific actions in Essbase and associated tools (for example, read and write, use calculations, use filters, use specific filters) by granting resource permission definitions to application roles.

Appropriate resource permissions must be defined first (see Configuring Data-Level Security Using Essbase Filters and Configuring Access to Essbase Calculations). Resource permissions contain definitions of Essbase actions that a user can perform in an Essbase application. Essbase actions are derived from Essbase resource types, which are linked to resource permissions.

Resources are hierarchical; therefore global, cluster, and application level resources are listed.

Note:

The Essbase actions described here are not the same as actions in Oracle Business Intelligence.

The installation process grants default Essbase resource permissions to existing application roles in Oracle Business Intelligence.

For more details about the Essbase resource permissions configured by default when you install Essbase with Oracle Business Intelligence, see Resource Permissions Reference for Essbase and Associated Tools.

Note:

The BIConsumer application role is granted to all users, and has oracle.essbase.server /EssbaseCluster-1 access and oracle.essbase.application /EssbaseCluster-1 use_filter. This gives all users access to Essbase by default.

Note:

Resource permissions are stored by default in a file-based shared policy store, but you can reassociate them to an OID LDAP shared policy store. See Using Alternative Authentication Providers in Security Guide for Oracle Business Intelligence Enterprise Edition.

Note:

Parent roles inherit permission grants through child group or role members. Permission grants are cumulative; for example, a user who has a grant of oracle.essbase (filter) through one application role, but not through another role, is still considered to have the oracle.essbase (filter) grant.

Use the following steps to grant resource permissions to users and application roles.

  1. If you are granting resource permission definitions to Essbase filters or Essbase calculations, then the filters or calculations must already exist.
  2. Log in to Oracle Fusion Middleware.
  3. Select Business Intelligence, then coreapplication.
  4. From the Business Intelligence Instance menu (or right-click coreapplication), select Security and Application Policies.
  5. Select the obi Application Stripe.
  6. Select a Principal Type and click Search to display a list of application roles.

    Best practice is to assign permissions to application roles.

    This search returns only principals that already have policies or permissions assigned. If you have a new application role that does not have any permissions yet, then you must click Create or Create Like.

    Note:

    Non-Essbase permissions might also be displayed for the selected principal.

  7. Click Create to display the Create Application Grant page.
  8. Click Add in the Grantee section, to add an application role.
  9. Select Application Role from the Type list and click the Search arrow.
  10. Click OK.
  11. Click Add in the Permissions section to display the Add Permission page.
  12. Click Resource Types and select an appropriate resource type from the list.
    For example, select oracle.essbase.application.
  13. Click the Search Arrow button to confirm your selection.

    Note:

    There is no synchronization between the filters or applications created in EAS and the list returned in the policy store. Therefore, you must manually enter the Resource Name in the following steps the first time that you provision a particular resource (server, application, filter or calculation).

  14. Click Continue to display the Add Permission page.
  15. Enter appropriate information into the Resource Name and Resource Type fields.

    For example, to configure access permissions to use any filters within the Demo application, enter the following information:

    Resource Type - oracle.essbase.application

    Resource Name - /EssbaseCluster-1/Demo

    Permission Actions - use_filter

    For more examples of what to enter in the Resource Type, Resource Name, and Permission Actions fields when you grant resource permissions to filters or calculations, see the following:

    Note:

    You can also manually enter permission actions for the resource into the Permission Actions field. Essbase actions are hierarchical, such that actions higher in the list include the lower members. For example, selecting read grants read and restart permissions to the /EssbaseCluster-1/Demo Essbase application.

  16. Click Select.
  17. Click OK.

Enabling Drill-through Reports in Oracle BI EE 12.2.1.x

Essbase Studio is not provided with Essbase Release 12.2.1.x. To use Essbase Studio to deploy Essbase cubes and enable drill-through functionality with Essbase 12.2.1.x you must install EPM 11g on a separate host and complete some configuration steps.

Use the following steps to run Essbase Studio 11g with Essbase 12.2.1.x.
  1. Install EPM 11.1.2.4 and apply the latest Opatch.
  2. Install BI 12.2.1 on a different host.
  3. Update the Essbase Studio server properties file with server.trustedAuthenticationHost=<HOSTNAME>:<PORT>, where HOSTNAME is the host where Essbase is running, and PORT is the Essbase port.

    Note:

    The server.properties file is located in ORACLE_INSTANCE/EssbaseStudio/essbasestudio1/bin in the EPM 11.1.2.4 environment.
  4. Stop and restart Essbase Studio server.
  5. Stop the BI instance.
  6. Copy cpld.jar from 11.1.2.4 EPM:
    ${EPM_ORACLE_HOME}/common/essbase-studio-sdk/11.1.2.0/lib

    To BI12c:

    ${MIDDLEWARE_HOME}/user_projects/domains/${DOMAIN_NAME}/lib
  7. Start Oracle Business Intelligence.

Note:

You cannot deploy and access drill-through reports on multiple BI Essbase instances. Multiple Essbase instances are not supported.

Configuring Data-Level Security Using Essbase Filters

Data-level security enables you to restrict the dimensional data that users see in Essbase multidimensional databases. You secure data-level access for Oracle Business Intelligence users by configuring resource permission definitions on Essbase filters and granting them to application roles.

See Enabling Users to Perform Specific Actions in Essbase and Associated Tools.

What Are Essbase Filters?

An Essbase filter is an Essbase resource that provides an access control mechanism for dimensional data. For example, a filter might restrict a user to view or update data only for a specific geographical region or a specific product.

Essbase filters are stored in a relational database.

Permission and description:

  • No Access or None - No inherent access to data values unless access is granted globally
  • Read - Ability to read data values
  • Write - Ability to read and update data values
  • Meta Read - Ability to read metadata (dimension and member names)

You create Essbase filters using Essbase Administration Services (and the MaxL command line), which also enables you to:

  • View dimensions and their members.

  • List filter operations.

  • Validate filters at design time.

See Oracle Essbase Administration Services Online Help and Oracle Essbase Database Administrator's Guide:

Oracle Essbase documentation

You can ignore any references to Hyperion Shared Services (HSS) in Enterprise Performance Management documentation.

Configuring Resource Permission Definitions for Essbase Filters

Resource permission definitions combine with Essbase filters in the policy store, and you grant them to an application role. This enables users associated with an application role to secure the data that is defined by one or more combinations of resource permission definitions for Essbase filters.

Before you can grant resource permission definitions for Essbase filters to an application role (see Enabling Users to Perform Specific Actions in Essbase and Associated Tools), the appropriate resource permission definitions must first exist in the policy store. Use the examples in this section to understand how to configure resource permission definitions so that users can use Essbase filters.

An application role requires at least two policy store permission grants to access a specific filter. You must give an application role permission to use filters within a specific scope.

See Resource Permissions Reference for Essbase and Associated Tools.

Use the following examples to understand how to configure resource permission definitions for Essbase filters:

Example 1 - Configuring resource permissions to enable the use of filters within the Demo application:

This example configures resource permission definitions to enable the use of filters within the Demo application. In this example you must ensure that one of the following resource permission definitions exists in the policy store. For example:

  • oracle.essbase.application, /EssbaseCluster-1, use_filter

    where:

    • oracle.essbase.application - is the resource type (in this case, an application)
    • /EssbaseCluster-1 - is the cluster name
    • use_filter - is the action permission (in this case it enables the use of filters)

    In this example, the use_filter action permission configures the oracle.essbase.application resource type such that a user associated with this definition in the policy store can use filters in any application in EssbaseCluster-1 (including the Demo application).

    OR

  • oracle.essbase.application, /EssbaseCluster-1/Demo, use_filter

    In this example, the use_filter action permission configures the oracle.essbase.application resource type such that a user associated with this definition in the policy store can use filters in the Demo application in the EssbaseCluster-1.

Example 2 - Configuring resource permissions for specific filters:

This example configures resource permission definitions that enable the use of a specific filter. You must specify additional resource permission definitions that name the filter in scope of the first grant.

For example, to restrict a user's dimensional access in a database called Basic to members defined by the filter called read_filter, the following resource permission definitions are required:

  • oracle.essbase.application, /EssbaseCluster-1, use_filter

    OR

  • oracle.essbase.application, /EssbaseCluster-1/Demo, use_filter

    AND

  • oracle.essbase.filter, /EssbaseCluster-1/Demo/Basic/read_filter, apply

    In this example, the apply action permission on the oracle.essbase.filter resource read_filter is such that a user who is associated with these definitions in the policy store is restricted to the members defined by read_filter in the Basic database in the Demo application in EssbaseCluster-1.

Example 3 - Configuring resource permissions for multiple filters:

This example activates multiple filters with multiple resource permission definitions to restrict a user's dimensional access in database Basic to members that are defined either by filters "read_filter" or "readFeb_filter." The following resource permission definitions are required:

Note:

This differs from EPM installations where users and groups are limited to a single active filter.

  • oracle.essbase.application, /EssbaseCluster-1, use_filter

    OR

  • oracle.essbase.application, /EssbaseCluster-1/Demo, use_filter

    AND

  • oracle.essbase.filter, /EssbaseCluster-1/Demo/Basic/read_filter, apply

    AND

  • oracle.essbase.filter, /EssbaseCluster-1/Demo/Basic/readFeb_filter, apply

Example 4 - Configuring resource permissions for filters to extend or restrict data access at database level:

This example uses an active filter to extend or restrict data access at the database level.

For example, a user that is associated with the following resource permission definitions cannot read from Demo where noAccess1 restricts access to all dimensions:

  • oracle.essbase.application, /EssbaseCluster-1/Demo, read
  • oracle.essbase.filter, /EssbaseCluster-1/Demo/Basic/noAccess1, apply

Securing Data Access with Essbase Filters

You secure data access by granting Essbase filters to an application role. An Essbase filter resource permission definition secures data access for the grantee at the database level.

  1. If a specific filter does not exist, then create it using Essbase Administration Services Console or the MaxL command line.

    See Oracle Essbase Administration Services Online Help and Oracle Essbase Database Administrator's Guide:

    Oracle Essbase documentation

  2. Grant filter resource permission definitions to an application role using Oracle Fusion Middleware.

    See Enabling Users to Perform Specific Actions in Essbase and Associated Tools.

    You can also do this programmatically using Oracle WebLogic Scripting Tool. See Managing Application Policies with OPSS Scripts in Securing Applications with Oracle Platform Security Services.

    Note:

    The following Enterprise Performance Management restriction does not apply when Essbase is installed with Oracle Business Intelligence:

    For EPM-installed systems, there can be only one filter per multidimensional database per user or application role. If a user or application role is directly provisioned with a second filter, then the first is revoked. Multiple filters can be provisioned indirectly when a user is a member of multiple application roles that each have a provisioned filter.

    Filter resource permission definitions are determined when you connect to a specific Essbase multidimensional database. Filter resource permission definitions pass to the Essbase Agent during authentication. If the user is authenticated successfully, then the list of filters for that user is updated in a locally stored .SEC file.

When Are Filter Access Permission Grant Changes Consumed?

The filter access permissions for a user are determined at login time and are consumed when the Essbase database is selected (SetActive). 

Authorization changes are not noticed by existing sessions; a user must log in again to consume changes in authorization policy.

How Do Filter Permission Grants Differ Between Oracle Business Intelligence and EPM?

You grant filter resource permissions differently when Essbase is installed with Oracle Business Intelligence compared to when Essbase is installed as part of an EPM System.

Bear these guidelines in mind when granting filter resource permissions:

  • When Essbase is installed with Oracle Business Intelligence.

    You grant filter resource permission definitions to an application role, or assign the admin permission to the application role.

  • When Essbase is installed as part of an EPM System.

    You grant filter resource permissions to a group, or assign the admin permission to the group.

Essbase installed with Oracle Business Intelligence grants a user the union of all permissions that are granted directly or through groups and application roles. Unlike an EPM system, with Oracle Business Intelligence there is no restriction that, for example, the oracle.essbase.application filter action must be granted using the same group as the filters. In Oracle Business Intelligence, you can have conflicting roles. See the following table to understand the consequences of these grants.

Application Role (Group) A

  • Application Grant: oracle.essbase.application, /EssbaseCluster-1/Demo, use_filter
  • Filter Grant: oracle.essbase.filter, /EssbaseCluster-1/Demo/Basic/read_filter, apply

Application Role (Group) B

  • Application Grant: oracle.essbase.application, /EssbaseCluster-1/Demo, use_filter
  • Filter Grant: oracle.essbase.filter, /EssbaseCluster-1/Demo/Basic/readFeb_filter, apply

In this table, user JDoe is a member of groups A and B, and so when querying Basic, JDoe has access to rows defined by read_filter and readFeb_filter. If group A has the application grant removed in an EPM System installation, then users of group A no longer have access to any filters. However, when Essbase is installed with Oracle Business Intelligence, user JDoe continues to have access to rows from both filters because JDoe also inherits the permissions from membership of group B.
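The grant combinations in the filter examples and the JDoe case above can be checked with a small model before changing the policy store. The following Python is an added example, not Oracle code or an Oracle API: the function names, the same_role flag (which approximates the same-group restriction this chapter attributes to EPM) and the sample role data are assumptions, and only the use_filter and apply actions are modelled.

```python
"""Effective Essbase filters under the union-of-grants rule (added example).

Simplified model of this chapter's filter examples; not Oracle code.
"""
from collections import namedtuple

APP_TYPE = "oracle.essbase.application"
FILTER_TYPE = "oracle.essbase.filter"

Grant = namedtuple("Grant", "resource_type resource_name action")


def parse_grant(text):
    """Parse 'resource type, resource name, action' as written in the examples."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) != 3 or not parts[1].startswith("/"):
        raise ValueError("malformed grant: %r" % (text,))
    return Grant(*parts)


def in_scope(scope, resource):
    """Resources are hierarchical: a grant on /Cluster covers /Cluster/App."""
    return resource == scope or resource.startswith(scope.rstrip("/") + "/")


def _filters_from(pool, database):
    """Filters on `database` activated by one pool of grants.

    Two grants are required: use_filter on the application (or its cluster)
    and apply on the filter itself.
    """
    application = database.rsplit("/", 1)[0]
    may_use = any(
        g.resource_type == APP_TYPE and g.action == "use_filter"
        and in_scope(g.resource_name, application)
        for g in pool
    )
    if not may_use:
        return set()
    found = set()
    for g in pool:
        parent, _, name = g.resource_name.rpartition("/")
        if g.resource_type == FILTER_TYPE and g.action == "apply" and parent == database:
            found.add(name)
    return found


def effective_filters(role_grants, user_roles, database, same_role=False):
    """Sorted filter names active for a user on '/cluster/application/database'.

    same_role=False: all grants of all roles are pooled (Essbase with Oracle BI).
    same_role=True:  use_filter and the filter grant must sit in the same role
                     (assumption: approximates the EPM restriction described above).
    """
    per_role = [role_grants.get(role, []) for role in user_roles]
    pools = per_role if same_role else [[g for grants in per_role for g in grants]]
    active = set()
    for pool in pools:
        active |= _filters_from(pool, database)
    return sorted(active)


def roles_relying_on_other_roles(role_grants, database):
    """Roles holding a filter grant on `database` but no use_filter of their own.

    Such a filter becomes active as soon as any other role of the user
    supplies use_filter, which is worth knowing when reviewing grants.
    """
    flagged = []
    for role, grants in sorted(role_grants.items()):
        has_filter = any(
            g.resource_type == FILTER_TYPE and g.action == "apply"
            and g.resource_name.rpartition("/")[0] == database
            for g in grants
        )
        if has_filter and not _filters_from(grants, database):
            flagged.append(role)
    return flagged


# Constructed sample data mirroring roles A and B from this section.
DB = "/EssbaseCluster-1/Demo/Basic"
ROLES = {
    "A": [parse_grant("oracle.essbase.application, /EssbaseCluster-1/Demo, use_filter"),
          parse_grant("oracle.essbase.filter, /EssbaseCluster-1/Demo/Basic/read_filter, apply")],
    "B": [parse_grant("oracle.essbase.application, /EssbaseCluster-1/Demo, use_filter"),
          parse_grant("oracle.essbase.filter, /EssbaseCluster-1/Demo/Basic/readFeb_filter, apply")],
}
# Role A after its application grant is removed; only the filter grant remains.
ROLES_A_REVOKED = dict(ROLES, A=[ROLES["A"][1]])
# Cluster-wide use_filter, as in the default BIConsumer grant noted in this chapter.
BICONSUMER = [parse_grant("oracle.essbase.application, /EssbaseCluster-1, use_filter")]

if __name__ == "__main__":
    print("JDoe (A+B):", effective_filters(ROLES, ["A", "B"], DB))
    print("A revoked, BI:", effective_filters(ROLES_A_REVOKED, ["A", "B"], DB))
    print("A revoked, same-role:", effective_filters(ROLES_A_REVOKED, ["A", "B"], DB, same_role=True))
    print("relying on other roles:", roles_relying_on_other_roles(ROLES_A_REVOKED, DB))
```

Because BIConsumer carries a cluster-wide use_filter by default, a role that holds only a filter apply grant is still effective for any user who also has BIConsumer; the last function lists such roles for review.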

Configuring Access to Essbase Calculations

Essbase calculations enable you to apply mathematical formulas to data in Essbase multidimensional databases. You enable users to access Essbase calculations by configuring resource permission definitions for Essbase calculations and granting them to application roles.

See Enabling Users to Perform Specific Actions in Essbase and Associated Tools.

What Are Essbase Calculations?

An Essbase calculation enables a user to define and apply complex formulas to dimensional members. You can name calculations and save them in files at the application or database level; these are called calculation scripts. Calculations can also be interactively created and run; these are called inline calculations. Finally, every database has a default calculation defined in the outline.

Calculation scripts are stored in the local file system, and their definitions can be complex and require tool support. For example, you can use Essbase Administration Services (EAS) and Calculation Manager, which provide the ability to:

  • View dimensions and their members.

MaxL can also be used for calculation definition.

Configuring Resource Permission Definitions for Essbase Calculations

Before you can grant an application role permission to use Essbase calculations, appropriate resource permission definitions must exist in the policy store.

See Enabling Users to Perform Specific Actions in Essbase and Associated Tools.

Use the examples in this section to understand how to configure resource permission definitions so that users can use Essbase calculations.

See Resource Permissions Reference for Essbase and Associated Tools.

Example 1 - To configure resource permission definitions to use default and inline calculations in /cluster/App1:

This example configures resource permission definitions to use default and inline calculations in /EssbaseCluster-1/App1. The following resource permission definition must exist in the policy store. For example:

  • oracle.essbase.application, /EssbaseCluster-1, use_calculation

    In this example an application resource permission grants the use_calculation permission to all applications in the cluster.

    OR

  • oracle.essbase.application, /EssbaseCluster-1/App1, use_calculation

    In this example an application resource permission grants the use_calculation permission for the App1 application.

Example 2 - To configure resource permission definitions to use all calculations in /cluster/App1:

To use all calculation scripts in /EssbaseCluster-1/App1, you must ensure that the following permissions exist in the policy store. For example:

  • oracle.essbase.application, /EssbaseCluster-1, use_calculation

    OR

    oracle.essbase.application, /EssbaseCluster-1/App1, use_calculation

    AND

  • oracle.essbase.calculation, /EssbaseCluster-1/App1, all

    This calculation permission grants access to all calculation scripts in App1.

Example 3 - Configuring resource permission definitions to use all calculations in the cluster:

To use all calculations in the cluster, you must ensure that both of the following permissions exist in the policy store. For example:

  • oracle.essbase.application, /EssbaseCluster-1, use_calculation

  • oracle.essbase.calculation, /EssbaseCluster-1, all

Example 4 - Configuring resource permission definitions to use calculation scripts forcastQ1 and forcastQ2:

To use specific calculation scripts in the cluster (for example, forcastQ1 and forcastQ2), you must ensure that the following permissions exist in the policy store. For example:

  • oracle.essbase.application, /EssbaseCluster-1, use_calculation

    OR

    oracle.essbase.application, /EssbaseCluster-1/App1, use_calculation

  • oracle.essbase.calculation, /EssbaseCluster-1/App1/Db1/forcastQ1, execute

    AND

  • oracle.essbase.calculation, /EssbaseCluster-1/App1/Db1/forcastQ2, execute

Note:

A grant to a specific calculation script revokes cluster or application level access to all calculations. Consider specific grants to calculation scripts as restrictions.

For example:

A user with the following grants has access only to the forcastQ1 calculation script:

  • oracle.essbase.application, /EssbaseCluster-1, use_calculation

  • oracle.essbase.calculation, /EssbaseCluster-1, all

  • oracle.essbase.calculation, /EssbaseCluster-1/App1/Db1/forcastQ1, execute

Note:

The presence of an oracle.essbase.calculation grant does not imply oracle.essbase.application calculate access. For example:

If there is no oracle.essbase.application calculate grant, a user with any of the following grants does not have access to any calculation, whether outline, inline, or script:

  • oracle.essbase.calculation, /EssbaseCluster-1/App1, all

  • oracle.essbase.calculation, /EssbaseCluster-1, all

  • oracle.essbase.calculation, /EssbaseCluster-1/App1/Db1/forcastQ1, execute
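The rules in the two notes above can be checked against a planned set of grants before they go into the policy store. The following Python model is an added illustration, not Oracle code or the Essbase implementation; it assumes that a script-specific execute grant restricts the whole grant set being evaluated, takes the calculation-capable application actions from the hierarchical action list in this chapter, and does not model oracle.essbase.server grants.

```python
"""Model of the calculation-access rules in the notes above (added illustration)."""
from typing import NamedTuple

APP = "oracle.essbase.application"
CALC = "oracle.essbase.calculation"
# Application actions are hierarchical: these actions include use_calculation.
CALC_CAPABLE = {"manage_application", "manage_database", "use_calculation"}


class Grant(NamedTuple):
    rtype: str   # resource type
    name: str    # resource name: a scope or a /cluster/app/db/script path
    action: str


def covers(scope: str, target: str) -> bool:
    """True if hierarchical scope `scope` contains `target`, by path segment."""
    scope = scope.rstrip("/")
    return target == scope or target.startswith(scope + "/")


def has_app_calc_access(grants, app_path: str) -> bool:
    """Gate for every calculation: an application grant covering the app."""
    return any(g.rtype == APP and g.action in CALC_CAPABLE
               and covers(g.name, app_path) for g in grants)


def can_run_script(grants, script_path: str) -> bool:
    """Decide access to one named script, e.g. /cluster/App1/Db1/forcastQ1."""
    parts = script_path.split("/")          # ['', cluster, app, db, script]
    if len(parts) != 5 or not all(parts[1:]):
        raise ValueError(f"not a /cluster/app/db/script path: {script_path!r}")
    if not has_app_calc_access(grants, "/".join(parts[:3])):
        return False                        # calculation grants alone give nothing
    calc = [g for g in grants if g.rtype == CALC]
    specific = {g.name for g in calc if g.action == "execute"}
    if specific:                            # specific grants act as restrictions
        return script_path in specific
    return any(g.action == "all" and covers(g.name, script_path) for g in calc)


def audit(grants):
    """Flag calculation grants that do not behave the way they read."""
    apps = [g.name for g in grants if g.rtype == APP and g.action in CALC_CAPABLE]
    has_specific = any(g.rtype == CALC and g.action == "execute" for g in grants)
    findings = []
    for g in (g for g in grants if g.rtype == CALC):
        if not any(covers(a, g.name) or covers(g.name, a) for a in apps):
            findings.append(("no_application_grant", g))
        elif g.action == "all" and has_specific:
            findings.append(("overridden_by_specific_grant", g))
    return findings


# Grant sets taken from the two notes above.
Q1 = "/EssbaseCluster-1/App1/Db1/forcastQ1"
Q2 = "/EssbaseCluster-1/App1/Db1/forcastQ2"
RESTRICTED = [
    Grant(APP, "/EssbaseCluster-1", "use_calculation"),
    Grant(CALC, "/EssbaseCluster-1", "all"),
    Grant(CALC, Q1, "execute"),
]
NO_APP_GRANT = [
    Grant(CALC, "/EssbaseCluster-1/App1", "all"),
    Grant(CALC, "/EssbaseCluster-1", "all"),
    Grant(CALC, Q1, "execute"),
]

if __name__ == "__main__":
    for label, grants in (("restricted", RESTRICTED), ("no app grant", NO_APP_GRANT)):
        print(label, can_run_script(grants, Q1), can_run_script(grants, Q2))
        for code, g in audit(grants):
            print("  ", code, g.name, g.action)
```

Running the audit over an application role's combined grants shows where a cluster-wide all grant is silently narrowed by a script-specific grant, and where calculation grants have no effect because the application grant is missing.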

Enabling Users to Access Essbase Calculations

You enable a user to access Essbase calculations by granting one or more Essbase calculation access permissions to an application role that is associated with the user. 

By default, users with the calculate permission can execute the default and inline calculations on all databases.

  1. If the calculation script does not exist, then create and activate it using Essbase Administration Services Console or the MaxL command line.

    See Oracle Essbase Database Administrator's Guide and Oracle Essbase Administration Services Online Help:

    Oracle Essbase documentation

  2. Grant the Essbase calculation access permission to an application role using Fusion Middleware Control.

Changing Essbase Ports in Oracle Business Intelligence

Essbase Agent uses two types of ports. Because the Agent runs on the BI Managed WebLogic Server, it listens on that server's HTTP port.

That HTTP port is common to all the applications hosted on the BI Managed Server, so this section covers changing the Essbase-specific ports.

By default, Essbase Agent uses port 9799. To change this port, edit the AGENTPORT parameter in essbase.cfg.

The Essbase Server uses a port range and by default it uses the available ports. To explicitly specify a server port range, define SERVERPORTBEGIN and SERVERPORTEND settings in essbase.cfg.

Use these steps to update the Essbase Agent port number or Essbase server port range.
  1. To update the Essbase Agent port number:
    1. Create a backup of DOMAIN_HOME/config/fmwconfig/biconfig/essbase/essbase.cfg
    2. Open essbase.cfg, and locate and update the AGENTPORT parameter.

      For example: AGENTPORT 9799 can be changed to AGENTPORT 9779 where 9779 is any free port of your choice.

    3. Save the essbase.cfg file.
    4. Restart the BI Managed server.
  2. To update the Essbase server port range:
    1. Open the essbase.cfg file for editing:
      DOMAIN_HOME/config/fmwconfig/biconfig/essbase/essbase.cfg
    2. Add SERVERPORTBEGIN and SERVERPORTEND parameters to suit your environment.

      For example:

      SERVERPORTBEGIN 9000

      SERVERPORTEND 9499

    3. Save the essbase.cfg file.
    4. Restart the BI Managed server.

      Note:

      If you are performing this step after a scaleout, make sure to edit the corresponding essbase.cfg on all other nodes so that it has the same entries as the primary, and then restart the BI Cluster (all the managed servers of bi_cluster).

Resource Permissions Reference for Essbase

This section provides reference information about the resource permissions for Essbase that are configured by default when you install Essbase with Oracle Business Intelligence.

To access Essbase-related functionality, a user (or a group or application role that the user belongs to) needs to be granted one or more resource permissions. Essbase-related resource permissions are defined by resource type, name, and actions and are held in the Policy Store as part of the Oracle Fusion Middleware security model. See Managing the Policy Store in Securing Applications with Oracle Platform Security Services.

  • Resource Type

    Includes a named group of permissions.

  • Resource Name

    Specifies the scope for which a permission applies.

  • Action

    Defines what operation the permission allows the grantee to perform.

You manage Essbase-related resource permissions using Oracle Fusion Middleware Control. However, you can also use APIs in Oracle Platform Security Services using JMX or Oracle WebLogic Scripting Tool.

Note:

When Essbase is installed with Oracle Business Intelligence, the functionality described in this chapter replaces that provided by Hyperion Shared Services for provisioning users.

This topic contains the following sections:

What Resource Types Apply to Essbase?

Resource types are named groups of permissions that can be associated with specific actions. There are several levels of authority in the Essbase server with a resource type for each. Resource types are used by Fusion Middleware Control to limit the list of applicable Essbase-related actions when selecting a new grant.

The following table lists the Essbase-related resource types that are supported in Oracle Business Intelligence.

| Resource Type | Description |
|---|---|
| oracle.essbase.server | Global, cluster, and server level permissions. |
| oracle.essbase.application | Application level permissions required to use filters and calculations. |
| oracle.essbase.filter | Filter access control. |
| oracle.essbase.calculation | Calculation script access control. |

What Resource Names Apply to Essbase?

Each resource type has a set of resources and actions that can be authorized. Essbase-related resource names are either specific objects or scopes in which objects are contained.

For oracle.essbase.server and oracle.essbase.application resource types, resource names are scopes. They are hierarchical and as such any scope in the following table includes the set of scopes contained within it.

The following table lists the supported Essbase scopes:

| Name | Scope |
|---|---|
| / | Global, all clusters, all applications, all cubes. |
| /cluster | All applications within a logical cluster. |
| /cluster/application | Specific application and its cubes. |

The following table lists the supported oracle.essbase.filter scopes:

| Name | Scope |
|---|---|
| /cluster/application/database/filtername | Access to a specific, named filter. |

The following table lists the supported Essbase calculation scopes:

| Name | Scope |
|---|---|
| /cluster/ | All calculation scripts at cluster level: any applications, any cubes. |
| /cluster/application | All calculation scripts at application level: any cube within the named application. |
| /cluster/application/database/scriptname | Access to a specific named calculation script. |

What Actions Apply to Essbase?

Essbase-related actions (permissions) represent operations that a user can perform on Essbase.

Actions granted to oracle.essbase.server or oracle.essbase.application resource types are hierarchical, such that any action listed includes the set of permissions listed beneath it.

For example, granting oracle.essbase.application, /EssbaseCluster-1, read enables the grantee to read multidimensional databases and to restart the applications in EssbaseCluster-1.

Actions on other Essbase-related resource types are not hierarchical and need to be individually granted.

The series of tables below gives details on the actions available with each Essbase-related resource type.

The following table lists the supported oracle.essbase.server actions:

| Action | Description |
|---|---|
| administer | Full access to administer the server, applications, and databases. |
| Create | Ability to create and delete applications and databases within applications. Includes Application Manager and Database Manager permissions for the applications and databases created by this user. |
| Access | Ability to log in to Essbase. This is deprecated and the existence of any server or application permission now suffices. |

Note:

A user that creates an application has permission to manage that application within the same session. The same user requires an explicit grant to manage the application in subsequent sessions.

The following table lists supported oracle.essbase.application actions.

| Action | Description |
|---|---|
| manage_application | Ability to create, delete, and modify databases and application settings within the particular application. Includes Database Manager permissions for databases within the application. |
| manage_database | Ability to manage databases (for example, to change the database properties or cache settings), database artifacts, locks, and sessions within the assigned application. |
| use_calculation | Ability to execute calculations, update, and read data values based on the assigned scope, using any assigned calculations and filter. |
| write | Ability to update and read data values based on the assigned scope, using any assigned filter. |
| read | Ability to read data values. |
| use_filter | Ability to access specific data and metadata according to the restrictions of a filter. |
| restart | Ability to start and stop an application or database. |

The following table lists supported oracle.essbase.filter actions.

| Action | Description |
|---|---|
| Apply | Apply the filter identified by the resource name. |

The following table lists supported oracle.essbase.calculation actions.

| Action | Description |
|---|---|
| all | Enables the user to execute any calculation that is contained in the scope referenced by the resource name. |
| execute | Enables the user to execute the calculation script that is identified by the resource name. |

The following table lists permissions granted to Oracle Business Intelligence application roles.

| Role Name | Resource Permission | Role Members |
|---|---|---|
| BIAdministrator | oracle.essbase.server, /, administrator | BIAdministrators group |
| BIAuthor | not applicable | BIAuthors group; BIAdministrator application role |
| BIConsumer | oracle.essbase.server,/,access,use_filter | BIConsumers group; BIAuthor application role |
| AuthenticatedUser | not applicable | BIConsumer |

The application role hierarchy and permission grants shown are defaults only, and the administrator user can change them in Fusion Middleware Control.

AuthenticatedUser is a member of BIConsumer by default. This means that any successfully authenticated user has BIConsumer role permissions.

Managing Essbase System Administration in Oracle Business Intelligence

You manage Essbase system administration in Oracle Business Intelligence by starting and stopping Essbase Agents, enabling and viewing log files, setting logging levels, migrating Essbase configuration between domains, monitoring Essbase metrics, and backing up and recovering Essbase data.

This topic contains the following sections:

Starting and Stopping Essbase Components

You can monitor status, and start and stop Essbase components using BI process control commands (uses JAgent).

Maintaining High Availability of Essbase Components in Oracle Business Intelligence

High availability for Essbase in Oracle Business Intelligence is automatically maintained using an active-passive fault tolerance model.

Scaling Out Essbase to Support High Availability

You scale out Essbase onto additional computers to support high availability between computers. Scale-out is achieved in a similar way to existing Oracle BI EE components (see Managing Availability in Oracle Business Intelligence (Horizontally Scaling)).

About the Essbase Active-Passive Topology

The two-node active-passive topology applies to the Essbase Server and Agent plus the mid-tier Essbase Administration Services, Analytic Provider Services, and Essbase Studio Server components.

See Oracle Essbase High Availability Concepts, Configuring Oracle Essbase Clustering, and Oracle Hyperion Provider Services Component Architecture in High Availability Guide.

Managing Essbase Capacity

You manage Essbase capacity within Oracle Business Intelligence by monitoring Essbase components and service levels using Fusion Middleware Control to answer the following questions:

Configuring Logging for Essbase Components

You configure logging for all Essbase components in the BI Domain logging.xml file.

The file is located in:

DOMAIN_HOME/config/fmwconfig/servers/<BI_MANAGED_SERVER_NAME>

Log configuration details for each Essbase subcomponent, along with the location of the corresponding Oracle Diagnostic Log (ODL) files are provided below:

Essbase Java-Agent specific Logging Configuration

<log_handler name='jagent-handler-text' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
   <property name='path' value='${domain.home}/servers/${weblogic.Name}/logs/essbase/jagent.log'/>
   <property name='maxFileSize' value='10485760'/>
   <property name='maxLogSize' value='104857600'/>
   <property name='useSourceClassAndMethod' value='true'/>
</log_handler> 
<logger name='oracle.JAGENT' level='NOTIFICATION:1' useParentHandlers='false'>
   <handler name='jagent-handler-text'/>
</logger>

Essbase Applications specific Logging Configuration

<log_handler name='serverhandler' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
   <property name='path' value='${domain.home}/servers/${weblogic.Name}/logs/essbase/essbase'/>
   <property name='maxFileSize' value='10485760'/>
   <property name='maxLogSize' value='524288000'/>
</log_handler>
<logger name='DefSvrLogger' level='TRACE:1' useParentHandlers='false'>
   <handler name='serverhandler'/>
</logger>

Provider Services (APS) specific Logging Configuration

<log_handler name='provider-services-handler' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
   <property name='path' value='${domain.home}/servers/${weblogic.Name}/logs/aps/apsserver.log'/>
   <property name='maxFileSize' value='10485760'/>
   <property name='maxLogSize' value='104857600'/>
</log_handler>
<logger name='oracle.EPMOHPS' level='WARNING' useParentHandlers='false'>
   <handler name='provider-services-handler'/>
</logger>

Essbase WebServices specific Logging Configuration

<log_handler name='essbase-ws-handler' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
   <property name='path' value='${domain.home}/servers/${weblogic.Name}/logs/essbasews.log'/>
   <property name='maxFileSize' value='10485760'/>
   <property name='maxLogSize' value='104857600'/>
</log_handler>    
<logger name='oracle.EPMOHEWS' level='WARNING:1' useParentHandlers='false'>
   <handler name='essbase-ws-handler'/>
</logger>

Essbase Cube Deployment Service specific Logging Configuration

<log_handler name='cds-handler' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
   <property name='path' value='${domain.home}/servers/${weblogic.Name}/logs/cds/cds.log'/>
   <property name='maxFileSize' value='10485760'/>
   <property name='maxLogSize' value='104857600'/>
</log_handler>
<logger name='oracle.essbase.cds' level='NOTIFICATION:1' useParentHandlers='false'>
   <handler name='cds-handler'/>
</logger>

Migrating Essbase Configuration Between Domains

You can migrate an Essbase configuration between domains for an Oracle Enterprise Performance Management System installation.

Monitoring Essbase Metrics

You monitor Essbase metrics using Fusion Middleware Control.

See Monitoring Service Levels.

Backup and Recovery of Essbase Data

This section describes backing up and recovering Essbase data when Essbase is installed with Oracle Business Intelligence.

For information about backing up and recovering Essbase data, see:

Working with Essbase Data in Oracle Business Intelligence

These topics provide orientation for using Essbase in Oracle Business Intelligence.

This section introduces working with Essbase cubes in Oracle Business Intelligence:

Enabling Single Sign-On for Essbase Data Sources

To enable SSO for Essbase data sources installed using the Oracle Business Intelligence installer, you select SSO in the General tab of the connection pool object that corresponds to the Essbase data source in the Oracle BI repository.

Also select the Virtual Private Database option in the corresponding database object to protect cache entries.

See Multidimensional Connection Pool Properties in the General Tab in Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

Also see note 1993210.1 at:

https://support.oracle.com

Creating, Scheduling, and Running Analyses and Reports Where Essbase Is the Data Source

A user with the BI Author application role can create, schedule, and run analyses and reports where Essbase is the data source, where filters are applied using the identity of the end user, and where SSO is configured.

For more information about:

  • Creating, scheduling, and running Oracle Business Intelligence analyses, see:

    User's Guide for Oracle Business Intelligence Enterprise Edition

  • Creating and running BI Publisher reports, see:

    Administrator's Guide for Oracle Business Intelligence Publisher

Enabling Oracle BI EE to Connect to Essbase Over SSL

This section addresses how Oracle BI Server handles Essbase connectivity when both the Oracle BI Server and Essbase are installed and configured as part of Oracle Business Intelligence.

If Essbase is configured for SSL, the BI Server (which uses the Essbase RTC client) must perform all the client side SSL configuration as an Essbase client.

If the BI Server and Essbase run on the same machine, and the Essbase server is configured for SSL, then the BI Server can simply point to the Essbase configuration file (essbase.cfg). To do this you add the ESSBASE_CONFIG_PATH property to obis.properties to specify the location of essbase.cfg.

If you need the Oracle BI Server to have a custom client side essbase.cfg (for example, to control specific Essbase client settings), but you do not want to use the Essbase server configuration file, then refer to the sections "Setting up an Essbase Client Wallet" and "Copying and Configuring the Wallet Path" in the 12c version of Essbase Database Administrator Guide. In this case, the obis.properties file must point to the directory location which contains essbase.cfg defined for the Oracle BI Server.

To make the BI Server point to the essbase.cfg location:

  1. Open the obis.properties file located here:

    DOMAIN_HOME/config/fmwconfig/bienv/OBIS/obis.properties

    Add the ESSBASE_CONFIG_PATH property with a value that represents either the path to the location of the essbase.cfg defined for Oracle BI EE, or the location that is already being used by Essbase Server.

    For example, to point to the Essbase server's configuration file:

    ESSBASE_CONFIG_PATH=DOMAIN_HOME/config/fmwconfig/biconfig/essbase

  2. Save the obis.properties file.

Note:

End-to-End SSL configuration is not supported in the 12.2.1.0.0 release. That is, if the Oracle BI Server is also configured for SSL, then connectivity between Oracle BI Server and the Essbase server will not work. However, this will be supported in a future release of 12c.

Where Can I Learn More Information About Essbase?

There are several places where you can learn more about Essbase.

Use the following links to learn more about Essbase in Oracle Enterprise Performance Management System.