1. Essbase Stack Deployment on Oracle Cloud Infrastructure
  2. Migrate Essbase Applications
  3. Migrate From Essbase 11g On-Premise
  4. Migrate Essbase 11g Users and Groups

Migrate Essbase 11g Users and Groups

Here you learn about migrating users and groups. The task flow varies depending on your identity provider and details about your applications.

Prerequisites and Considerations

  • If, for your 11g Essbase instance, you stored users and groups natively in EPM Shared Services, you need to export those users and groups, to import them into your security provider for Essbase 21c. Reformatting of the exported user and group files may be required if you're migrating from EPM Shared Services into WebLogic Embedded LDAP.

    EPM Shared Services security is recommended only for Essbase customers who also use EPM applications and have user overlap between EPM applications and “stand-alone” Essbase applications. Essbase customers who don't use any EPM applications are recommended to migrate to Essbase using the default WebLogic security, and not EPM Shared Services security. WebLogic security can be federated with many external authentication identity providers. See WebLogic Authentication.

  • If you want filters and calculation assignments of existing users to be migrated, ensure that Essbase has the same set of users and groups already available.

  • If you're using native (default) identity providers, migrate users and groups from Essbase 11g On-Premise by exporting them to a CSV file and importing them after you install and configure Essbase 21c. If you're using federated/external providers, integrate these with Essbase 21c.

  • When you import user names, the following special characters are not allowed in the name.

    # ; , = + * ? [ ] |< > \ " ' / [Space] [Tab]

    The name length is limited to 50 characters.

Scenario 1 - Exporting users/groups from Essbase 11g and importing them into Essbase 21c, which is configured in EPM security mode

Scenarios for Migrating users and groups

Exporting users/groups

  • If the native Shared Services directory is used in the source EPM instance, then export users and groups using Shared Services Console. See Migrating Native Directory (Security). You should only select users and groups, and don't migrate roles, while exporting from EPM Shared Services. User roles are migrated by the Essbase 11g LCM Export Utility.
  • If a source Shared Services instance is configured to use an external security provider, then no explicit user/group export is required.

Importing users/groups

  • If native Shared Services directory is used in the target EPM instance, then import users and groups using Shared Services Console.
  • If the source EPM instance was configured to use an external security provider (including when you use MSAD or other LDAP-based user directories), then configure the target Shared Services instance with the same provider details. See Configuring OID, Active Directory, and Other LDAP-based User Directories.

Options for the Shared Services Administrator

If you want to import the Shared Services administrator user from an Essbase 11g On-Premise instance to an Essbase 21c instance configured to use EPM Shared Services for authentication, the following considerations can help you avoid pitfalls.

Before any user migration steps, ensure you have a dedicated EPM Foundation-only instance of Shared Services that you have configured with Essbase 21c. This Shared Services instance already has a Shared Services administrator.

Caution:

If the Shared Services administrator in the source 11g EPM instance isn’t the same administrator that you configured in the target EPM Foundation-only instance, and you include this source administrator in the CSV file when you import users to your EPM Foundation-only Shared Services configured with Essbase 21c, your target Shared Services administrator will be overwritten by the 11g Shared Services administrator.

To handle this, select an option:

  • Only Use 11g Administrator

    Allow the source Shared Services administrator to overwrite the target administrator.

    1. Export all users from Essbase 11g On-Premise to a CSV file, including the Shared Services administrator.
    2. Import all users to the target, empty EPM Foundation-only instance.
    3. Log in on the target instance as the 11g Shared Services administrator, and assign roles and permissions to users. Your Shared Services administrator user in the target instance retains the same user ID, but has the password you specified during configuration on the target instance.

  • Only Use Target Administrator

    Remove the 11g Shared Services administrator from the export file, so that the target administrator will not be overwritten.

    1. Export all users from Essbase 11g On-Premise to a CSV file, including the Shared Services administrator.
    2. From the export CSV file, remove the row containing the administrator.
    3. Import the rest of the users to the target, empty EPM Foundation-only instance.
    4. Log in as the target Shared Services administrator, and assign roles and permissions to users.

  • Keep Both Administrators

    Take steps to migrate the 11g Shared Services administrator without affecting the target administrator.

    1. Export all users from Essbase 11g On-Premise to a CSV file, including the Shared Services administrator.
    2. Edit the CSV file to remove the internal_id value associated with the source Shared Services administrator. This removes the Shared Services and Essbase administrator role, but keeps the user ID and password intact.
    3. Import the users to the target EPM Foundation-only instance. The Shared Services administrator's user ID is migrated, but no longer has administrator role.
    4. Log in as the target Shared Services administrator and grant whichever role you want to give to the 11g Shared Services administrator user ID you just migrated.

Scenario 2 - Exporting users/groups from Essbase 11g and Importing them into Essbase 21c, which is configured in WebLogic security mode

Exporting users/groups

  • If native Shared Services directory is used in the source EPM instance, then export users and groups using Shared Services Console. See Migrating Native Directory (Security).
  • If source Shared Services instance is configured to use an external security provider, then no explicit user/group export is required.

Importing users/groups

  • If native Shared Services directory was used in the EPM 11g instance, then you may need to manually convert the file exported from Shared Services to a format that WebLogic security mode can understand.
    1. Open the users/groups zip files exported by Shared Services, and extract the files "resource\Native Directory\Users.csv" and "resource\Native Directory\Groups.csv" as target 21c files.
    2. Manually assign groups as follows: user group associations should be extracted from the source Essbase 11g CSV file, added to the target Essbase 21c CSV file, and then later imported into the Essbase 21c interface.
    3. Manually re-order the columns in these target 21c CSV files to a format that contains the user ID, first and last names (optional), email address (optional), password (optional) and role type (User, Power User, or Service Administrator).
    4. Please specify the role type field in these target CSV files as "User".
    5. Import the modified target CSV files using the Essbase 21c interface, logged in as a Service Administrator. Go to the Applications home page > Security > Import. Browse to the .csv files, and click Import.
  • If source EPM instance was configured to use an external security provider, then please configure WebLogic with the same security provider details. See Configuring Authentication Providers.

  • Your existing 11g Essbase instances use EPM Shared Services security, with users and groups stored natively in Shared Services or with users and groups stored in an external identity provider.

    During configuration of Essbase 21c, you chose a security mode: either embedded WebLogic or EPM Shared Services security. Regardless of the selected security mode, if your Essbase users and groups exist in an external identity provider, you should integrate Essbase 21c with that provider. See WebLogic Authentication and EPM Shared Services Authentication and their subtopics on external identity providers.

    Note:

    Reformatting of the exported user and group files may be required if you're migrating from EPM Shared Services into WebLogic Embedded LDAP.

    Note:

    EPM Shared Services security is recommended only for Essbase customers who also use EPM applications and have user overlap between EPM applications and “stand-alone” Essbase applications. Essbase customers who don't use any EPM applications are recommended to migrate to Essbase using the default WebLogic security, and not EPM Shared Services security. WebLogic security can be federated with many external authentication identity providers. See WebLogic Authentication.

User Roles for Access

Assignment of user roles behavior differs from Essbase 11g On-Premise if you choose Essbase to run in WebLogic security mode. Database Access is now the lowest role, and has, by default, read access to data values in all cells. To restrict access to data values, you must create a NONE filter and assign it to users and groups. This was not a requirement in Essbase 11g On-Premise, where Filter was the lowest role, and has, by default, no access to data values in all cells.

The following Essbase security artifacts are migrated using the 11g LCM Export Utility: Essbase server-level roles, application-level roles, filter associations, and calc associations. If you choose to migrate to an Essbase instance that uses WebLogic security, LCM handles provisioning users and groups with the corresponding new roles. Note that this mapping isn't applicable if your target Essbase instance is configured to EPM Shared Services security and the same 11g roles would remain in Essbase.

Table 4-1 Default role mapping

Source 11g EPM Shared Services Roles Target 21c WebLogic Embedded LDAP Roles Level
Administrator Service Administrator Server
Application Manager Application Manager Application
Calc Database Update Application
Create/Delete application Power User Server
Database Manager Database Manager Application
Filter Database Access Application
Read Database Access Application
Server Access User Server
Write Database Update Application

Note that Filter role in Essbase 11g On-Premise doesn't allow Read access, but allows access to members restricted by the filter. Now, there's no Filter role, and the lowest role access is Database Access, which allows Read access to all members. To restrict access to selective members, use a group filter that restricts global access.

Required access for tasks:

  • For exporting: A user with at least Application Manager role, for the application created, can export applications, folders, and artifacts.

    In addition, the following roles can use the 11g LCM Export Utility and their corresponding operations: Service Administrator role for all applications; Create or Delete Application roles for only those applications created by the user.

  • For importing: A user with at least Power User role (in WebLogic security mode) or Create or Delete application roles (in EPM security mode) can create applications (during import) and manage applications can create applications (during import) and manage applications.

Scenario 3 - Exporting users/groups from Essbase 11g and Importing them into Essbase 21c, which is configured in IDCS mode

See Export 11g Users and Groups to Essbase 21c Configured in IDCS.