EPM Shared Services Authentication

If you use EPM Shared Services authentication with Essbase 21c, Shared Services manages all the Essbase users, groups, roles, and permissions.

Requirements to Integrate EPM Shared Services with Essbase 21c

Essbase 21c with Shared Services authentication requires a network-accessible, dedicated EPM 11g Services installation, separate from any EPM installation you have already deployed. Oracle recommends that this Foundation Services instance not be on the same host where you are running Essbase.

For versions prior to Essbase 21.2.1, you must install or reuse an existing EPM 11.1.2.4 or 11.2.x (Foundation only) and not use your existing Shared Services for Essbase integration. For versions of Essbase v21.2.1 and later, install EPM 11.2.x (including 11.2.x Essbase), to configure with 21.2.x.

Caution:

For versions prior to Essbase 21.2.1, if you attempt to configure Essbase with a production Essbase 11g instance that is associated with Essbase 11g On-Premise, your Essbase 11g instance in Shared Services will be overwritten!

If you plan to set up a failover environment, and you are using EPM Shared Services for authentication, then you must install EPM 11g Services to a shared network location accessible by all the Essbase nodes. If this is not possible, you can install only the EPM Foundation component locally in each Essbase node, but pointing to the same EPM Schema. Each Essbase node must be able to find the EPM_ORACLE_HOME and EPM_ORACLE_INSTANCE locations associated with your EPM installation.

About User Directories

User directories (also called identity providers, security providers, or external authentication providers), are directory services providing user and group authentication. LDAP is one example. By default, Shared Services uses a native LDAP directory to store users and groups, but you can optionally configure it to use a federated (external) LDAP or identity provider. To add an external provider to Shared Services, see Configuring LDAP-based User Directories.

You can share one user directory between both EPM 11g Services instances.

Configure Essbase with EPM Shared Services

1. For versions prior to Essbase 21.2.1, you must install or reuse an existing EPM 11.1.2.4 or 11.2.x (Foundation only) and not use your existing Shared Services for Essbase integration. For versions of Essbase v21.2.1 and later, install EPM 11.2.x (including 11.2.x Essbase), to configure with 21.2.x.

2. Start Shared Services (it must be running when you go to configure Essbase).

3. Install Essbase 21.3 on the same system (or network) where you just installed EPM Services.

4. Configure Essbase. When you get to the Identity Provider screen,

   1. Click the check box to Enable EPM Shared Services Identity Provider.

   2. Specify the EPM installation locations <EPM_Oracle_Home> and <EPM_Oracle_Instance>. These EPM directories must be network-accessible from the Essbase 21c instance you are configuring. All external providers configured in Shared Services for use by Essbase MUST have trust enabled. See Essbase 21 Not Authenticating to External Provider When Configured with Shared Services, Essbase UI Login Screen Flashes. Doc ID 2938405.1).

5. Complete the Essbase 21c configuration.

6. Choose an option:

   1. Federate the new Shared Services environment with your identity provider.

   2. Migrate users and groups only, using Shared Services. Do not select to export roles. Instead, use the 11g Export Utility or LCM Export to export roles with the application export.

   For more about these options, see Scenario 1 in Migrate 11g Users and Groups Migrate Essbase 11g Users and Groups.

7. Migrate roles when you migrate applications. See Prepare to Migrate From Essbase 11g.

Essbase and Shared Services Authentication Diagram