1. Using Oracle Essbase
  2. Understand Your Access Permissions in Essbase

4 Understand Your Access Permissions in Essbase

How you work with Essbase depends on your user role and application-level permissions.

In Essbase, there are three user roles:

The majority of Essbase users have User role. Power User and Service Administrator roles are reserved for those who require permission to author and maintain applications. Users with User role are granted application-level permissions that distinguish their access to data and permissions in each application.

Depending on your security provider, user roles and permissions may be different. When Essbase uses an external identity provider, the administrator manages user roles, permissions, users, and groups in the external provider, rather than in Essbase.

See About Identity Providers.

Security Provider Add, remove, and manage users and groups Provision and deprovision roles
EPM Shared Services security mode In the Shared Services Console In the Shared Services Console
External security configured in WebLogic In the external provider In the Essbase web interface or REST API
WebLogic Embedded LDAP In the Essbase web interface or REST API In the Essbase web interface or REST API

Note:

WebLogic Embedded LDAP is not recommended for production environments.

EPM Shared Services security mode

The following Essbase web interface items are disabled in EPM Shared Services security mode:

  • The Security page (there is no Security icon in the Essbase web interface)

    Essbase users and groups are stored directly in EPM Shared Services and are not added or managed in the Essbase web interface.

  • The Permissions tab in the application inspector
  • The Reset Password option on the Admin menu

External security configured in WebLogic

If you are using an external security provider configured in WebLogic, Essbase users and groups are stored directly in the external provider and are not added or managed in the Essbase web interface. However, you provision and deprovision roles in the Essbase web interface or through the REST API.

The following Essbase web interface items are enabled when using external security configured in WebLogic:

  • The Security page (there is a Security icon in the Essbase web interface)
  • The Roles tab on the Security page (the Users and Groups tab is disabled)
  • The Permissions tab in the application inspector
  • The Reset Password option on the Admin menu

Note:

If you need to clean up inactive users/groups from Essbase after they have been removed or renamed on the external provider, use the MaxL Drop User and Drop Group statements.

WebLogic Embedded LDAP (an internal LDAP that is part of WebLogic, and is not recommended for production use):

Use the Security page (the Security icon on the Applications page) in the Essbase web interface or use the REST API to manage users and groups and to provision and deprovision roles.