SECURITY ADMINISTRATION GUIDE
- Cody Perry
HYPERION RELEASE SECURITY ADMINISTRATION GUIDE P/N: DHA
Hyperion Shared Services Security Administration Guide, Copyright 2006, 2009, Oracle and/or its affiliates. All rights reserved. Authors: EPM Information Development Team

The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.

If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR , Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.
Contents

Chapter 1. About Hyperion Security: Security Components; User Authentication; Authentication Components; Security API; Native Directory; User Directories; User Authentication Scenarios; Single Sign-on Directly to Hyperion Products; Single Sign-on from External Systems; Provisioning (Role-Based Authorization); Roles; Global Roles; Predefined Roles; Aggregated Roles; Users; Groups

Chapter 2. Setting Up Authentication: Setting Up Direct Authentication to Hyperion Products; Creating Users on the User Directory; Creating Groups; Migrating Users and Groups to Shared Services Security; Installing and Deploying Shared Services; Identifying User Directories to Shared Services; Setting Up SSO with SAP Enterprise Portal; Nested SAP Groups; Inheritance Policy for Nested Groups; Deployment Locations; Prerequisites; Setting Up SSO from SiteMinder; Special Considerations; Configuring the SiteMinder Policy Server; Configuring the SiteMinder Web Agent; Enabling SiteMinder Authentication in Shared Services; Other Procedures; Using NTLM to Support SSO; NTLM with UNIX Application Environments; Support for Multiple NTLM Domains

Chapter 3. User Management Console: Launching User Management Console; Overview of User Management Console; Navigating in User Management Console; Searching for Users, Groups, Roles, and Delegated Lists

Chapter 4. Configuring User Directories: Operations Related to User Directory Configuration; Using the Unique Identity Attribute to Handle Inter-OU Moves in LDAP-Enabled User Directories; Planning the Migration to the Unique Identity Attribute; Back Up Native Directory and Hyperion Product Repositories; Migration Sequence; Behavior During Migration; Important Considerations When Using the Unique Identity Attribute; Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User Directories; Configuring an SAP Provider; Configuring an NTLM User Directory; Configuring Relational Databases as User Directories; Testing User Directory Connections; Editing User Directory Settings; Deleting User Directory Configurations; Managing User Directory Search Order; Adding a User Directory to the Search Order; Changing the Search Order; Removing a Search Order Assignment; Setting Global Parameters; Overriding Cache Refresh Interval for MSAD and other LDAP-Enabled User Directories; Setting Timeout to Resolve SAP Keystore File; Connection Pooling; Using Special Characters

Chapter 5. Working with Applications and Projects: Overview; Working with Projects; Creating Projects; Modifying Project Properties; Deleting Projects; Managing Applications; Assigning Access Permissions to Applications; Moving Applications; Copying Provisioning Information Across Applications; Deleting an Application

Chapter 6. Delegated User Management: About Delegated User Management; Hierarchy of Administrators; Shared Services Administrators; Delegated Administrators; Enabling Delegated User Management Mode; Creating Delegated Administrators; Planning Steps; User Accounts for Delegated Administrators; Create a Delegation Plan; Provisioning Delegated Administrators; Creating Delegated Lists; Modifying Delegated Lists; Deleting Delegated Lists; Viewing Delegated Reports

Chapter 7. Managing Native Directory: About Native Directory; Installation Location; Default Users and Groups; Starting Native Directory; Starting Native Directory in Normal Mode; Starting Native Directory in Debug Mode; Stopping Native Directory; Managing Native Directory Users; Creating Users; Modifying User Accounts; Deactivating User Accounts; Activating Inactive User Accounts; Deleting User Accounts; Managing Native Directory Groups; Creating Groups; Modifying Groups; Deleting Groups; Managing Roles; Creating Aggregated Roles; Modifying Aggregated Roles; Deleting Aggregated Roles; Changing Native Directory root User Password; Backing Up the Native Directory Database; Best Practices; Hot Backup; Cold Backup; Synchronizing Native Directory Database with the Shared Services Repository; Recovering Native Directory Data; Setting Up Native Directory for High Availability and Failover; Out of the Box Deployment; Cold Standby Deployment; Hot Standby Deployment; Migrating Native Directory

Chapter 8. Managing Provisioning: Provisioning Users and Groups; Deprovisioning Users and Groups; Generating Provisioning Reports; Importing and Exporting Native Directory Data; Overview; Use Scenarios; Move Provisioning Data Across Environments; Manage Users and Groups in Native Directory; Bulk Provision Users and Groups; Installing the Import/Export Utility; Before Starting Import/Export Operations; Sample importexport.properties File; Sequence of Operations; Preparing the Property File; Product Codes; Considerations for Setting Filters; Prerequisites for Running Import/Export Utility from a Remote Host; Running the Utility; Import File format; XML File Format; CSV File Format

Chapter 9. Using the Update Native Directory Utility to Clean Stale Native Directory Data: About the Update Native Directory Utility; Installing the Update Native Directory Utility; Running the Update Native Directory Utility; Update Native Directory Utility Options; Update Native Directory Utility Log Files; Product-Specific Updates; Essbase; Planning; Financial Management; Reporting and Analysis; Strategic Finance

Chapter 10. Troubleshooting: Shared Services Log Files; Troubleshooting Tools and Utilities; CSSSpy; WebDAV Browser

Appendix A. Hyperion Product Roles: Shared Services Roles; Essbase Roles; Reporting and Analysis Roles; Financial Management Roles; Planning Roles; Business Rules Roles; Business Modeling Roles; Strategic Finance Roles; Transaction Manager Roles; Performance Scorecard Roles; Strategic Finance Roles; Data Integration Management Roles; Essbase Provider Services Roles

Appendix B. Shared Services Roles and Permitted Tasks

Appendix C. Essbase User Provisioning: Launching User Management Console from Essbase; Essbase Projects, Applications, and Databases in Shared Services; Essbase Users and Groups in Shared Services; Assigning Database Calculation and Filter Access; Setting Application Access Type; Synchronizing Security Information Between Shared Services and Essbase; Migrating Essbase Users to Shared Services Security; Backing Up Security Information

Appendix D. Reporting and Analysis User Provisioning: Launching User Management Console from Workspace; Reporting and Analysis Roles; Reporting and Analysis Role Hierarchy; Content Manager Branch; Scheduler Manager Branch; Sample Role Combinations

Appendix E. Financial Management User Provisioning: Assigning Users and Groups to Financial Management Applications; Assigning User Access to Security Classes; Setting Up E-mail Alerting; Process Management Alerting; Intercompany Transaction Alerting; Running Security Reports for Financial Management Applications; Migrating Financial Management Users to Shared Services Security

Appendix F. Planning User Provisioning: Launching User Management Console From Planning; Returning to Planning From User Management Console; Updating Users and Groups in Planning; Migrating User and Group Identities; Deprovisioning or Deleting Users and Groups; Updating Users With a Utility; Roles in Planning; Write Access to Data in Essbase; Roles Between Planning and Business Rules; Access Permissions Between Planning and Essbase; About Connection Types and Planning; Migrating Users to Shared Services

Appendix G. Business Rules User Provisioning: About Business Rules Security; Launching User Management Console; Business Rules User Roles; Migrating Business Rules Users to Shared Services Security

Appendix H. Performance Scorecard User Provisioning: Launching User Management Console from Performance Scorecard; Managing Permissions in Performance Scorecard; Creating and Provisioning Users and Groups over Shared Services; Access Permissions; Before You Begin; Creating a New User or Group Using Shared Services; Assign Performance Scorecard Properties Individually; Assign Bulk Properties in Performance Scorecard; Migrating Performance Scorecard Users and Groups to Shared Services Security

Appendix I. Business Modeling Roles and Tasks: Administrator; Builder; End User

Appendix J. Essbase Provider Services User Provisioning: Provisioning the Administrator Role in Shared Services; Migrating Analytic Provider Services Users to Shared Services

Appendix K. Data Integration Management User Provisioning: Authentication Methods; Data Integration Management User Roles

Glossary

Index
1 About Hyperion Security

In This Chapter
- Security Components
- User Authentication
- Provisioning (Role-Based Authorization)

Security Components

Hyperion application security comprises two distinct and complementary layers that control user access and permissions:
- "User Authentication" on page 11
- "Provisioning (Role-Based Authorization)" on page 14

User Authentication

User authentication enables single sign-on functionality across Hyperion products by validating the login information of each user to determine authenticated users. User authentication, along with product-specific authorization, grants the user access to Hyperion products. Authorization is granted through provisioning.

Single sign-on (SSO) is a session and user authentication process that permits a Hyperion product user to enter credentials only once at the beginning of a session to access multiple Hyperion products. SSO, which is requested at session initiation, eliminates the need to log in separately to each Hyperion product to which the user has access.

Authentication Components

These components are used to support SSO:
- "Security API" on page 12
- "Native Directory" on page 12
- "User Directories" on page 12
Security API

The Security Application Programming Interface (Security API) is the main interface to validate users and interpret user access to Hyperion products. It is a Java API that enables Hyperion products to authenticate users against user directories configured in Oracle's Hyperion Shared Services. It also allows integration with a security agent such as Netegrity SiteMinder, and retrieval of users and groups based on names and identities. Each Hyperion application implements the Security API to support user authentication.

Native Directory

Native Directory (OpenLDAP), an open source Lightweight Directory Access Protocol (LDAP)-enabled user directory, is bundled and configured with Shared Services. Native Directory functions:
- Used to maintain and manage the default Shared Services user accounts required by Hyperion products
- Is the central storage for all Hyperion provisioning information because it stores the relationships between users, groups, and roles.

Native Directory is accessed and managed using the User Management Console. Refer to Chapter 7, "Managing Native Directory" for more information on provisioning users.

User Directories

User directories refer to any corporate user and identity management system compatible with Shared Services. Hyperion products are supported on a large number of user directories. These include LDAP-enabled user directories, such as Sun Java System Directory Server (formerly SunONE Directory Server) and Microsoft Active Directory; Windows NT LAN Manager (NTLM); SAP Provider; and custom-built user directories that support LDAP version 3.

In addition to Native Directory, which is automatically configured for your environment, one or more user directories can be configured as the user information provider for Hyperion products. User directories used with Hyperion products must contain an account for each user who accesses Hyperion products. These users may be assigned to groups to facilitate provisioning.
User Authentication Scenarios
- "Single Sign-on Directly to Hyperion Products" on page 12
- "Single Sign-on from External Systems" on page 13

Single Sign-on Directly to Hyperion Products

Direct authentication connects Hyperion products to available user directories to verify the user name and password (credentials) entered on the Login screen.
1. Using a browser, users access the Hyperion product login screen. They enter user names and passwords. The Security API implemented on the Hyperion product queries the configured user directories (including Native Directory) to verify user credentials. A search order is used to establish the search sequence. On finding a matching user account in a user directory, the search is terminated and the user's information is returned to the Hyperion product. Access to Hyperion product is denied if a user account is not found in any of the user directories.
2. Using the retrieved user information, the Hyperion product queries Shared Services to obtain provisioning details for the user. Provisioning details are stored in Native Directory. On receiving provisioning information from Shared Services, the appropriate Hyperion product is made available to the user. At this point, SSO is enabled for all Hyperion products for which that user is provisioned. Access permissions within Hyperion products are determined by the provisioning information.

Single Sign-on from External Systems

Hyperion products can be configured to accept pre-authenticated users from external sources, such as Netegrity SiteMinder and SAP Enterprise Portal, to enable SSO. In this scenario, Hyperion products use the user information provided by a trusted external source to determine access permissions of users.

SSO with SAP is supported by accepting an SAP logon ticket. In this scenario, users defined in an SAP user directory can navigate between the SAP Portal and Hyperion products. If an SAP provider is configured, users can also directly log on to Hyperion products using the user ID and password stored in the SAP system. The SAP provider creates the SAP logon ticket to enable SSO with SAP systems.
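The search-order lookup described in step 1 of direct authentication can be modelled as follows. This is an added example, not code from the guide or from the Security API; the directory contents, logins and passwords are constructed, and the model assumes that a wrong password in the first matching directory is a denial rather than a reason to keep searching.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    identity: str   # who this login actually is in that directory
    password: str   # constructed placeholder; real directories verify by bind


@dataclass(frozen=True)
class Directory:
    name: str
    accounts: dict  # login name -> Account


def authenticate(search_order, login, password):
    """Return (directory name, identity) on success, None when access is denied."""
    for directory in search_order:
        account = directory.accounts.get(login)
        if account is None:
            continue  # not in this directory, try the next one in the order
        # The first matching account ends the search. Assumption of this model:
        # a wrong password here is a denial, not a reason to keep searching.
        if hmac.compare_digest(account.password.encode(), password.encode()):
            return directory.name, account.identity
        return None
    return None  # account not found in any configured directory


def find_collisions(search_order):
    """Map each login that exists in several directories to the ordered list of
    directory names holding it; the first name is the account that wins."""
    seen = {}
    for directory in search_order:
        for login in directory.accounts:
            seen.setdefault(login, []).append(directory.name)
    return {login: names for login, names in seen.items() if len(names) > 1}


# Constructed sample directories (hypothetical users).
NATIVE = Directory("Native Directory", {
    "admin": Account("Shared Services admin", "n-pw"),
})
MSAD = Directory("MSAD", {
    "jsmith": Account("John Smith (employee)", "m-pw"),
    "mlee": Account("Mia Lee (employee)", "l-pw"),
})
SAP = Directory("SAP", {
    "jsmith": Account("Jane Smithson (contractor)", "s-pw"),
})
ORDER = [NATIVE, MSAD, SAP]

if __name__ == "__main__":
    print(authenticate(ORDER, "jsmith", "m-pw"))   # resolved in MSAD
    print(authenticate(ORDER, "jsmith", "s-pw"))   # SAP account is shadowed
    print(find_collisions(ORDER))                  # logins to review
```

Any login reported by `find_collisions` resolves to a different person when the search order changes, which is worth reviewing before reordering directories.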
1. Using a browser, users access the login screen of a web identity management solution (for example, SiteMinder) or SAP Enterprise Portal. They enter user names and passwords, which are validated against configured user directories to verify user authenticity. Hyperion products are also configured to work with these user directories. When users navigate to a Hyperion product, information about the authenticated user is passed to Hyperion product, which accepts the information as valid. If the user logged on to SAP Portal, an SAP logon ticket is passed to Hyperion product. The Security API implemented on Hyperion product decrypts the SAP logon ticket using a specified SAP certificate. If the user logged on to a web identity management solution, a custom HYPLOGIN HTTP header is passed to Hyperion product.
2. To verify user credentials, Hyperion product tries to locate the user in one of the user directories based on the search order. If a matching user account is found, user information is returned to Hyperion product.
3. Using the retrieved user information, Hyperion product queries Shared Services to obtain provisioning details for the user. On receiving user provisioning information from Shared Services, the Hyperion product is made available to the user. SSO is then enabled for all Hyperion products for which that user is provisioned.

Provisioning (Role-Based Authorization)

Hyperion application security determines user access to products using the concept of roles. A role is a set of permissions that determines user access to product functions. Each Hyperion product provides several default roles tailored to suit various business needs.

Predefined roles from each Hyperion application registered with Shared Services are available from User Management Console. These roles are used for provisioning. You may also create additional roles that aggregate the default roles to suit specific requirements. The process of granting users and groups specific access permissions to Hyperion resources is called provisioning.

Native Directory and configured user directories are sources for user and group information for the provisioning (authorization) process. You can browse and provision users and groups from all configured user directories from User Management Console. Provisioning data is stored in Native Directory. You can also use application-specific aggregated roles created in Native Directory in the provisioning process.

This illustration depicts a broad overview of the authorization process:
1. After a user is authenticated, Hyperion product queries the user directories to determine the user's groups.
2. Hyperion product uses the group and user information to retrieve the user's provisioning data from Shared Services. The product uses this data to determine resources that a user can access.

Product-specific provisioning tasks, such as setting product-specific access control, are completed from each product. This data is combined with provisioning data to determine the product access for users.

Role-based provisioning of Hyperion products uses these concepts.

Roles

A role is a construct (similar to access control list) that defines the access permissions granted to users and groups to perform functions on Hyperion resources. It is a combination of resource or resource types (what users can access; for example, a report) and actions that users can perform on the resource (for example, view and edit).

Access to Hyperion application resources is restricted; users can access them only after a role that provides access is assigned to the user or to the group to which the user belongs. Access restrictions based on roles enable administrators to control and manage application access.
Global Roles

Global roles are Shared Services roles that enable users to perform certain tasks within the User Management Console. See Appendix B, "Shared Services Roles and Permitted Tasks" for a complete list of Shared Services global roles.

Administrator

The Administrator role provides control over all products that integrate with Shared Services. It enables more control over security than any other Hyperion product roles and should therefore be assigned sparingly. Administrators can perform all administrative tasks in User Management Console and can provision themselves. This role grants broad access to all applications registered with Shared Services.

The Administrator role is, by default, assigned to the admin Native Directory user, which is the only user available after you deploy Shared Services. This user account is initially used to create accounts for other administrators. For example, the Shared Services Administrator assigns other administrative users either the Directory Manager or Provisioning Manager role (a product-specific role assigned for individual applications). In turn, these users manage general user access to applications.

Directory Manager

Users who are assigned the Directory Manager role can create and manage users and groups within Native Directory. Do not assign to Directory Managers the Provisioning Manager role because combining these roles allows Directory Managers to provision themselves. If a user is assigned the Provisioning Manager role for an Oracle's Hyperion Essbase System 9 application as well as the Directory Manager role, this user can create a new user, assign the user any role within the Essbase application, and log in as the new user, thereby granting personal access to the Essbase application. The recommended practice is to grant one user the Directory Manager role and another user the Provisioning Manager role.

Project Manager

Users who are assigned the Project Manager role can create and manage projects within Shared Services.
LCM Manager

Users who are assigned the LCM Manager role can execute the Artifact Life Cycle Management Utility to promote artifacts and data across product environments and operating systems.
Predefined Roles

Predefined roles are built-in roles in Hyperion products. You cannot delete these roles from the product. Predefined roles are registered with Shared Services during the application registration process.

Aggregated Roles

Aggregated roles are custom roles that aggregate multiple product roles within a Hyperion product. An aggregated role consists of multiple roles, including other aggregated roles. For example, a Shared Services Administrator or Provisioning Manager can create a role for Planning that combines the Planner and View User roles into an aggregated role. Aggregating roles can simplify the administration of products that have a large number of granular roles.

You cannot create an aggregated role that spans products, and you cannot include global Shared Services roles in aggregated roles. Aggregated roles are also known as custom roles.

Users

User directories store information about the users who can access Hyperion products. Both the authentication and the authorization processes utilize user information. You can only create and manage Native Directory users from User Management Console.

Users from all configured user directories are visible from User Management Console. These users can be individually provisioned to grant access rights on the Hyperion products registered with Shared Services. Hyperion does not recommend the provisioning of individual users.

Groups

Groups are containers for users or other groups. You can create and manage Native Directory groups from User Management Console. Groups from all configured user directories are displayed in User Management Console. You can provision these groups to grant permissions for Hyperion products registered with Shared Services.
2 Setting Up Authentication

In This Chapter
- Setting Up Direct Authentication to Hyperion Products
- Setting Up SSO with SAP Enterprise Portal
- Setting Up SSO from SiteMinder
- Using NTLM to Support SSO

Setting Up Direct Authentication to Hyperion Products

The security environment of Hyperion products comprises two complementary layers: authentication and authorization. Setting up Hyperion security to authenticate users directly involves several broad procedures. See details in later sections.
- "Creating Users on the User Directory" on page 19
- "Creating Groups" on page 20
- "Migrating Users and Groups to Shared Services Security" on page 20
- "Installing and Deploying Shared Services" on page 20
- "Identifying User Directories to Shared Services" on page 20

Creating Users on the User Directory

The security environment of Hyperion products requires that user credentials be checked against a user directory as a part of the authentication process. This requirement mandates that each Hyperion application user have an account on the user directory. A unique user identifier (typically the user name) defined on the user directory is the foundation on which Hyperion application security is built.

In most deployment scenarios, existing user directories (with user accounts) are used to support user authentication. For information on creating user accounts, see vendor documentation. See "Creating Users" on page 81 for information on creating Native Directory users.
Creating Groups

User accounts on user directories can be granted membership to groups based on common characteristics such as the user function and geographical location. For example, users can be categorized into groups such as Staff, Managers, Sales, and Western_Sales based on their function within the organization. A user can belong to one or more groups on the user directory, which is an important consideration in facilitating the provisioning process.

The procedures to create groups and assign group membership vary depending on the user directory being used. For information on creating groups and assigning group membership, see vendor documentation. See "Managing Native Directory Groups" on page 84 for information on creating Native Directory groups.

Migrating Users and Groups to Shared Services Security

If you are upgrading Hyperion products from a release that did not support provisioning, you must migrate users and groups from the products to Shared Services. You can migrate users who were authenticated through native product security or through an external directory in that release.

Each product has a migration tool that enables you to migrate user, group, and role information from Hyperion products to Shared Services. For migration information, see the appropriate product appendix at the end of this guide. After migrating users, you can provision users or groups as needed. See Chapter 8, "Managing Provisioning" for details.

Installing and Deploying Shared Services

See Hyperion Shared Services Installation Guide for information about installing Shared Services and deploying it to an appropriate application server.

Identifying User Directories to Shared Services

The Shared Services installation and deployment process sets up and configures Native Directory as the default user directory for Hyperion products. Each additional user directory that you use to support user authentication and SSO must be configured separately using User Management Console.
During the user directory configuration process, you assign the search order for each user directory. This order determines the sequence in which the authentication process searches within configured user directories to locate the user account that matches the user login credentials. By default, Hyperion application security is configured to terminate the search process when a matching user account is found. If you are using multiple user directories, Hyperion recommends that user accounts be normalized across user directories.

Information on configuring user directories:
- "Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User Directories"
- "Configuring an SAP Provider" on page 46
- "Configuring an NTLM User Directory" on page 49

Setting Up SSO with SAP Enterprise Portal

Hyperion products handle SSO to SAP Enterprise Portal by issuing an SAP logon ticket. This action enables users who log in to Hyperion products to navigate seamlessly to SAP applications. The illustrated concept:
1. When a user logs in to Hyperion products, the Security API implemented on the product authenticates the user against configured user directories, including Native Directory. Hyperion product issues a Hyperion logon token, which enables SSO to Hyperion products. The Hyperion logon token contains an SAP logon ticket.
   Note: For SSO with SAP to work, you must configure SAP as a valid provider on Shared Services.
2. When the user subsequently navigates to the SAP system or uses an SAP data source, the SAP logon ticket contained in the Hyperion token is passed to SAP to enable SSO. At this point, the SAP system assumes the responsibility to validate the credentials in the SAP logon ticket.

Hyperion products handle SSO from SAP Enterprise Portal by accepting an SAP logon ticket. This action enables users who log in to SAP Enterprise Portal to navigate seamlessly between SAP and Hyperion products. The illustrated concept:
1. When a user logs in to SAP Enterprise Portal, SAP authenticates the user against the SAP provider and issues an SAP logon ticket. SSO to SAP is enabled at this time.
2. The user navigates to a Hyperion product. The SAP logon ticket is passed to the Hyperion product, which decrypts the SAP logon ticket using a SAP certificate stored on the Shared Services server machine to retrieve the user name.
3. Accepting the user name, retrieved from the SAP ticket, as valid, the Hyperion product queries user directories to determine the user's groups. The SAP provider must be configured as a user directory in Shared Services for this process to work.
4. Using the group information, Hyperion product gets the provisioning information for the user from Shared Services.

Assumptions in both scenarios:
- If using a non-SAP corporate directory, the corporate user directory used by SAP Enterprise Portal is supported by Shared Services. See Hyperion Installation Start Here for a list of supported user directories.
- User accounts and groups are already defined on the corporate user directory.
- The corporate user directories are configured to work with Shared Services.
- Users and groups are provisioned to access Hyperion products.

Nested SAP Groups

After configuring an SAP user directory, available SAP users and groups are displayed in User Management Console. Shared Services considers the SAP roles to be the equivalents of groups created by any corporate directory server. Each role from the SAP user directory is displayed as a distinct group in User Management Console. Shared Services, however, does not retrieve the relationships that exist between simple and composite roles within the SAP user directory.

If needed, nested groups can be created in Native Directory to mimic the relationship that existed between the simple and composite roles in the SAP user directory.
23 Inheritance Poicy for Nested Groups If you use nested groups from Native Directory to mimic nested SAP groups for provisioning, the component groups inherit the roes assigned to the nested group. The iustrated concept: In addition to the roes assigned directy to it, each component roe (for exampe, Group2) inherits a the roes assigned to the nested group (Roe8 and Roe9 in the iustration). For exampe, the roe assignment of Group1 in the iustration is Roe1, Roe8, and Roe9. The nested group does not inherit the groups assigned to component groups. Depoyment Locations Depoyment ocation conventions: <Hyperion_Home> denotes the root directory where Hyperion products are instaed. The ocation of this directory is specified during the instaation process. For exampe: C:\Hyperion (Windows) /vo1/hyperion (UNIX) <HSS_Home> denotes the Shared Services root directory. For exampe: C:\Hyperion\depoyments\<App_Server_Name>\SharedServices9 (Windows) /vo1/hyperion/depoyments/<app_server_name>/sharedservices9 (UNIX) Prerequisites A SAP systems within the SAP andscape must be set up for singe sign-on with the SAP ogin ticket. User names must be normaized across the SAP andscape so that a user name in one SAP system refers to the same user across a SAP systems. See the SAP documentation for more information. Copy or downoad the SAP JCo binaries (.d fies for Windows and shared ibraries for UNIX) into <Hyperion_Home>/common/SAP/bin directory. For exampe: /vo1/hyperion/common/sap/bin(unix) C:\Hyperion\common\SAP\bin (Windows). These binaries are avaiabe in your SAP distribution. Registered SAP users may aso downoad them from the SAP Web site Setting Up SSO with SAP Enterprise Porta 23
24
- Copy or download the SAP JCo archives (.jar files) into <Hyperion_Home>/common/SAP/lib directory. For example:
  /vol1/hyperion/common/sap/lib (UNIX)
  C:\Hyperion\common\SAP\lib (Windows)
  These binaries are available in your SAP distribution. Registered SAP users may also download them from the SAP Web site
- Copy or download the following SAP libraries into <Hyperion_Home>/common/SAP/lib directory. For example:
  /vol1/hyperion/common/sap/lib (UNIX)
  C:\Hyperion\common\SAP\lib (Windows)
  These libraries are required to verify the SAP SSO logon ticket provided to Hyperion products. You can extract these libraries from the file system of any SAP J2EE Engine 6.30 or later release. Or extract them from Enterprise Portal EP60 SP2 or later by searching through the SDA files containing libraries. This step is required only if Hyperion products are plugged into SAP Enterprise Portal.
    com.sap.security.core.jar
    com.sap.security.api.jar
    sapjco.jar
    sap.logging.jar
    iaik_jce.jar
    iaik_jce_export.jar (if using the export version of the IAIK-JCE libraries)
- Expand the contents of each of the SAP jar files by running the explodejar.bat (Windows) or explodejar.sh (UNIX) file available in the <Hyperion_Home>/common/SAP/lib directory.
- Using User Management Console, configure the SAP provider for Shared Services. See Configuring an SAP Provider on page 46 for detailed information.
- If you are providing SSO to Hyperion products from SAP Enterprise Portal, install the SAP Digital Certificate (SAP X509 certificate) in a convenient location. Hyperion recommends that this certificate be installed in the following directory where the CSS.xml file is stored: <HSS_Home>/config. For example:
  C:\Hyperion\deployments\WebLogic9\SharedServices9\config (Windows)
  /vol1/hyperion/deployments/weblogic9/sharedservices9/config (UNIX)
- Using User Management Console, provision SAP users and groups to provide them appropriate access rights to Hyperion products. See Chapter 8, Managing Provisioning for detailed information.
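The inheritance policy for nested groups described earlier in this section can be checked mechanically when reviewing who ends up with which role. The Python below is an added example, not part of the guide or of Shared Services; Group1, Group2, Role1, Role8 and Role9 come from the illustration as the text describes it, while NestedGroup, Role2, RegionGroup, Role20 and the handling of more than one nesting level are assumptions made for the example.

```python
from collections import defaultdict


def effective_roles(direct_roles, components):
    """Return {group: set of roles} after applying the nested-group policy.

    direct_roles: {group: roles provisioned directly to that group}
    components:   {nested group: [component groups it contains]}
    Roles flow from a nested group down to its component groups, never upward.
    """
    containers = defaultdict(set)  # component group -> nested groups that hold it
    for nested, members in components.items():
        for member in members:
            containers[member].add(nested)

    def resolve(group, path):
        if group in path:  # membership loop: stop instead of recursing forever
            return set()
        roles = set(direct_roles.get(group, ()))
        for nested in containers.get(group, ()):
            roles |= resolve(nested, path | {group})
        return roles

    groups = set(direct_roles) | set(components) | set(containers)
    return {group: resolve(group, frozenset()) for group in groups}


def inherited_only(direct_roles, components):
    """Roles a group holds purely through nesting (not visible on the group itself)."""
    result = {}
    for group, roles in effective_roles(direct_roles, components).items():
        extra = roles - set(direct_roles.get(group, ()))
        if extra:
            result[group] = extra
    return result


# Constructed data modelled on the illustration described in the text.
# NestedGroup and Role2 are hypothetical names.
ILLUSTRATION_ROLES = {
    "Group1": {"Role1"},
    "Group2": {"Role2"},
    "NestedGroup": {"Role8", "Role9"},
}
ILLUSTRATION_NESTING = {"NestedGroup": ["Group1", "Group2"]}

# Assumption beyond the text: a second nesting level (RegionGroup, Role20).
TWO_LEVEL_ROLES = dict(ILLUSTRATION_ROLES, RegionGroup={"Role20"})
TWO_LEVEL_NESTING = dict(ILLUSTRATION_NESTING, RegionGroup=["NestedGroup"])

if __name__ == "__main__":
    for name, roles in sorted(effective_roles(ILLUSTRATION_ROLES, ILLUSTRATION_NESTING).items()):
        print(name, sorted(roles))
    print("inherited only:", inherited_only(ILLUSTRATION_ROLES, ILLUSTRATION_NESTING))
```

The inherited_only() output is the part worth reviewing before provisioning a role to a nested group, because every component group receives it.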
25
Setting Up SSO from SiteMinder
Hyperion products can be integrated with Web access management solutions such as Netegrity SiteMinder to provide SSO to Hyperion products. Where SSO from SiteMinder is accepted, Hyperion products trust the authentication information sent by SiteMinder regarding the protected resources on the user directory. The illustrated concept:
1. When a user logs in to SiteMinder to access Hyperion products, SiteMinder presents a login screen. SiteMinder forwards the user credentials to the SiteMinder Policy Server, which authenticates users against configured user directories.
2. If the user is authenticated, the SiteMinder Policy Server grants access to Hyperion products and passes a SiteMinder token that has HYPLOGIN HTTP header appended to it. HYPLOGIN is configured to SM_USERLOGINNAME parameter in SiteMinder.
   Note: In SiteMinder Version 6, configure HYPLOGIN to use SMUSER parameter.
   HYPLOGIN is a header that you must create to support SiteMinder integration with Hyperion products. See SiteMinder documentation for information on configuring HYPLOGIN HTTP header to carry the user name of the authenticated user.
3. The Security API implemented on the Hyperion product parses the HYPLOGIN HTTP header and validates the user against the user directories configured on Shared Services.
4. Hyperion product checks Shared Services for the user's provisioning information. Based on the provisioning information, the Hyperion product provides access to the user.

To enable SSO, SiteMinder and Shared Services must be configured to use the same set of user directories. Also, the user directories configured in Shared Services must be set up to support security agent for single sign on. See Setting Global Parameters on page 56 for details.
The SiteMinder enabled SSO, general overview:
26
The following SiteMinder security agents are tested and supported for SSO with Hyperion products:
- SiteMinder Policy Server 5.5 SP 2
- SiteMinder Web Agent 5.5 SP 2

Note: The corporate user directories configured with Shared Services must be trusted when SSO from SiteMinder is enabled. This is because Shared Services does not store a password in the token when a security agent is used.

Special Considerations
- SiteMinder is a Web only solution. Desktop applications and their addins (for example, Microsoft Excel and Report Designer) cannot use authentication through SiteMinder.
- Hyperion products are supported only on NTLM and LDAP-enabled user directories (including MSAD).

Configuring the SiteMinder Policy Server
A SiteMinder administrator must configure the policy server to enable SSO to Hyperion products.
27
The configuration process:
- Setting up protection for the Web resources of Hyperion products.
- Configuring a response that adds a custom HTTP header to make the user login name available to Hyperion applications. The header must include the parameter HYPLOGIN and must contain the login name of the authenticated user.

See the Responses and Response Groups topic in the Netegrity Policy Design Guide for detailed information.
For example, if you use cn from an LDAP enabled user directory as the login name attribute in the configuration file, the HYPLOGIN parameter should carry the value of the cn attribute, which is the login name of the authenticated user.
SiteMinder administrators can also configure the header to SM_USERLOGINNAME (SMUSER for SiteMinder version 6), the user name specified by the user during logon.

Configuring the SiteMinder Web Agent
The Web agent is installed on a Web server that intercepts requests for Hyperion application Web resources, such as JSPs, ASPs, and HTML files on the application server. If these Web resources are protected, the Web agent issues a challenge to unauthenticated users. When a user is authenticated, the policy server adds HYPLOGIN, which carries the login name of the authenticated user. Thereafter, the HTTP request is passed on to the Web resources of the Hyperion application, and the login name is extracted from headers.
SiteMinder supports SSO across Hyperion products running on heterogeneous Web server platforms. If Hyperion products use different Web servers, you must ensure that the SiteMinder cookie can be passed among Web servers within the same domain. You do this by specifying the appropriate Hyperion application domain as the value of the Cookiedomain property in the WebAgent.conf file of each Web server. See the Configuring Web Agents chapter in the Netegrity SiteMinder Agent Guide.
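Because the Hyperion application takes the login name from the HYPLOGIN header and no password accompanies it, the header is only meaningful on requests that arrived through the Web server running the Web agent. The Python below is an added example, not part of the guide or of any SiteMinder or Hyperion tooling: it reviews request records captured at the application server and reports HYPLOGIN headers that arrived by another path or in an unusable form. The record layout (peer, headers), the addresses and the web-tier network are constructed assumptions.

```python
import ipaddress

HEADER = "hyplogin"  # HTTP header names are case-insensitive

OUTSIDE = "HYPLOGIN from peer outside the web tier"
MULTIPLE = "more than one HYPLOGIN value"
EMPTY = "empty HYPLOGIN value"


def audit_requests(records, web_tier_networks):
    """Return [(record index, reason)] for requests whose HYPLOGIN cannot be relied on.

    records:           iterable of {"peer": address, "headers": [(name, value), ...]}
    web_tier_networks: CIDR strings for the Web servers that run the Web agent
    """
    networks = [ipaddress.ip_network(n) for n in web_tier_networks]
    findings = []
    for index, record in enumerate(records):
        values = [v for name, v in record["headers"] if name.lower() == HEADER]
        if not values:
            continue  # no identity asserted on this request; nothing to check here
        peer = ipaddress.ip_address(record["peer"])
        if not any(peer in network for network in networks):
            findings.append((index, OUTSIDE))
        if len(values) > 1:
            findings.append((index, MULTIPLE))
        if any(not v.strip() for v in values):
            findings.append((index, EMPTY))
    return findings


# Constructed sample records (documentation address ranges, hypothetical users).
WEB_TIER = ["192.0.2.0/28"]
SAMPLE_RECORDS = [
    {"peer": "192.0.2.10", "headers": [("Host", "hyperion.example.com"), ("HYPLOGIN", "jdoe")]},
    {"peer": "198.51.100.7", "headers": [("hyplogin", "jdoe")]},
    {"peer": "192.0.2.11", "headers": [("HYPLOGIN", "jdoe"), ("HYPLOGIN", "asmith")]},
    {"peer": "192.0.2.10", "headers": [("HYPLOGIN", "  ")]},
    {"peer": "192.0.2.10", "headers": [("Host", "hyperion.example.com")]},
]

if __name__ == "__main__":
    for index, reason in audit_requests(SAMPLE_RECORDS, WEB_TIER):
        print(f"record {index}: {reason}")
```

Any finding of the first kind indicates that the application server is reachable without passing through the Web agent, which is a network or listener configuration matter to correct rather than something the header itself can fix.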
Note: Because Shared Services uses basic authentication to protect its content, the Web server that intercepts requests to Shared Services should enable basic authentication to support SSO with SiteMinder.

Enabling SiteMinder Authentication in Shared Services
Integration with SiteMinder requires that you enable SiteMinder Authentication in Shared Services. This can be done from User Management Console or by editing the CSS.xml file. This file is located in <HSS_Home>/config. For example:
C:\Hyperion\deployments\WebLogic9\SharedServices9\config (Windows)
/vol1/hyperion/deployments/weblogic9/sharedservices9/config (UNIX)

To enable SiteMinder authentication:
1 In Shared Services, configure the user directories that SiteMinder uses to authenticate users. See the following topics:
28
  - Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User Directories on page 40
  - Configuring an NTLM User Directory on page 49
2 Select the Support for Security Agent for Single Sign-on check box to specify that the user directories are used to support SSO from security agents such as SiteMinder. See Setting Global Parameters on page 56.

Other Procedures
You must perform these tasks, if not already completed:
- Using User Management Console, configure the corporate directories used by SiteMinder. See Chapter 4, Configuring User Directories.
- Using User Management Console, provision the users and groups to grant appropriate access to Hyperion products. See Chapter 8, Managing Provisioning.

Using NTLM to Support SSO
Shared Services allows you to configure Windows NT LAN Manager (NTLM) as a user directory to support SSO. Refer to Configuring an NTLM User Directory on page 49 for information on configuring the NTLM user directory.
Under these conditions, you must perform prerequisite steps to support SSO using NTLM:
- NTLM user directory is to be used to authenticate and provision users where Shared Services and Hyperion products are running in a UNIX environment. In this scenario, Hyperion Remote Authentication Module must be deployed on the Windows domain that contains the user accounts.
- Shared Services and Hyperion products are running in a Windows environment, but users are in Windows NTLM domains that are not trusted on the domain where the Shared Services host machine is installed. The prerequisite for this scenario is that you deploy Hyperion Remote Authentication Module on each domain that is not trusted by the domain where Shared Services host machine is installed.

Do not implement Hyperion Remote Authentication Module if all users belong to the NTLM domain where the Shared Services host machine is installed or if a trust relationship is established between the domain where the Shared Services host machine is installed and the NTLM domains to which users belong.
NTLM with UNIX Application Environments
The following illustration depicts how the Hyperion Remote Authentication Module enables communication between NTLM and Shared Services running in a UNIX environment.
29
The Shared Services configuration file (CSS.xml) resides on the application server, as do the Hyperion application binaries. For NTLM connectivity, you also need NTLM support library file (css-9_3_0.dll) on the machine that hosts Hyperion Remote Authentication Module in the NTLM domain.
The NTLM Primary Domain Controller and the Hyperion Remote Authentication Module can be on a Windows 2000 or Windows 2003 server. Hyperion does not recommend, however, that you combine the Hyperion Remote Authentication Module with the NTLM Primary Domain Controller on the same server. The Hyperion Remote Authentication Module host machine needs to be in the same domain as the NTLM Primary Domain Controller.

Support for Multiple NTLM Domains
Hyperion Remote Authentication Module enables a Hyperion product to authenticate users belonging to other NTLM domains that are not trusted by the domain on which Shared Services is installed. The following illustration depicts how users spread across multiple NTLM domains can be given access to Hyperion products deployed in a Windows environment:
30
Without the Hyperion Remote Authentication Module, the only way to use multiple NTLM domains for Hyperion products is to establish trust relationships between the Shared Services host machine's domain and the NTLM domains where user accounts are available.
31
Each NTLM domain is configured separately on Shared Services as a user provider. See Configuring an NTLM User Directory on page 49 for detailed procedures.
33
3 User Management Console

In This Chapter
Launching User Management Console ... 33
Overview of User Management Console ... 34
Navigating in User Management Console ... 34
Searching for Users, Groups, Roles, and Delegated Lists ... 34

Launching User Management Console
Launch User Management Console using one of the following methods:
- Using a browser and connecting to the User Management Console URL
- On Windows, navigating Start > All Programs > Hyperion > Foundation Services > User Management Console
- From a Hyperion product interface

To launch User Management Console by connecting to a URL:
1 Using a browser, access the following URL:
  In the URL, <server_name> indicates the name of the computer where the application server that hosts Shared Services is running and <port_number> indicates the server port that Shared Services is using; for example,
  Note: Pop-up blockers may prevent User Management Console from opening.
2 On the Logon screen, type your user name and password. Initially, the only user who can access User Management Console is admin (default password for admin is password).
3 Click Log On.
  Note: Valid SAP users may get a CSSAuthenticationException error message during log on if the SAP account is locked. Contact your SAP Administrator to unlock the account.
34
If you receive Java Virtual Machine (JVM) errors in User Management Console while using Microsoft Internet Explorer, ensure that your Internet Explorer installation includes Microsoft XML parser (MSXML) version 4. MSXML is bundled with Internet Explorer 6.0. To verify that you have the correct MSXML, check that the following file exists:
c:\winnt\system32\msxml4.dll
If this file is missing, install Internet Explorer 6.0 or later.

Overview of User Management Console
User Management Console comprises an Object Palette and task tabs. When you log in for the first time, the User Management Console displays the Object Palette and a Browse tab.
The Object Palette is a navigation frame where you can choose objects (such as user directories, users, groups, projects, and applications). Typically, the details of your current selection in the Object Palette are displayed in the Browse tab. Additional task tabs open as needed depending on the task that you perform; for example, a Report tab when you generate a report, or a Configure tab when you configure a user directory.
Depending on the current configuration, User Management Console lists your existing objects (user directories, projects, and unassigned applications) on the Object Palette. You can expand these object listings to view details. For example, you may expand the User Directories object to view a list of all currently configured user directories. You may also search configured user directories for users and groups.
A context-sensitive menu, accessible by right-clicking an object, is associated with some objects on the Object Palette.

Navigating in User Management Console
When performing actions on objects in the Object Palette, you can right-click an object to access a context-sensitive menu. These menu options change dynamically, depending on what you select. The commands displayed on the right-click menu are also available on a menu from the menu bar. Buttons representing currently enabled menu options are displayed on the toolbar.
Note: Because Native Directory is administered from User Management Console, some menu options available in the context-sensitive menu for Native Directory are not available for other user directories.

Searching for Users, Groups, Roles, and Delegated Lists
User Management Console enables searching for users and groups from configured user directories and for application roles registered with Native Directory.
35
When searching for users in Native Directory, you can search for all users, active users, or inactive users.
Search boxes that are displayed on the Browse tab reflect the search context based on the selection in the Object Palette.

To search for users, groups, roles or delegated lists:
1 In the Object Palette, expand User Directories.
2 Expand the user directory to search. Roles are available only in Native Directory.
3 To search for users:
  a. Right-click Users.
  b. Select a search context (All, Active, or Inactive). Appropriate search boxes are displayed on the Browse tab.
     Note: You can select a search context only if you are searching within Native Directory.
  c. Enter the search string and click Search. Use an asterisk (*) as the wildcard in pattern searches. Alternatively, click Show All to list all users. A list of users is displayed on the Browse tab.
4 To search for groups or roles:
  a. Select Groups or Roles. Appropriate search boxes are displayed on the Browse tab.
     Note: Shared Services considers Oracle and SQL Server roles as the equivalents of groups in user directories. Oracle roles can contain other roles creating a hierarchy of roles. Shared Services does not display the relationships between database roles in the search results but honors them during the provisioning process. SQL Server roles cannot be nested. Because DB2 does not support roles, Shared Services does not display groups if you select a DB2 database provider.
  b. For Name, type the Search string and click Search. Use an asterisk (*) as the wildcard in pattern searches. Alternatively, click Show All to list all groups or roles. A list of groups or roles is displayed on the Browse tab.
5 To search for delegated lists:
  a. Select Delegated Lists. Appropriate search boxes are displayed on the Browse tab.
  b. For List Name, type the Search string and click Search. Use an asterisk (*) as the wildcard in pattern searches. Alternatively, click Show All to list all lists. A list of matching delegated lists is displayed on the Browse tab.
37
4 Configuring User Directories

In This Chapter
Operations Related to User Directory Configuration ... 37
Using the Unique Identity Attribute to Handle Inter-OU Moves in LDAP-Enabled User Directories ... 38
Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User Directories ... 40
Configuring an SAP Provider ... 46
Configuring an NTLM User Directory ... 49
Configuring Relational Databases as User Directories ... 50
Testing User Directory Connections ... 52
Editing User Directory Settings ... 53
Deleting User Directory Configurations ... 54
Managing User Directory Search Order ... 54
Setting Global Parameters ... 56
Overriding Cache Refresh Interval for MSAD and other LDAP-Enabled User Directories ... 57
Setting Timeout to Resolve SAP Keystore File ... 58
Connection Pooling ... 58
Using Special Characters ... 61

Operations Related to User Directory Configuration
Native Directory is configured automatically when you install and deploy Shared Services. You can configure external user directories to support SSO and authorization.
From User Management Console, you can perform several tasks related to configuring and managing user directories. These topics provide instructions:
- Configuring user directories
  - Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User Directories on page 40
  - Configuring an SAP Provider on page 46
  - Configuring an NTLM User Directory on page 49
  - Configuring Relational Databases as User Directories on page 50
- Testing User Directory Connections on page 52
- Editing User Directory Settings on page 53
38
- Deleting User Directory Configurations on page 54
- Managing User Directory Search Order on page 54
- Setting Global Parameters on page 56

Using the Unique Identity Attribute to Handle Inter-OU Moves in LDAP-Enabled User Directories
Native Directory, the default user directory for Hyperion products, maintains a link to provisioned users and groups defined in external user directories. When the following actions take place in an LDAP-based user directory including MSAD, these links are broken, creating stale data in Native Directory and causing loss of access to Hyperion applications.
- Users and groups are moved across Organizational Units (OU).
- Multiple users or groups are assigned identical common name (CN).
- CN of provisioned users or groups are modified.

Shared Services resolves this issue by using a unique identity attribute that identifies user directory users and groups without reference to the location of their accounts.

Caution! Before migrating to the unique identity attribute, you must clean the stale data, if any, in Native Directory by running the Update Native Directory Utility. See Chapter 9, Using the Update Native Directory Utility to Clean Stale Native Directory Data for detailed information.

Support for inter-OU moves can be implemented while you configure LDAP-enabled user directories (see Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User Directories on page 40).

Planning the Migration to the Unique Identity Attribute
You must migrate users and groups to the new unique identity attribute only if you face any of the following scenarios in your MSAD or other LDAP-based user directories, which create broken links and stale data in Native Directory.
- You moved users and groups across OUs.
- You have multiple users or groups with identical CN.
- You modified the CN of users or groups.

Because migrating to the new unique identity attribute affects all Hyperion products, plan the migration to minimize application downtime.
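To see why links keyed on the DN break while links keyed on a unique identity attribute survive, the added Python example below (not part of the guide or of Shared Services) compares the two after an inter-OU move and a CN change, and also applies the rule from this chapter that every directory of the same type must stop using DN before migration proceeds. The entries, GUID values, directory names and the simplified DN normalization are constructed assumptions.

```python
def normalize_dn(dn):
    """Lower-case a DN and trim spaces around separators (simplified, not full RFC 4514)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def identity(entry, id_attr):
    """Value stored as the link to an external account for the chosen identity attribute."""
    value = entry[id_attr]
    return normalize_dn(value) if id_attr == "dn" else value


def snapshot(entries, id_attr):
    """Identities recorded for provisioned accounts at provisioning time (simplified model)."""
    return {identity(entry, id_attr) for entry in entries}


def stale_links(provisioned_ids, entries, id_attr):
    """Provisioned identities that no longer resolve to any entry in the user directory."""
    live = {identity(entry, id_attr) for entry in entries}
    return sorted(i for i in provisioned_ids if i not in live)


def compare_identity_attributes(before, after, id_attrs=("dn", "ObjectGUID")):
    """For each candidate identity attribute, list the links broken by the directory changes."""
    return {attr: stale_links(snapshot(before, attr), after, attr) for attr in id_attrs}


def migration_blockers(configs):
    """Directory configurations still using DN, grouped by directory type."""
    blockers = {}
    for config in configs:
        if config["id_attr"].lower() == "dn":
            blockers.setdefault(config["type"], []).append(config["name"])
    return blockers


# Constructed directory state: jdoe is moved to another OU, asmith's CN is modified.
BEFORE = [
    {"dn": "CN=jdoe,OU=Sales,DC=example,DC=com", "ObjectGUID": "guid-0001"},
    {"dn": "CN=asmith,OU=Sales,DC=example,DC=com", "ObjectGUID": "guid-0002"},
    {"dn": "CN=western_region,OU=Groups,DC=example,DC=com", "ObjectGUID": "guid-0003"},
]
AFTER = [
    {"dn": "CN=jdoe,OU=Marketing,DC=example,DC=com", "ObjectGUID": "guid-0001"},
    {"dn": "CN=asmith-jones,OU=Sales,DC=example,DC=com", "ObjectGUID": "guid-0002"},
    {"dn": "CN=western_region,OU=Groups,DC=example,DC=com", "ObjectGUID": "guid-0003"},
]

# Constructed configuration list mirroring the three-MSAD scenario in this chapter.
CONFIGS = [
    {"name": "MSAD_1", "type": "MSAD", "id_attr": "ObjectGUID"},
    {"name": "MSAD_2", "type": "MSAD", "id_attr": "ObjectGUID"},
    {"name": "MSAD_3", "type": "MSAD", "id_attr": "DN"},
]

if __name__ == "__main__":
    print(compare_identity_attributes(BEFORE, AFTER))
    print(migration_blockers(CONFIGS))
```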
39
Back Up Native Directory and Hyperion Product Repositories
After migrating users and groups to use the new identity attribute, you cannot revert to the previously used identity attribute. Before starting the migration, create backups of Native Directory database and the Hyperion product databases that store user and group information.
- Native Directory repository
- Shared Services repository
- Essbase (security file)
- Oracle's Hyperion Planning System 9 repository
- Oracle's Hyperion Financial Management System 9 repository
- Oracle's Hyperion Reporting and Analysis System 9 repository

Migration Sequence
Before migrating to the unique identity attribute, run the Update Native Directory Utility if Native Directory contains stale data. See Chapter 9, Using the Update Native Directory Utility to Clean Stale Native Directory Data.
Begin by migrating Shared Services users and groups to the unique identity attribute. If you use Essbase and Planning, migrate Essbase users and groups, and then migrate Planning users and groups. You can migrate Financial Management and Reporting and Analysis users and groups anytime after migrating Shared Services users and groups. See Product-Specific Updates on page 128 for more information.

Behavior During Migration
After you migrate Shared Services users and groups to the unique identity attribute, Hyperion products stop working until the user and group information contained in product-specific repositories is updated to reflect the unique identity attribute.
Shared Services and Hyperion product migration to the unique identity attribute can take considerable time, depending on the number of users and groups involved. Because Hyperion products will not be available during this time, Hyperion recommends that you schedule in a way that minimizes downtime.

Important Considerations When Using the Unique Identity Attribute
The unique identity attribute can be set only for MSAD and other LDAP-enabled user directories.
For migration to work, all similar user directories configured on Shared Services must be migrated to the new unique identity attribute. All MSAD user directory configurations must be updated with the unique identity attribute before Shared Services can migrate MSAD users and groups to the new attribute. Similarly, the configuration of all LDAP-enabled user
40
directories other than MSAD (SunONE, IBM Directory Server, Novell eDirectory, and custom user directories) must be updated to the new identity attribute before Shared Services can migrate users and groups from these user directories to the new attribute.
For example, assume that three MSAD user directories are configured on Shared Services. Two are configured to use the new identity attribute ObjectGUID, and the third is configured to use the old identity attribute (DN). In this scenario, users and groups are not migrated until the third configuration also uses a unique attribute other than DN.
Reverse migration is not supported. After migrating to the new unique identity attribute, you cannot return to the previous identity attribute (DN). Hyperion recommends that you back up Native Directory database before migrating to the new unique identity attribute. If you return to DN as the identity attribute, you can restore data from the backup.
If your Release 9.2.x user directory configuration uses an attribute other than DN, you must upgrade to Shared Services Release
Do not migrate to the unique identity attribute by using the Update Native Directory Utility if you changed the attribute identified as loginattribute (using the Login field of the User Configuration screen or by editing CSS.xml). If you run the utility, provisioning data of the users whose accounts are defined on the user directory for which the loginattribute is changed is deleted from Native Directory. You cannot recover the deleted data; however, you can restore it from the latest backup.

Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User Directories
Use the procedures in this section to configure any LDAP-enabled corporate user directory, such as Oracle Internet Directory, MSAD, Sun Java System Directory Server, IBM Tivoli Directory Server, or a custom user directory.
Note: Existing Oracle Virtual Directories that are configured to use a database can be configured in Shared Services as external LDAP providers.

To configure Oracle Internet Directory, MSAD and other LDAP-enabled user directories:
1 Launch User Management Console, as explained in Launching User Management Console on page 33.
2 Select Administration > Configure User Directories. The Defined User Directories screen opens. This screen lists all user directories, including Native Directory, that are already configured.
3 Click Add.
4 In Directory Type, select an option:
  - Lightweight Directory Access Protocol (LDAP) to configure an LDAP-enabled user directory other than MSAD.
41
  - Microsoft Active Directory (MSAD) to configure MSAD.
5 Click Next. The Connection Information screen for the selected user directory type opens.
6 Enter the required parameters.

Table 1 Connection Information Screen
Label: Description
Directory Server: The user directory product you are using. Select Other if you are using an LDAP Version 2 (or later) product other than those listed. The ID Attribute value changes to the recommended unique identity attribute for the selected product. Note: To configure an existing Oracle Virtual Directory that is configured with an underlying database, choose Other. Example: Oracle Internet Directory
Name: A descriptive name for the user directory. Used to identify a specific user directory if multiple user directories are configured. Example: MY_OID
Host Name: Name of the server that hosts the user directory. Use the fully qualified domain name if the user directory is to be used to support SSO from SiteMinder. Example: MyServer
Port: The server port number where the user directory is running. Example: 389
42
Label: Description
Base DN: The distinguished name (DN) of the container in the user directory hierarchy where the search for users and groups should begin. You can also use the Fetch DNs button to list available Base DNs and then select the appropriate Base DN from the list. See Using Special Characters on page 61 for restrictions on the use of special characters. Hyperion recommends that you be as specific as possible while identifying the Base DN. Example: dc=example,dc=com
ID Attribute: The attribute that carries the identity of the user. The recommended value of this attribute, which must uniquely identify a user in the user directory, is automatically set for Oracle Internet Directory (orclguid), SunONE (nsuniqueid), IBM Directory Server (Ibm-entryUuid), Novell eDirectory (GUID), and MSAD (ObjectGUID). You may change the default value if necessary. See Important Considerations When Using the Unique Identity Attribute on page 39.
Maximum Size: Maximum number of results that a search can return. For LDAP-enabled user directories other than MSAD, leave this blank to retrieve all users and groups that meet the search criteria. The maximum size entered in this screen is constrained by the user directory settings. For MSAD, set this value to 0 to retrieve all users and groups that meet the search criteria.
SSL Enabled: The check box that enables the use of Secure Socket Layer (SSL) for communication with this user directory.
Anonymous Bind: The check box to indicate that Shared Services can bind anonymously to the user directory to search for users and groups. If this option is not selected, you must specify in the User DN an account with sufficient access permissions to search the directory where user information is stored. Oracle Internet Directory connections do not support anonymous binds. Note: Hyperion recommends that you do not bind anonymously with the user directory.
Trusted: The check box to indicate that this provider is a trusted source.
User credentials from trusted sources are not validated during SSO. If this option is not set, the user credentials are validated every time the user requests SSO to a different Hyperion product.
User DN: This box is disabled if the Anonymous bind option is selected. The user account that Shared Services should use to establish a connection with the user directory. Typically, for LDAP-enabled user directories other than MSAD, you use the Directory Manager account cn=directory Manager for this purpose. For MSAD, you use the Security Account Manager name (samaccountname). You may use other accounts that have sufficient access permissions to search the directory where user information is stored. Notice that this account must have proxy right to authenticate as a different user. Special characters are not allowed in the User DN value. See Using Special Characters on page 61 for restrictions on the use of special characters. Example: cn=directory Manager (user directories other than MSAD) samaccountname=pturner (MSAD)
Append Base DN: The check box for appending the base DN (the distinguished name of the node where the search for users and groups could begin) to the specified value. Do not append Base DN to the Directory Manager account.
43
Label: Description
(Append Base DN, continued): This check box is disabled if the Anonymous bind option is selected.
Password: Password of the account specified in the User DN box. This box is disabled if the Anonymous bind option is selected. Example: UserDNpassword

7 Click Next. The User Configuration screen for the selected user directory type opens. Shared Services uses the properties set in this screen to create a filter that is used to search for users in the user directory. Using this filter speeds the search.
  Hyperion recommends that you use the Auto Configure area of the screen to retrieve the required information.
  Note: Data entry in the User Configuration screen is optional. If you do not specify the settings for the filter, Shared Services searches the entire directory structure to locate users. This may have performance implications, especially if the user directory contains accounts for many users.
  Caution! If the user URL is not set for user directories that contain / (slash) or \ (backslash) in its node names, the search for users and groups fails. For example, any operation to list the user or group fails if the user URL is not specified for a user directory where users and groups exist in a node such as OU=child\ou,OU=parent/ou, or OU=child/ou,OU=parent\ou.
8 In the text box in the Auto Configure area, enter a unique user identifier. The user identifier must be expressed in the format <attribute>=<identifier>; for example, uid=jdoe. Attributes of the user are displayed in the User Configuration area.
44
  If you are configuring Oracle Internet Directory as a user directory, you cannot automatically configure the filter because the root DSE of Oracle Internet Directory does not contain entries in the Naming Contexts attribute. See Oracle documentation for detailed information.
  Note: You can manually enter required user attributes into text boxes in the User Configuration area.

Table 2 User Configuration Screen
Label: Description
User RDN: The Relative DN of the user. Each component of a DN is called an RDN and represents a branch in the directory tree. The RDN of a user is generally the equivalent of the uid or cn. See Using Special Characters on page 61 for restrictions on the use of special characters. Example: ou=people
Login: The attribute that stores the login name of the user. Users use the value of this attribute as the User Name while logging into Hyperion products. Example: uid
First Name: The attribute that stores the first name of the user. Example: givenname
Last Name: The attribute that stores the last name of the user. Example: sn
Email: The attribute that stores the e-mail address of the user (optional). Example: mail
Object Class: Object classes of the user (the mandatory and optional attributes that can be associated with the user). Shared Services uses the object classes listed in this screen in the search filter. Using these object classes, Shared Services should find all users who should be provisioned. You can manually add additional object classes if needed. To add an object class, type the object class name into the Object class box and click Add. Delete object classes by selecting the object class and clicking Remove. Example: person, organizationalperson, inetorgperson

9 Click Next.
  Note: Data entry in the Group Configuration screen is optional. If you do not enter the group filter settings, Shared Services searches the entire directory structure to locate groups. This process can negatively affect performance, especially if the user directory contains many groups.
The Group Configuration screen for the selected user directory type opens. Shared Services uses the properties set in this screen to create a filter to search for groups in the user directory. Using this filter speeds the search.
10 Clear Support Groups if you do not plan to provision groups or if users are not categorized into groups on the user directory. Deselecting this option disables the fields on this screen.

If you are supporting groups, Hyperion recommends that you use the Auto Configure area to retrieve the required information.

If you are configuring Oracle Internet Directory as a user directory, you cannot automatically configure the filter because the root DSE of Oracle Internet Directory does not contain entries in the Naming Contexts attribute. See Oracle documentation for detailed information.

11 In the Auto Configure area, enter a unique group identifier and click Go.

The group identifier must be expressed in <attribute>=<identifier> format; for example, cn=western_region. Attributes of the group are displayed in the Group Configuration area.

Note: You can manually enter required group attributes into text boxes in the Group Configuration area.

Caution! If the group URL is not set for user directories that contain / (slash) or \ (backslash) in its node names, the search for users and groups fails. For example, any operation to list the user or group fails if the group URL is not specified for a user directory in which users and groups exist in a node such as OU=child\ou,OU=parent/ou or OU=child/ou,OU=parent\ou.

Table 3 Group Configuration Screen

Group RDN: The Relative DN of the group. Each component of a DN is called an RDN and represents a branch in the directory tree. This value, which is relative to the Base DN, is used as the group URL.
Specify a Group RDN that identifies the lowest user directory node where all the groups that you plan to provision are available. The Group RDN has a significant impact on login and search performance. Because it is the starting point for all group searches, you must identify the lowest possible node within which all groups for Hyperion products are available. To ensure optimum performance, the number of groups present within the Group RDN should not exceed 10,000. If more groups are present, use an appropriate group filter to retrieve only the groups you want to provision.

Note: Shared Services displays a warning if the number of available groups within the Group URL exceeds 10,000.

See Using Special Characters on page 61 for restrictions on the use of special characters. Example: ou=groups

Group Filter: An LDAP query that retrieves only the groups that are to be provisioned with Hyperion product roles. For example, the LDAP query (cn=hyp*) retrieves only groups whose names start with the prefix Hyp. The group filter is used to limit the number of groups returned during a query. Group filters are especially important if the node identified by the Group RDN contains groups that need not be provisioned. Filters can be designed to exclude the groups that are not to be provisioned, thereby improving performance.

Name Attribute: The attribute that stores the name of the group. Example: cn

Object class: Object classes of the group (the mandatory and optional attributes that can be associated with the group). Shared Services uses the object classes listed in this screen in the search filter. Using these object classes, Shared Services should find all the groups associated with the user. You can manually add additional object classes if needed. To add an object class, type the object class name into the Object class text box and click Add. To delete object classes, select the object class and click Remove. Example: groupofuniquenames?uniquemember

12 Click Finish.
Shared Services saves the configuration and returns to the Defined User Directories screen, which now lists the user directory that you configured.

13 Test the configuration. See Testing User Directory Connections on page

14 Add the user directory to the search order used by Shared Services. See Adding a User Directory to the Search Order on page 54 for details.

15 Specify global parameters if needed. See Setting Global Parameters on page 56 for details.

Configuring an SAP Provider

Before starting these procedures, meet all prerequisites in Prerequisites on page 23.

By default, the timeout for resolving SAP keystore file is set to 10 seconds. After configuring an SAP provider, you can manually edit the CSS.xml file to set a different timeout. See Setting Timeout to Resolve SAP Keystore File on page 58 for details.
To configure an SAP provider:

1 Launch User Management Console. See Launching User Management Console on page

2 Select Administration > Configure User Directories.

The Defined User Directories screen that lists all configured user directories, including Native Directory, opens.

3 Click Add.

4 In the Directory Type screen, select SAP and click Next.

The SAP Connection Information screen opens.

5 In the SAP Connection Information screen, enter the appropriate configuration parameters.

Table 4 SAP Connection Information Screen

Name: A unique configuration name for the SAP provider. You use this name to identify the SAP provider in situations where multiple SAP providers are defined in Shared Services. Example: MY_SAP_DIRECTORY

SAP Server Name: The host name (or the IP address) of the computer where the SAP Server is running, or the SAP router address. Example: myserver

Client Number: The client number of the SAP system to which you want to connect.
Example: 001

System Number: The system number of the SAP System to which you want to connect. Example: 00

User ID: The user name that Shared Services should use to access SAP. This user must have access permissions to use Remote Function Calls (RFC) to connect to SAP and to access user, activity groups, and their relationship data. Example: my_sap_user

Password: The password of the user identified in the User ID box. Example: my_sap_password

Max Entries: The maximum entries that a query to the SAP provider can return. Example: 100

Pool Size: JCo connection pool size. Example: 10

Pool Name: A unique name for the connection pool that should be used to establish a link between Shared Services and SAP. Example: HYPERION_SAP_POOL

Language: Language for messages, for example error messages, from SAP. By default, this is read from the system locale of the server hosting Shared Services. Example: EN

Location of SAP Digital Certificate: The location of SAP X509 certificate. Hyperion products use this certificate to parse the SAP login ticket and to extract the user ID needed to support SSO. Required only if Hyperion products are plugged into SAP Enterprise Portal. Example: C:\Hyperion\common\SAP\bin (Windows) or /app/hyperion/common/sap/bin (UNIX).

SSL Enabled: Check box that enables you to use Secure Socket Layer (SSL) to communicate between Shared Services and the SAP provider.

Trusted: Check box that enables you to specify that this provider is a trusted source. User credentials from trusted sources are not validated during SSO. If you do not select this option, user credentials are validated every time user requests SSO to a different Hyperion product.

6 Click Save.

Shared Services saves the configuration and returns to the Defined User Directories screen, which now lists the SAP provider that you configured.

7 Test the SAP provider configuration. See Testing User Directory Connections on page

8 Add the SAP provider to the search order used by Shared Services.
See Adding a User Directory to the Search Order on page 54 for details.

9 Specify global settings if needed. See Setting Global Parameters on page 56 for details.
Configuring an NTLM User Directory

Before starting these procedures, meet all the prerequisites in Using NTLM to Support SSO on page 28.

To configure an NTLM user directory:

1 Launch the User Management Console. See Launching User Management Console on page

2 Select Administration > Configure User Directories.

The Defined User Directories screen that lists all the configured user directories, including Native Directory, opens.

3 Click Add.

4 In Directory Type select NT LAN Manager (NTLM) and click Next.

The NTLM Connection Information screen opens.

5 Enter the required configuration parameters in the NTLM Connection Information screen.

Table 5 NTLM Connection Information Screen

Name: A unique configuration name for the NTLM user directory. You use this name to identify the directory in situations where multiple NTLM directories are configured with Shared Services. Example: MY_NTLM_DIRECTORY

Domain: The name of the NTLM domain. You may use the Fetch Domain button to retrieve the domain name. If the domain is not specified, Shared Services, at run time, detects and uses all visible domains. This may affect performance. The search order is: local computer, domain of local computer, and trusted domains visible to the local computer.

Note: Because Shared Services does not detect domains when NTLM is used with Hyperion Remote Authentication Module (HRAM), you must specify the domain if HRAM is used. Example: MY_DOMAIN
Trusted: Check box to indicate that this provider is a trusted source. User credentials from trusted sources are not validated during SSO. If this option is not selected, Hyperion products validate user credentials every time the user switches between Hyperion products.

Maximum Size: Maximum number of entries that a query to the NTLM user directory can return. Example: 100

Hostname: Name of the Windows server where HRAM is installed to support SSO to Hyperion products running in a UNIX environment. Required only if Hyperion products are running in a UNIX environment. Example: MyHRAMServer

Port: The port number where HRAM is running. Example:

6 Click Finish.

Shared Services saves the configuration and returns to the Defined User Directories screen, which now lists the NTLM provider that you configured.

7 Test the configuration. See Testing User Directory Connections on page

8 Add the user directory to the search order used by Shared Services. See Adding a User Directory to the Search Order on page 54 for details.

9 Specify additional parameters, if needed, for the NTLM user directory. See Setting Global Parameters on page 56 for details.

Configuring Relational Databases as User Directories

User and group information from the system tables of Oracle, SQL Server, and IBM DB2 relational databases can be used to support provisioning. If group information cannot be derived from the database's system schema, Shared Services does not support the provisioning of groups from that database provider. For example, Shared Services cannot extract group information from IBM DB2, because the database uses groups defined on the operating system. You can, however, add these users to groups in Native Directory and provision those groups. You must configure Shared Services to connect to the database as the database administrator; for example, Oracle SYSTEM user, to retrieve the list of users and groups.

Note: Shared Services can retrieve only active database users for provisioning.
Inactive and locked database user accounts are ignored.

To configure database providers:

1 Launch User Management Console. See Launching User Management Console on page

2 Select Administration > Configure User Directories.

The Defined User Directories screen, which lists all configured user directories, including Native Directory, opens.
3 Click Add.

4 In the Directory Type screen, select Relational Database (Oracle, DB2, SQL Server).

5 Click Next.

6 In the Database Configuration tab, enter configuration parameters.

Table 6 DB Connection Information Screen

Database Type: The relational database vendor. Shared Services supports only Oracle, IBM DB2, and SQL Server databases as database providers. Example: Oracle 9i, 10g

Name: A unique configuration name for the database provider. You use this name to identify the database provider in situations where multiple providers are defined in Shared Services. Example: Oracle_DB_FINANCE

Server: The host name (or the IP address) of the computer where the database server is running. Example: myserver

Port: The port where the database server is available to accept requests. Example: 1521

Service/SID (Oracle only): The system identifier (default is orcl). Example: orcl

Database (SQL Server and DB2 only): The database to which Shared Services should connect. Example: master

User Name: The user name that Shared Services should use to access the database. This user must have access privileges to database system tables. Hyperion recommends that you use the database Administrator's user name for SQL Server and IBM DB2 databases, and the system account for Oracle databases. Example: SYSTEM
Password: The password of the user identified in the User Name box. Example: system_password

Trusted: Check box that enables you to specify that this provider is a trusted source. User credentials from trusted sources are not validated during SSO. If you do not select this option, user credentials are validated every time a user requests SSO to a different Hyperion product.

7 Optional: To define the maximum database connection pool size (default is 10), click Next.

The Advanced Database Configuration screen opens.

8 In Max ConnectionPool Size, enter the maximum number of connections in the database connection pool created for this provider.

9 Click Finish.

10 Click OK to return to the Defined User Directories screen.

11 Test the database provider configuration. See Testing User Directory Connections on page

12 Add the database provider to the search order used by Shared Services. See Adding a User Directory to the Search Order on page 54 for details.

13 Specify global settings if needed. See Setting Global Parameters on page 56 for details.

14 Restart Shared Services.

Testing User Directory Connections

After configuring a user directory, test the connection to ensure that Shared Services can successfully connect to the user directory using the current settings.

Note: Establishing a successful test connection does not mean that Shared Services will use the directory. Shared Services uses only the directories that have been assigned a search order.

To test user directory connection:

1 Launch the User Management Console, as explained in Launching User Management Console on page

2 Select Administration > Configure User Directories.
The Defined User Directories screen that lists all the configured user directories, including Native Directory, opens.

3 From the list of user directories, select the directory to test.

4 Click Test.

A status message indicating the results of the test is displayed.

5 Click OK.

Editing User Directory Settings

You can modify any of the parameters of an existing user directory configuration. Hyperion recommends not editing the configuration data of user directories that have been used for provisioning.

Caution! Editing some settings, for example, the Base DN, in the user directory configuration invalidates provisioning data. Exercise extreme care when modifying the settings of a user directory that has already been provisioned.

To edit a user directory configuration:

1 Launch the User Management Console, as explained in Launching User Management Console on page

2 Select Administration > Configure User Directories.

3 From Defined User Directories screen, select the user directory to edit.

4 Click Edit.

5 Modify the configuration settings as needed. For explanation of the parameters you can edit, see the following tables:

- MSAD and other LDAP-enabled user directories:
  - Table 1, Connection Information Screen, on page 41
  - Table 2, User Configuration Screen, on page 44
  - Table 3, Group Configuration Screen, on page 45
- SAP providers: Table 4, SAP Connection Information Screen, on page 47
- NTLM user directories: Table 5, NTLM Connection Information Screen, on page 49
- Database providers: Table 6, DB Connection Information Screen, on page 51

6 Click Finish to save the changes.
Deleting User Directory Configurations

You can delete a user directory configuration at any time. Deleting a directory configuration invalidates all the provisioning information for the users and groups derived from the user directory. It also removes the directory from the search order.

Tip: If you do not want to use a configured user directory that was used for provisioning, remove it from the search order so that the user directory is not searched for users and groups. This action maintains the integrity of provisioning information. It also enables you to use the user directory at a later time, if needed.

To delete a user directory configuration:

1 Launch the User Management Console, as explained in Launching User Management Console on page

2 Select Administration > Configure User Directories.

3 From Defined User Directories screen, select the directory to delete.

4 Click Delete.

Managing User Directory Search Order

The search order associated with a configured user directory determines the position of the directory in the search order that Shared Services uses to retrieve user and group information.

Shared Services ignores user directories that are not included in the search order. Consequently, these user directories are not used to support authentication and provisioning.

Note: Shared Services terminates the search for the user or group when it first encounters the specified user account. If a user has multiple accounts across user directories, Shared Services retrieves the account from the user directory that is listed first in the search order.

By default, Native Directory is set as the first directory in the search order. Additional user directories are given the next available sequence number in the search order.
You can perform these tasks to manage the search order:

- Adding a User Directory to the Search Order on page 54
- Changing the Search Order on page 55
- Removing a Search Order Assignment on page 56

Adding a User Directory to the Search Order

The order in which you add a user directory to the search order is retained as the default search order. You must have already configured the user directory that you want to include in the search order. To configure a user directory, see these topics:
- Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User Directories on page 40
- Configuring an SAP Provider on page 46
- Configuring an NTLM User Directory on page 49
- Configuring Relational Databases as User Directories on page 50

To add a user directory to the search order:

1 Launch User Management Console, as explained in Launching User Management Console on page

2 Select Administration > Configure User Directories.

3 From Defined User Directories screen, select the directory to add to the search order.

4 Click Add.

This button is available only if you have selected a user directory that is not already used in the search order.

Note: If you have NTLM and MSAD user directories configured, ensure that the MSAD user directory comes after NTLM in the search order.

Shared Services assigns a default search order, which you may change. For more information, see Changing the Search Order on page 55.

Changing the Search Order

The default search order assigned to each user directory, including Native Directory, is based on the sequence in which the directory was added to the search order.

To change the search order:

1 Launch the User Management Console, as explained in Launching User Management Console on page

2 Select Administration > Configure User Directories.

3 From Defined User Directories screen, select the directory whose search order you want to change.

4 Click Move Up or Move Down as needed.

Note: If you have NTLM and MSAD user directories configured, ensure that the MSAD user directory comes after NTLM in the search order.

Shared Services displays a message indicating that the search order was updated.

5 Click OK.

The Defined User Directories screen is displayed, which lists the user directories in the updated order.
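The first-match rule and the NTLM-before-MSAD note above can be checked offline against an inventory of directories. The following is an added example, not Shared Services code: the class and function names are hypothetical, the directory contents are constructed sample data, and login names are assumed to be compared exactly as written.

```python
from dataclasses import dataclass


@dataclass
class UserDirectory:
    name: str
    kind: str                        # "native", "ntlm", "msad", "ldap", "sap" or "db"
    logins: frozenset = frozenset()  # login names exported from the directory
    trusted: bool = False            # state of the "Trusted" check box
    used: bool = True                # False = status "Not Used" (not in the search order)


def in_use(search_order):
    """Directories that Shared Services actually searches, in order."""
    return [d for d in search_order if d.used]


def resolve(login, search_order):
    """Return the directory that supplies `login`: the first match wins."""
    for directory in in_use(search_order):
        if login in directory.logins:
            return directory
    return None


def shadowed_accounts(search_order):
    """Map each login found in several directories to its winner and the
    directories whose account of the same name is never reached."""
    seen = {}
    for directory in in_use(search_order):
        for login in directory.logins:
            seen.setdefault(login, []).append(directory)
    report = {}
    for login, dirs in sorted(seen.items()):
        if len(dirs) > 1:
            report[login] = {
                "winner": dirs[0].name,
                "winner_trusted": dirs[0].trusted,
                "shadowed": [d.name for d in dirs[1:]],
            }
    return report


def order_findings(search_order):
    """Flag a search order in which an MSAD directory precedes an NTLM one."""
    kinds = [d.kind for d in in_use(search_order)]
    ntlm = [i for i, k in enumerate(kinds) if k == "ntlm"]
    msad = [i for i, k in enumerate(kinds) if k == "msad"]
    if ntlm and msad and min(msad) < max(ntlm):
        return ["MSAD directory is listed before NTLM; the guide requires MSAD after NTLM"]
    return []


# Constructed sample inventory, listed in search order.
SEARCH_ORDER = [
    UserDirectory("Native Directory", "native", frozenset({"admin", "jdoe"})),
    UserDirectory("MY_NTLM_DIRECTORY", "ntlm", frozenset({"jdoe", "asmith"}), trusted=True),
    UserDirectory("MY_MSAD_DIRECTORY", "msad", frozenset({"asmith", "bwong"})),
    UserDirectory("Oracle_DB_FINANCE", "db", frozenset({"SYSTEM", "jdoe"}), used=False),
]

if __name__ == "__main__":
    for login, entry in shadowed_accounts(SEARCH_ORDER).items():
        print(login, entry)
    print(order_findings(SEARCH_ORDER) or "search order satisfies the NTLM/MSAD note")
```

Each login in the report deserves a review of whether the winning account is the one that was meant to be provisioned.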
Removing a Search Order Assignment

Deleting a user directory from the search order does not invalidate the directory configuration. It merely removes the user directory from the list of directories that are searched for authenticating users. A directory that is not included in the search order is set to Not Used status.

When you remove a user directory from the search order, the search sequence assigned to the other user directories is automatically updated.

Note: You cannot remove Native Directory from the search order.

To delete a user directory from the search order:

1 Launch User Management Console, as explained in Launching User Management Console on page

2 Select Administration > Configure User Directories.

3 From Defined User Directories screen, select the directory to remove from the search order.

4 Click Remove.

Shared Services displays a confirmation dialog box.

5 Click OK.

Shared Services displays a message indicating that the search order was updated.

6 Click OK to return to the Defined User Directories screen, which lists the status of the user directory as Not Used.

Setting Global Parameters

These global parameters are applicable to all user directories included in the search order.

- Token timeout: Specifies the time, in minutes, after which the SSO token issued by Hyperion products or the security agent will expire. Users are forced to log in again after this period.

  Note: Token timeout is not the same as session timeout.

- Logging level: Sets the level at which security issues are recorded in the Shared Services security log file. Administrators can change the Shared Services log level on-the-fly to capture relevant information to debug Shared Services issues. Shared Services application server restart is not required to activate log level change.

  Log files belonging to Hyperion products are stored in <Hyperion_Home>/logs, allowing administrators to easily locate log files to monitor the applications and troubleshoot issues. Product log files are created in a product-specific folder.
  For example, Shared Services logs are in <Hyperion_Home>/logs/SharedServices9. Existing log files are not moved to the new location.

- Delegated User Management Mode: Supports the distributed management of provisioning activities.
- Support for Security Agent for Single Sign-on: Indicates whether user directories are used to support SSO from security agents such as SiteMinder.

To set global parameters:

1 Launch User Management Console, as explained in Launching User Management Console on page

2 Select Administration > Configure User Directories.

3 In Defined User Directories, set global parameters.

Table 7 Global Parameters for User Directories

Token Timeout: Time limit (in minutes) after which the SSO token issued by Hyperion products/security agent becomes invalid. Users will be logged out after token timeout period. Token timeout is set based on the server's system clock. Example: 480

Logging level: Level at which user directory related issues are recorded in the Shared Services security log files. Example: WARN

Support for Security Agent for Single Sign-on: Option enabling support for SSO from security agents such as SiteMinder.

Enable Delegated User Management Mode: Option enabling delegated user management of Hyperion products. See Chapter 6, Delegated User Management.

4 Click OK.

Overriding Cache Refresh Interval for MSAD and other LDAP-Enabled User Directories

By default, Shared Services uses 60 minutes as the cache refresh interval; the period after which Shared Services refreshes its internal cache of information retrieved from each LDAP-enabled user directory configured with Shared Services.

Provisioning information for newly added users and groups in LDAP-enabled user directories is available to Shared Services only after the next cache refresh. This may result in new users and members of new groups not getting their provisioned roles for up to 60 minutes.

To change the cache refresh interval:

1 Using a text editor, open CSS.xml file.

This file is located in <HSS_home>/config. For example, C:\Hyperion\deployments\WebLogic9\SharedServices9\config (WebLogic 9.1 on Windows) and /vol1/Hyperion/deployments/WebLogic9/SharedServices9/config (WebLogic 9.1 on UNIX).
2 Insert the following code into the definition of the LDAP-enabled user directory for which you want to modify cache refresh interval. This line must be placed immediately after the <authtype>simple</authtype> code line.

    <cacherefreshinterval><interval></cacherefreshinterval>

Be sure to replace <interval> with the desired cache refresh interval in minutes. For example, <cacherefreshinterval>10</cacherefreshinterval> to set the interval to 10 minutes. You can set the interval to 0 if you want to refresh the cache for every call. This affects performance.

Note: Cache refresh interval must be set separately for each LDAP-enabled user directory.

3 Save and close the CSS.xml file.

4 Restart the application server if it is running.

Setting Timeout to Resolve SAP Keystore File

By default, Shared Services uses 10 seconds as the timeout for resolving the SAP keystore file. You can override this value in the Shared Services configuration file.

To change the timeout for resolving the SAP keystore file:

1 Using a text editor, open CSS.xml.

This file is in <HSS_home>/config. For example, C:\Hyperion\deployments\WebLogic9\SharedServices9\config (WebLogic 9.1 on Windows) and /vol1/Hyperion/deployments/WebLogic9/SharedServices9/config (WebLogic 9.1 on UNIX).

2 Insert the following code into the SAP provider definition. This code must be placed immediately after the token timeout declaration.

    <keystore>
      <timeout><interval></timeout>
    </keystore>

Be sure to replace <interval> with the desired keystore timeout interval in seconds. For example, <timeout>22</timeout> to set the interval to 22 seconds.

3 Save and close CSS.xml.

4 Restart the application server if it is running.

Connection Pooling

Previous releases of Hyperion products created connection threads to external user directories on a need-to-use basis. To improve performance, Shared Services allows connection pooling where user directory connections use a common connection pool.
Shared Services uses a default connection pool setting that is used for all configured user directories. Default connection pool settings are not recorded in CSS.xml.

To use custom connection pool settings for a user directory, you must update the configuration settings of the user directory in CSS.xml with a connection pool definition. User directory configurations that do not contain a connection pool definition use the default connection pool.

To define connection pool for a user directory configuration:

1 Using a text editor, open CSS.xml.

This file is in <HSS_home>/config. For example, C:\Hyperion\deployments\WebLogic9\SharedServices9\config (WebLogic 9.1 on Windows) and /vol1/Hyperion/deployments/WebLogic9/SharedServices9/config (WebLogic 9.1 on UNIX).

2 In each of the user directory configuration definitions, include a connection pool definition similar to the following:

    <connectionpool>
      <maxsize>100</maxsize>
      <timeout>90000</timeout>
      <evictinterval>60</evictinterval>
      <allowedidleconntime>120</allowedidleconntime>
      <growconnections>false</growconnections>
    </connectionpool>

See Table 8 for an explanation of these attributes.

A sample CSS.xml containing a connection pool definition:

    <ldap name="exampleldap">
      <trusted>true</trusted>
      <url>ldap://myserver:390/dc=example,dc=com</url>
      <userDN>cn=directory Manager</userDN>
      <password>{css}hagfq18y1357xxn2b0u+zq==</password>
      <authtype>simple</authtype>
      <connectionpool>
        <maxsize>100</maxsize>
        <timeout>90000</timeout>
        <evictinterval>60</evictinterval>
        <allowedidleconntime>120</allowedidleconntime>
        <growconnections>false</growconnections>
      </connectionpool>
      <user>
        <url>ou=people</url>
      </user>
      <group>
        <url>ou=groups</url>
      </group>
    </ldap>

Table 8 Connection Pool Attributes

Element / Attribute: Description

<connectionpool>: Connection pool definition
<maxsize>: Maximum number of connections in the pool. Default is 100 for LDAP-enabled directories, including MSAD, and 300 for Native Directory.

<timeout>: Timeout (in milliseconds) to get the connection from the pool. An exception is thrown after this period. Default is milliseconds (5 minutes).

<evictinterval>: Optional: The interval (in minutes) for running the eviction process to clean up the pool. The eviction process cleans up idle connections that have exceeded the allowedidleconntime. Default is 60 minutes.

<allowedidleconntime>: Optional: The time (in minutes) after which idle connections in the pool are cleaned up by the eviction process. Default is 120 minutes.

<growconnections>: This option indicates whether the connection pool can grow beyond <maxsize>. Default is false. If you do not allow the connection pool to grow, the system throws an error if a connection is not available within the time set for <timeout>.

3 Verify that each user directory configuration contains a connection pool definition.

4 Optional: Define socket connection timeout for user directories by including the <sockettimeout> parameter in the Native Directory user directory definition. For example, the following setting specifies a socket timeout of 5 seconds.

    <sockettimeout>60000</sockettimeout>

Note: Socket timeout set for Native Directory applies to all configured user directories.

Use a high socket timeout value in the following scenarios:

- A large number of users and groups are defined in the user directory.
- The machines that host the user directories are geographically distant from the machine that hosts Shared Services.
- A low-bandwidth network connection exists between the machine that hosts Shared Services and the machine that hosts the user directory.

A sample Native Directory definition containing socket timeout definition:
    <native name="native Directory">
      <startupretryinterval>5</startupretryinterval>
      <startupretrylimit>5</startupretrylimit>
      <sockettimeout>60000</sockettimeout>
      <connectionpool>
        <maxsize>600</maxsize>
        <timeout>1000</timeout>
        <growconnections>true</growconnections>
      </connectionpool>
    </native>

5 Save and close CSS.xml.

6 Restart Shared Services and all Hyperion products.

Using Special Characters

MSAD and other LDAP-enabled user directories allow special characters in entities such as DNs, user names, roles, and group names. Special handling may be required for Shared Services to understand such characters.

Generally, you must use escape characters while specifying any special character used in user directory settings for LDAP-enabled user directories, including MSAD; for example, user and group URLs and Base DN. Native Directory and NTLM do not require special handling of characters.

Table 9 lists the special characters that can be used in user names, group names, user URLs, group URLs, and in the value of OU in user DN.

Table 9 Supported Special Characters

Character   Name or Meaning          Character   Name or Meaning
(           open parenthesis         $           dollar
)           close parenthesis        +           plus
"           quotation mark           /           slash
'           single quotation mark    \           backslash
,           comma                    ^           caret
&           ampersand                ;           semicolon
=           equal to                 #           pound
<           less than                @           at
>           greater than
Table 10 Special Characters that Should not Be Used in Application IDs

Character   Name or Meaning   Character   Name or Meaning
,           comma             ;           semicolon
<           less than         +           plus
>           greater than      =           equal to
&           ampersand

Table 11 Special Characters that Should not Be Used in Application Names

Character   Name or Meaning
[           open bracket
]           close bracket
(           open parenthesis
)           close parenthesis

- Special characters are not permitted in the value set for the Login User attribute.
- Asterisk (*) is not supported in user names, group names, user and group URLs, and in the name of the OU in UserDN.
- Attribute values containing a combination of special characters are not supported.
- Ampersand (&) can be used without an escape character. For MSAD settings, & must be specified as &amp;.
- User and group names cannot contain both a backslash (\) and slash (/). For example, names such as test/\user and new\test/user are not supported.
- Space is not supported as a special character in Base DN.

Table 12 Characters that Need not Be Escaped

Character   Name or Meaning     Character   Name or Meaning
(           open parenthesis    '           single quote
)           close parenthesis   ^           caret
$           dollar              @           at

These characters must be escaped if you use them in user directory settings (user names, group names, user URLs, group URLs and User DN).

Table 13 Escape for Special Characters

Special Character     Escape                     Sample Setting   Escaped Example
comma (,)             backslash (\)              ou=test,ou       ou=test\,ou
63 Specia Character Escape Sampe Setting Escaped Exampe sash (/) pus sign (+) equa to (=) pound (#) semicoon (;) ou=test/ou ou=test+ou ou=test=ou ou=test#ou ou=test;ou ou=test\/ou ou=test\+ou ou=test\=ou ou=test\#ou ou=test\;ou ess than (<) \&t; ou=test<ou ou=test\&t;ou greater than (>) \> ou=test>ou ou=test\>ou (quotation mark) \\ (two backsashes) ou=test ou ou=test\\ ou \ (backsash) \\\ (three backsashes) ou=test\ou ou=test\\\\ou Caution! If the user URL is not specified, users created within the RDN root must not contain / (sash) or \ (backsash). Simiary, these characters shoud not be used in the names of groups created within the RDN root if a group URL is not specified. For exampe, group names such as OU=chid\ou,OU=parent/ou or OU=chid/ ou,ou=parent\ou are not supported. This issue does not appy if you are using a unique attribute as the ID Attribute in the user directory configuration. Using Specia Characters 63
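The rules in Tables 9, 12 and 13 can be checked before a value is typed into a user directory setting. The following Python sketch is an added example, not code from this guide or from Shared Services; the function names are hypothetical, the escaped forms are the ones Table 13 lists, and "a combination of special characters" is assumed to mean more than one distinct special character in a single attribute value.

```python
# Added example: validate and escape ONE attribute value (for example the OU
# name in a user URL) according to the special-character rules of this guide.

# Table 13: characters that must be escaped -> escaped form.
ESCAPES = {
    ",": "\\,", "/": "\\/", "+": "\\+", "=": "\\=", "#": "\\#", ";": "\\;",
    "<": "\\&lt;", ">": "\\&gt;",
    '"': '\\\\"',        # two backslashes placed before the quotation mark
    "\\": "\\\\\\\\",    # three backslashes placed before the backslash
}
NO_ESCAPE = set("()'^$@")                    # Table 12: allowed as-is
SPECIAL = set(ESCAPES) | NO_ESCAPE | {"&"}   # Table 9: supported characters


def problems(value):
    """Return the reasons, taken from the guide, for rejecting this value."""
    found = []
    if "*" in value:
        found.append("asterisk (*) is not supported")
    if "\\" in value and "/" in value:
        found.append("backslash and slash cannot appear in the same name")
    distinct = sorted({ch for ch in value if ch in SPECIAL})
    if len(distinct) > 1:
        # Assumption: "combination" = more than one distinct special character.
        found.append("combination of special characters: " + " ".join(distinct))
    return found


def escape_value(value, msad=False):
    """Escape a value for an LDAP-enabled directory setting.

    msad=True applies the MSAD rule that & is written as &amp;.
    Raises ValueError when the guide says the value is unsupported.
    """
    issues = problems(value)
    if issues:
        raise ValueError("; ".join(issues))
    out = []
    for ch in value:
        if ch == "&":
            out.append("&amp;" if msad else "&")
        else:
            out.append(ESCAPES.get(ch, ch))  # Table 12 characters pass through
    return "".join(out)


def build_rdn(attribute, value, msad=False):
    """Join an attribute name (for example 'ou') and an escaped value."""
    return attribute + "=" + escape_value(value, msad)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    for sample in ["test,ou", "test\\ou", 'test"ou', "R&D", "test/\\user", "fin*"]:
        try:
            print(repr(sample), "->", build_rdn("ou", sample, msad=True))
        except ValueError as err:
            print(repr(sample), "rejected:", err)
```

Native Directory and NTLM values do not need this treatment, so the check applies only to settings for LDAP-enabled user directories, including MSAD.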
5 Working with Applications and Projects

In This Chapter
Overview
Working with Projects
Managing Applications

Overview

Applications and projects are two important Shared Services concepts.

An application is a reference to a single instance of a Hyperion application that is registered with Shared Services. The registration process makes Shared Services aware of the existence of the Hyperion application. All provisioning activities are performed against an application.

In User Management Console, Hyperion applications are organized into projects. A project is a container for applications. For example, a project may consist of a Reporting and Analysis application and a Planning application. To provision users to an application, the application must belong to a project.

This chapter contains information on creating and managing projects. It also provides information on working with applications.

Working with Projects

A project is a container for Hyperion applications. For example, a project may contain a Planning application and one or more Reporting and Analysis applications. An application can belong to only one project. Applications that are registered with Shared Services but do not yet belong to a project are listed under Unassigned Applications in User Management Console.

The applications that are registered with Shared Services but have not been assigned to a project are listed under the Unassigned Applications node within User Management Console. Applications assigned to a project are listed under the Projects node of User Management Console. An application can belong to only one project, but a project may contain multiple applications. You can start the provisioning process only after applications are assigned to projects.

Topics covering project management tasks:
"Creating Projects" on page 66
"Modifying Project Properties" on page 66
"Deleting Projects" on page 67

Note: You must be a Shared Services Administrator or Project Manager to create and manage projects. Shared Services Administrators can work with all registered applications, but a Project Manager can work only with the application for which that person is the project manager.

Creating Projects

During the project creation process, you can also assign applications to the new project.

To create a project:
1 Launch the User Management Console, as explained in "Launching User Management Console."
2 Right-click Projects in the Object Palette, and select New.
3 Enter a unique project name in the Name text box and enter an optional description in the Description box.
   Note: Project names that start with the less than symbol (<), for example <my_project, do not appear in the Provisioning screen. Hyperion recommends that you create project names that start with a character other than the less than symbol.
4 To assign applications to this project:
   a. From List Applications in Project, select <Unassigned Applications> or an existing project that contains applications that you want to assign to the project.
   b. Click Update List to list the applications in the Available Applications list.
   c. From Available Applications, select the applications to assign to the project and click Add. The selected applications appear in the Assigned Applications list.
   d. To remove an assigned application, from Assigned Applications, select the application to remove from the project and click Remove. To remove all applications from the Assigned Applications list, click Reset.
5 Click Finish.
6 Click Create Another to create another project, or OK to close the status screen.

Modifying Project Properties

You can modify all properties and settings of an existing project, including application assignments.
Note: You can also add applications to projects by moving them from another project or from the Unassigned Applications node. Refer to "Moving Applications" on page 68.

To modify a project:
1 Launch the User Management Console, as explained in "Launching User Management Console."
2 Select Projects from the Object Palette.
3 On the Browse tab, right-click the project to modify and select Open.
4 Modify the project properties as needed. See step 4 on page 66 for information on assigning or removing applications.
5 Click Save.

Deleting Projects

Deleting a project removes the association of applications with the project, removes provisioning assignments from applications within the project, and deletes the project container. Applications from deleted projects are moved to the Unassigned Applications node.

To delete a project:
1 Launch the User Management Console, as explained in "Launching User Management Console."
2 Select Projects from the Object Palette.
3 In the Browse tab, right-click the project and select Delete.
4 Click OK in the confirmation screen.

Managing Applications

User Management Console keeps track of all Hyperion applications that are registered with Shared Services. The registration process is completed from individual Hyperion applications and not from Shared Services.

All registered applications are initially listed under the Unassigned Applications node on User Management Console because the registration process does not automatically assign applications to a project. Applications must be assigned to a project before users and groups can be provisioned against the roles belonging to those applications. Applications that have been assigned to a project are listed under the Project node of User Management Console.

Topics covering application management tasks:
"Assigning Access Permissions to Applications" on page 68
"Moving Applications" on page 68
"Copying Provisioning Information Across Applications" on page 69
"Deleting an Application" on page 69

Assigning Access Permissions to Applications

User Management Console enables application administrators to perform provisioning tasks, such as assigning access permissions to application-specific objects; for example, reports and calculation scripts. For example, for Essbase applications, users with the appropriate Oracle's Essbase Administration Services permissions can assign filter and calculation script access to selected users and groups.

Some products require that certain security tasks be performed in the product interface itself, not through User Management Console. For example, using the Administration Services interface, you must create filters and calculation scripts. You can then provision these objects by assigning specific users or groups from User Management Console. Likewise, you must assign access permission on repository content of Reporting and Analysis from within that product, not from User Management Console.

You must either be a Shared Services administrator or be provisioned with the appropriate product role (Planning Manager, for example) to assign access permission from the User Management Console. See the appropriate product appendix at the end of this guide for instructions on assigning access permission for specific products.

Before starting this procedure, ensure that the required servers and applications are running.

To assign application-specific access permissions:
1 Launch User Management Console, as explained in "Launching User Management Console."
2 From the Projects node in the Object Palette, expand the project containing the application.
3 Right-click the application and select the appropriate menu item for that application. An application-specific tab is displayed.
   Note: If the application is not running, an error message is displayed when you select the application. Restart the product server and refresh the Object Palette by clicking View > Refresh to access the application.
4 Assign access permissions as needed.
   Refer to the appropriate product appendix at the end of this guide for details.

Moving Applications

You can move assigned applications from one project to another and from unassigned applications to existing projects. Moving an application removes the association between the application and the project but does not affect provisioning assignments for the application.

To move an application:
1 Launch User Management Console, as explained in "Launching User Management Console."
2 Right-click the application and select Move To.
3 On the Move To tab, select the destination project for the application.
4 Click Save.

Copying Provisioning Information Across Applications

If you have multiple products of the same type (product and product version), you can copy provisioning information from one application to another. When you copy provisioning information, all user, group, and role information is copied to the target application. Product-specific access control settings are not copied.

To copy provisioning information across applications:
1 Launch User Management Console, as explained in "Launching User Management Console."
2 From Projects in the Object Palette, right-click the application from which you want to copy provisioning information and select Copy Provisioning. The Copy Provisioning tab opens. This tab lists the target application to which you can copy provisioning information.
3 Select the destination project.
4 Click Save.

Deleting an Application

Shared Services administrators can delete applications from projects or from available unassigned applications.

Deleting an application from a project moves it from the project to the Unassigned Applications node on the Object Palette. You may now assign this application to a different project. When you delete an application from a project, all provisioning information for that application is removed.

Deleting an application from the Unassigned Applications node on the Object Palette deregisters the application and removes all metadata information for that application. Perform this process only if there is no other way to deregister or delete the application.

To delete an application:
1 Launch User Management Console, as explained in "Launching User Management Console."
2 From existing projects or from unassigned applications, locate the application to delete.
3 Right-click the application and select Delete.
4 Click OK in the confirmation dialog box.
6 Delegated User Management

In This Chapter
About Delegated User Management
Hierarchy of Administrators
Enabling Delegated User Management Mode
Creating Delegated Administrators

About Delegated User Management

Delegated user management enables creating a hierarchy of administrator users for Hyperion products, focusing on the expertise and access needs of such users. This feature allows the Shared Services Administrator to delegate the responsibility of managing users and groups to other administrators, who are granted restricted access to manage users and groups for which they are responsible.

In delegated administration mode, a search for users and groups retrieves only the users and groups for which an administrator is responsible. Only the admin or users with the Administrator Shared Services role can view all the users and groups across delegated administrators.

Hierarchy of Administrators

The default Shared Services Administrator account (admin) is the most powerful account in Hyperion products. Hyperion recommends that you change the password of this account after you first access Shared Services.

Two tiers of administrators exist in delegated administration mode:
"Shared Services Administrators" on page 71
"Delegated Administrators" on page 72

Shared Services Administrators

Hyperion recommends that you create Shared Services Administrator accounts similar to the default admin account to administer Shared Services and other Hyperion applications.
You can create Shared Services Administrator accounts by provisioning users and groups with the Shared Services Administrator role, which provides unfettered access to all Shared Services functions.

Delegated Administrators

In contrast to Shared Services Administrators, Delegated Administrators have limited administrator-level access to Shared Services and Hyperion products. Delegated Administrators can access only the users and groups for which they are granted Administrator access, dividing user and group management tasks across multiple administrators.

The permissions of Delegated Administrators on Hyperion products are controlled by the access rights that a Shared Services Administrator has granted them through provisioning. For example, assume that a Delegated Administrator is granted the Directory Manager global role in Shared Services, enabling the user to create new users and groups in Native Directory. Without additional roles, this Delegated Administrator cannot view a list of users and groups that other administrators created.

If they have the permission to provision users (granted through the Provisioning Manager role), Delegated Administrators can create other Delegated Administrators and provision them to further delegate administrative tasks.

Enabling Delegated User Management Mode

You must enable Delegated User Management mode for Shared Services before you can create delegated administrators. The default Shared Services deployment does not support delegated administration. Additional screens and menu options become available after you switch to Delegated User Management mode.

To enable Delegated User Management mode:
1 Launch the Oracle's Hyperion Shared Services User Management Console, as explained in "Launching User Management Console."
2 From Administration, select Configure User Directories.
3 From Defined User Directories, select Enable Delegated User Management Mode.
4 Click OK.
5 Restart Shared Services.

Creating Delegated Administrators

"Planning Steps" on page 73
"Provisioning Delegated Administrators" on page 73
"Creating Delegated Lists" on page 73
"Viewing Delegated Reports" on page 77

Planning Steps

User Accounts for Delegated Administrators

Shared Services Administrators create Delegated Administrators from existing user accounts in the user directories configured on Shared Services. Unlike in the provisioning process, delegated administration capabilities cannot be assigned to groups. Before starting the process of delegating Shared Services administration, verify that Delegated Administrators are created as users in a configured user directory.

Create a Delegation Plan

The delegation plan should identify the levels of Delegated Administrators needed to effectively administer Hyperion products. The plan should identify:
Users and groups that each Delegated Administrator should manage. This list can be used while creating Delegated Lists. See "Creating Delegated Lists" on page 73.
Shared Services and Hyperion product roles that each Delegated Administrator should be granted.

Provisioning Delegated Administrators

Shared Services Administrators provision Delegated Administrators to grant them roles based on the delegation plan. Delegated Administrators must be granted Shared Services roles depending on the activities they should perform. See "Shared Services Roles" on page 135 for a list of Shared Services roles.

Delegated Administrators can be granted roles from Hyperion products; for example, Provisioning Manager from Planning, to allow them to perform administrative tasks in Hyperion products.

Creating Delegated Lists

Delegated lists identify the users and groups that a Delegated Administrator can manage. Each list is assigned to one or more Delegated Administrators. Delegated Administrators can:
View only the users and groups assigned to them through delegated lists. All other users and groups remain hidden from their view.
Create delegated lists for other users they manage.
Search and retrieve only the users and groups that are included in their delegated lists.
Note: Shared Services displays the Delegated List node only if the current user is assigned to manage delegated lists.

The users and groups that a Delegated Administrator creates are not automatically assigned to the administrator who created them. A Shared Services Administrator must add these users and groups to delegated lists before Delegated Administrators can access them. Delegated Administrators, however, can assign these users and groups to the delegated lists that they create.

To create delegated lists:
1 Launch User Management Console, as explained in "Launching User Management Console."
2 In Native Directory in Object Palette, right-click Delegated List, and select New. The Create Delegated List screen opens.
3 In Name, enter a unique name for the delegated list.
4 Optional: In Description, type a description of the list.
5 Optional: To add groups to the list, click Next.
   a. In Search for Groups, enter the name of the group to assign to the list. Leave this field empty to retrieve all groups. Use * as the wildcard for pattern searches. If you are a Delegated Administrator, only groups assigned to you are displayed.
   b. In Directory, select the user directory from which groups are to be displayed.
   c. Click Go.
   d. From Available Groups, select one or more groups.
   e. Click Add. The selected groups are listed in Assigned Groups.
      Note: Shared Services considers Oracle and SQL Server database roles as the equivalents of groups in user directories. Oracle database roles can be hierarchical. SQL Server database roles cannot be nested. Because DB2 does not support roles, Shared Services does not display groups if you select a DB2 database provider.
   f. Optional: To unassign a group, from Assigned Groups, select a group and click Remove. To unassign all groups, click Reset.
6 Optional: To add users to the list, click Next.
   a. In Search for Users, type the name of the user to assign to the list. Leave this field blank to retrieve all users. Use * as the wildcard for pattern searches.
      If you are a Delegated Administrator, only users assigned to you are displayed.
   b. In Directory, select the user directory from which users are to be displayed.
   c. Click Go.
   d. From Available Users, select one or more users.
   e. Click Add.
      The selected users are listed in Assigned Users.
   f. Optional: To unassign a user, from Assigned Users, select a user and click Remove. To unassign all users, click Reset.
      Note: The Delegated Administrator of the list is automatically added as a user.
7 Optional: To assign Delegated Administrators for this list, click Next. The Managed By tab opens.
   a. In Search for Users, enter the name of the user to assign as the Delegated Administrator of the list. Leave this field blank to retrieve all users. Use * as the wildcard for pattern searches. If you are a Delegated Administrator, only users assigned to you are displayed.
   b. In Directory, select the user directory from which users are to be displayed.
   c. Click Go.
   d. From Available Users, select one or more users.
   e. Click Add. The selected users are listed in Assigned Users.
   f. Optional: To unassign a user, from Assigned Users list, select the user and click Remove. To unassign all users, click Reset.
      Note: The user who creates the list is automatically added as a Delegated Administrator of the list.
8 Click Finish.

Modifying Delegated Lists

Delegated Administrators can modify only the lists assigned to them. Users with Shared Services Administrator role can modify all delegated lists.

To modify delegated lists:
1 Launch User Management Console, as explained in "Launching User Management Console."
2 In the Native Directory node in the Object Palette, select Delegated Lists.
3 Search for the delegated list to modify. See "Searching for Users, Groups, Roles, and Delegated Lists" on page 34. Delegated lists that meet the search criterion are listed on the Browse tab.
4 Right-click the delegated list and select Properties. The Delegated List Properties screen opens.
5 Optional: On General, modify the list name and description.
6 Optional: To add groups, click Group Members.
   a. In Search for Groups, enter the name of the group to assign to the list. Leave this field empty to retrieve all groups. Use * as the wildcard for pattern searches. If you are a Delegated Administrator, only groups assigned to you are displayed.
   b. In Directory, select the user directory from which groups are to be displayed.
   c. Click Go.
   d. From Available Groups, select one or more groups.
   e. Click Add. The selected groups are listed in Assigned Groups.
   f. Optional: To unassign a group, from Assigned Groups, select the group and click Remove. To unassign all groups, click Reset.
7 Optional: To add users to the list, click User Members.
   a. In Search for Users, enter the name of the user to assign to the list. Leave this field blank to retrieve all users. Use * as the wildcard for pattern searches. If you are a Delegated Administrator, only users assigned to you are displayed.
   b. In Directory, select the user directory from which users are to be displayed.
   c. Click Go.
   d. From Available Users, select one or more users.
   e. Click Add. The selected users are listed in Assigned Users.
   f. Optional: To unassign a user, from Assigned Users list, select the user and click Remove. To unassign all users, click Reset.
      Note: The Delegated Administrator of the list is automatically added as a user.
8 Optional: To modify Delegated Administrator assignment, click Managed By. The Managed By page opens.
   a. In Search for Users, enter the name of the user to assign as the Delegated Administrator of the list. Leave this field blank to retrieve all users. Use * as the wildcard for pattern searches. If you are a Delegated Administrator, the users assigned to you are displayed.
   b. In Directory, select the user directory from which users are to be displayed.
   c. Click Go.
   d. From Available Users, select one or more users.
   e. Click Add. The selected users are listed in Assigned Users.
   f. Optional: To unassign a user, from Assigned Users list, select the user and click Remove. To unassign all users, click Reset.
      Note: The user who creates the list is automatically added as a Delegated Administrator of the list.
9 Click Save.

Deleting Delegated Lists

To delete delegated lists:
1 Launch User Management Console, as explained in "Launching User Management Console."
2 In the Native Directory node in the Object Palette, select Delegated Lists.
3 Search for the delegated list to modify. See "Searching for Users, Groups, Roles, and Delegated Lists" on page 34. Delegated lists that meet the search criterion are listed on the Browse tab.
4 Right-click the delegated list and select Delete.
5 Click OK in the confirmation dialog box.

Viewing Delegated Reports

Delegated reports contain information about the users and groups assigned to the selected delegated lists and the delegated administrators to whom the list is assigned.

Shared Services Administrators can generate and view delegated reports on all delegated lists. Delegated Administrators can generate reports on the delegated lists they created and the delegated lists assigned to them.

To view delegated reports:
1 Launch User Management Console, as explained in "Launching User Management Console."
2 In Native Directory in Object Palette, right-click Delegated List, and select View Delegated Reports. The View Delegated Report screen opens.
3 In Delegated List Name, enter the name of the list for which the report is to be generated. Use * as wildcard for pattern searches.
4 In Managed By, enter the user ID of the Delegated Administrator whose assignments in the specified list are to be reported. Use * as wildcard for pattern searches.
5 Click Create Report.
6 Click Cancel to close the report or Print Preview to preview the report. If you preview the report:
   a. Click Print to print the report.
   b. Click Close to close the View Report window.
7 Managing Native Directory

In This Chapter
About Native Directory
Managing Native Directory Users
Managing Native Directory Groups
Managing Roles
Changing Native Directory root User Password
Backing Up the Native Directory Database
Synchronizing Native Directory Database with the Shared Services Repository
Recovering Native Directory Data
Setting Up Native Directory for High Availability and Failover
Migrating Native Directory

About Native Directory

Shared Services uses Native Directory to store user provisioning data and a relational database to store product registration data. After the initial logon to a Hyperion product, the product directly queries Native Directory for user provisioning information. Hyperion products can function normally only if Native Directory is running.

User Management Console displays a list of users and groups for each configured user directory, including Native Directory. These lists are used to provision users and groups against application roles.

User Management Console is the central administration point for Native Directory, the default user directory that is installed with Shared Services. Other user directories are administered through their own administration screens.

Installation Location

By default, Native Directory is installed to <Hyperion_Home>/SharedServices/<HSS_version>/openLDAP. Examples:
C:\Hyperion\SharedServices\9.3.1\openLDAP (Windows)
/vol1/hyperion/sharedservices/9.3.1/openldap (UNIX)

The install location of Native Directory is referred to as <openldap_home> throughout this document. Native Directory data is stored in <openldap_home>/var/openldap-data, and utilities are stored in <openldap_home>/bdb/bin.

By default, Native Directory is deployed to port as a process (UNIX) or a service (Windows).

Default Users and Groups

Native Directory, by default, contains one user account (admin, with password as the default password). Using this account, you can perform all Native Directory and Shared Services administration tasks.

All Shared Services users belong to the WORLD group, the only default Native Directory group. WORLD is a logical group. All Shared Services users inherit any role assigned to this group. A user gets the sum of all permissions assigned directly to that user as well as those assigned to the user's groups (including the WORLD group).

If Shared Services is deployed in delegated mode, the WORLD group contains groups as well as users. If the delegated list of a user contains the WORLD group, then the user can retrieve all users and groups during search operations.

Starting Native Directory

By default, Native Directory is installed as a Windows service or UNIX process.

Starting Native Directory in Normal Mode

On Windows, you can start Native Directory by starting the Hyperion S9 OpenLDAP service from the Services window, or by executing <openldap_home>\startservice.bat. On UNIX systems, run the <openldap_home>/startopenldap script to start the process.

Starting Native Directory in Debug Mode

To start Native Directory in debug mode:
1 Using a command prompt window, navigate to <openldap_home>.
2 Execute the following command:
   slapd -d
Stopping Native Directory

On Windows, you can stop Native Directory by stopping the Hyperion S9 OpenLDAP service from the Services window, or by executing <openldap_home>\stopservice.bat. On UNIX systems, run the <openldap_home>/stopopenldap script to stop the Native Directory process.

Managing Native Directory Users

Shared Services Administrators or Directory Managers can perform the following tasks to manage Native Directory user accounts:
"Creating Users" on page 81
"Modifying User Accounts" on page 82
"Deactivating User Accounts" on page 83
"Deleting User Accounts" on page 84
"Provisioning Users and Groups" on page 101
"Deprovisioning Users and Groups" on page 102
"Generating Provisioning Reports" on page 102

Note: Users in external user directories cannot be managed from User Management Console.

Creating Users

To create users:
1 Launch User Management Console, as explained in "Launching User Management Console."
2 In the Native Directory node in the Object Palette, right-click Users, and select New.
3 In the Create User screen, enter the required information.

Table 14 Create User Screen

Label: Description
User Name: A unique user identifier as per the naming conventions of your organization (for example, first name initial followed by last name, as in jyoung). User names can contain any number or combination of characters. You cannot create identical user names, including names that are differentiated only by number of spaces. For example, you cannot create user names user 1 (with one space between user and 1) and user  1 (with two spaces between user and 1).
First Name: First name of the user (optional)
Last Name: Last name of the user (optional)
Description: Description of the user (optional)
Email Address: Email address of the user (optional)
Password: The password for this user account. Passwords are case-sensitive and can contain any combination of characters.
Confirm Password: The entry in the Password text box

4 Optional: To add the user to one or more groups, click Next.
   a. On the Group Membership page, in Search for Groups, type the name of the group to assign to the user (type * to list all available groups).
   b. Click Go.
   c. From Available Groups, select one or more groups.
   d. Click Add. The selected groups are listed in the Assigned Groups list.
   e. Optional: To unassign a group, from the Assigned Groups list, select the group and click Remove. To unassign all groups, click Reset.
5 Click Finish.
6 Click Create Another to create another user or OK to close the Create User screen.

Modifying User Accounts

For the default admin account, you can only modify e-mail address, password, and group membership. For all other user accounts, you can modify any property.

To modify user accounts:
1 Launch User Management Console, as explained in "Launching User Management Console."
2 In the Native Directory node in the Object Palette, select Users.
3 Search for the user account. See "Searching for Users, Groups, Roles, and Delegated Lists" on page 34. A list of users that meet the search criterion is displayed on the Browse tab.
4 Right-click the user account and select Properties. The User Properties screen opens.
   Note: The User Properties screen displays the Managed By tab if Shared Services is deployed in Delegated Administration mode.
5 On the General tab, modify one or more user properties. See Table 14 for descriptions of the properties that you can modify.
6 Optional: Modify the user's associations with Native Directory groups.
   a. In the Search for Groups box on the Member Of tab, type the name of the group to assign to this user (type * to list all available groups), and click Go.
   b. From Available Groups, select one or more groups to assign to the user, and click Add. The selected groups are listed in Assigned Groups. To remove an assigned group, from Assigned Groups, select the group to remove, and click Remove.
7 To view the delegated administrators assigned to the user, open the Managed By tab, which is available only if Shared Services is deployed in Delegated Administration mode.
8 Click Save.

Deactivating User Accounts

You can deactivate user accounts that should not have access to Hyperion applications. Account deactivations are, typically, temporary suspensions where the Native Directory administrator hopes to reactivate the accounts in the future.

Inactive user accounts cannot be used to log on to Hyperion applications, including User Management Console.
Group associations of inactive accounts are maintained and remain visible to Native Directory administrators.
Role associations of inactive accounts are maintained.
Inactive user accounts are not displayed on the product-specific access-control screens of items for which access is disabled.
Inactive user accounts are not deleted from Native Directory.

Note: The admin account cannot be deactivated.

To deactivate user accounts:
1 Launch the User Management Console, as explained in "Launching User Management Console."
2 In the Native Directory node in the Object Palette, right-click Users, and select Show Active to list all user accounts you can deactivate. To search for a specific user account to deactivate, see "Searching for Users, Groups, Roles, and Delegated Lists" on page 34.
3 Right-click the user account, and select Deactivate.
Activating Inactive User Accounts

Activating inactive user accounts reinstates all associations that existed before the accounts were deactivated. If a group of which the inactive user account was a member was deleted, the roles granted through the deleted group are not reinstated.

To activate deactivated user accounts:
1 Launch User Management Console, as explained in "Launching User Management Console".
2 In the Native Directory node of the Object Palette, right-click Users, and select Show Inactive to list all inactive user accounts you can activate. To search for a specific user account to activate, see "Searching for Users, Groups, Roles, and Delegated Lists".
3 Right-click the user account, and select Activate.

Deleting User Accounts

Deleting a user account removes the user's associations with Native Directory groups, the role assignments of the user, and the user account from Native Directory.

Note: The admin account cannot be deleted.

To delete user accounts:
1 Launch User Management Console, as explained in "Launching User Management Console".
2 From the Native Directory node of the Object Palette, click Users.
3 Search for a user account. See "Searching for Users, Groups, Roles, and Delegated Lists" on page 34. A list of users that meet the search criterion is displayed on the Browse tab.
4 Right-click the user account, and select Delete.

Managing Native Directory Groups

Native Directory users can be grouped based on common characteristics. For example, users can be categorized into groups such as staff, managers, and sales based on function, and Sales_West and Managers_HQ, based on location. A user can belong to one or more groups. Native Directory groups can contain other groups and users from user directories configured on Shared Services.

Group affiliations of a user are important considerations in the authorization process. Typically, groups, rather than individual user accounts, are used to facilitate the provisioning process.
Tasks performed by Shared Services administrators or directory managers:
- "Creating Groups"
- "Modifying Groups" on page 86
- "Deleting Groups" on page 88
- "Provisioning Users and Groups" on page 101
- "Deprovisioning Users and Groups" on page 102
- "Generating Provisioning Reports" on page 102

Note: Groups on external user directories cannot be managed from User Management Console.

Creating Groups

Native Directory groups can contain users and groups from any user directories configured on Shared Services, including Native Directory. Groups that contain other groups are known as nested groups. Each component group of a nested group used in provisioning inherits all roles assigned to the nested group. Similarly, users assigned to a group inherit the roles assigned to the group.

When a group from an external user directory is added to a Native Directory group, Shared Services creates a reference in the database to establish the relationship.

To create Native Directory groups:
1 Launch User Management Console, as explained in "Launching User Management Console".
2 In the Object Palette, right-click Groups, and select New.
3 For Name in the Create Group screen, enter a unique group name. Group names are not case-sensitive.
4 Optional: Enter a group description.
5 Perform an action:
   - To create the group without adding groups or users, click Finish, and go to step 10.
   - To create a nested group or assign users to the group, click Next. The Group Members tab is displayed.
6 Create a nested group. To skip this step, click Next.
   a. In Search for Groups, enter the criterion for retrieving groups. Use * (asterisk) as the wildcard to retrieve all available groups.
   b. In Directory, select the user directory from which to retrieve groups. All configured user directories are listed in the Directory list.
   c. Click Go. Groups that match the search criterion are listed under Available Groups.
   d. From Available Groups, select the groups to nest within the new group.
   e. Click Add.
      The selected groups are listed under Assigned Groups list. To remove an assigned group, from Assigned Groups, select the group to remove and click Remove. To remove all assigned groups, click Reset.
   f. Optional: To retrieve and assign groups from other user directories, repeat Steps a-e.
7 To create the group without adding users, click Finish. To add users to the group, click Next. The User Members tab is displayed.
8 To assign users to the group:
   a. In Search for Users, enter the search criterion. Use * (asterisk) as the wildcard to retrieve all users.
   b. In Directory, select the user directory from which to retrieve users. All configured user directories are listed under Directory.
   c. Click Go. User accounts matching the search criterion are listed under Available Users.
   d. From Available Users, select one or more users to add to the group.
   e. Click Add. The selected user accounts are listed under Assigned Users. To remove a selected user, from Assigned Users, select the user to remove and click Remove. To remove all selected users, click Reset.
   f. Optional: To retrieve and assign users from other user directories, repeat Steps a-e.
9 Click Finish.
10 From the confirmation screen, select Create Another (to create another group) or select OK (to return to the Browse tab).

Modifying Groups

You can modify the properties of all Native Directory groups except WORLD (the container for all users and groups within Native Directory). If you remove a subgroup from a nested group, the role inheritance of the subgroup is updated. Similarly, if you remove a user from a group, the role inheritance of the user is updated.

Note: You cannot modify the settings of the WORLD group.

To modify groups:
1 Launch User Management Console, as explained in "Launching User Management Console".
2 In the Native Directory node of the Object Palette, select Groups.
3 Search for a group. See "Searching for Users, Groups, Roles, and Delegated Lists" on page 34. A list of groups that meet the search criterion is displayed on the Browse tab.
4 Right-click a group, and select Properties. The Group Properties screen is displayed.
   Note: The Group Properties screen displays the Managed By tab if Shared Services is deployed in Delegated Administration mode.
5 If you want to modify general properties of the group, on the General tab, edit the name and description.
6 If you want to modify group assignments, open the Group Members tab and perform one or both actions:
   a. To add groups to the group:
      - In Search for Groups, enter the search criterion. Use * (asterisk) as the wildcard to retrieve all groups.
      - In Directory, select the user directory from which to retrieve groups.
      - Click Go.
      - From Available Groups, select one or more groups, and click Add. Selected groups are listed in the Assigned Groups list. To remove a selected group, from Assigned Groups, choose the group and click Remove. To undo all your actions in this tab, click Reset.
      - Optional: To retrieve and assign groups from other user directories, repeat this procedure.
   b. To remove groups from the group:
      - From Assigned Groups, select one or more groups.
      - Click Remove. Removed groups are listed in the Available Groups list.
7 If you want to modify user assignments, open the User Members tab and perform one or both actions:
   a. To add users to group:
      - In Search for Users, enter the search criterion. Use * (asterisk) as the wildcard to retrieve all available user accounts.
      - In Directory, select the user directory from which to retrieve user accounts. All configured user directories are listed in the Directory list.
      - Click Go.
      - From Available Users, select one or more users to assign to the group.
      - Click Add. The selected users are listed in Assigned Users list. To remove an assigned user, from Assigned Users, select the user and click Remove. To undo all your actions in this tab, click Reset.
      - Optional: To retrieve and assign users from other user directories, repeat this procedure.
   b. To remove users from the group:
      - From Assigned Users, select one or more users.
      - Click Remove.
8 To view the delegated administrators assigned to the group, open the Managed By tab, which is available only if Shared Services is deployed in Delegated Administration mode.
9 Click Save.

Deleting Groups

Deleting a group removes the group's associations with users and roles and removes the group's information from Native Directory but does not delete the users or subgroups assigned to the deleted group.

To delete groups:
1 Launch User Management Console, as explained in "Launching User Management Console".
2 From the Object Palette, select Groups.
3 Search for the group to delete. See "Searching for Users, Groups, Roles, and Delegated Lists" on page 34. A list of groups that meets the search criterion is displayed on the Browse tab.
4 Right-click the group, and select Delete.

Managing Roles

Roles define the operations that users can perform in specific applications. Application roles from all registered Hyperion applications can be viewed but not updated or deleted from User Management Console.

Tasks performed by Shared Services Administrators:
- "Creating Aggregated Roles" on page 89
- "Modifying Aggregated Roles" on page 89
- "Deleting Aggregated Roles" on page 90
- "Generating Provisioning Reports" on page 102

Note: You can provision newly created users and groups from LDAP-enabled user directories, including MSAD. However, the roles provisioned to the new users and groups are available to the users (become effective) only after Shared Services refreshes its cache. By default, the cache refresh interval is set to 60 minutes, which can be modified. See "Overriding Cache Refresh Interval for MSAD and other LDAP-Enabled User Directories".
Creating Aggregated Roles

To facilitate administration and provisioning, Shared Services Administrators can create aggregated roles that associate multiple product-specific roles with a custom Shared Services role. Users with Shared Services Provisioning Manager role can create aggregated roles for the product for which they are Provisioning Managers. Shared Services Administrators can create aggregated roles for all Hyperion products. For information on aggregated roles, see "Aggregated Roles" on page 17.

Note: You can create roles only after at least one Hyperion application has been registered with Shared Services.

To create aggregated roles:
1 Launch User Management Console, as explained in "Launching User Management Console".
2 From the Object Palette, right-click Roles, and select New. The Create Role screen is displayed.
3 For Name, enter a role name. Role names that contain special characters are not supported. Role names should not start or end with a \ (backslash). See "Using Special Characters" on page 61 for more information.
4 Optional: For Description, enter a role description.
5 From Product Name, select the product for which to create the role. This list includes all Hyperion applications registered with Shared Services.
6 Click Next.
7 On the Role Members tab, find the roles to add.
   - To retrieve all roles from the selected application, click Go.
   - To search for a role, enter the role name in Search for Roles and click Go. Use * (asterisk) as the wildcard in pattern searches.
8 From Available Roles, select the application roles to assign.
9 Click Add. The selected roles are listed in Assigned Roles list. To remove a selected role, from Assigned Roles, select the role and click Remove. To undo all your actions in this tab, click Reset.
10 Click Finish.

Modifying Aggregated Roles

You can modify only aggregated roles; default application-specific roles cannot be modified from Shared Services. You may change all role properties except the product name.
To modify aggregated roles:
1 Launch User Management Console, as explained in "Launching User Management Console".
2 In the Object Palette, select Roles.
3 Retrieve an aggregated role. See "Searching for Users, Groups, Roles, and Delegated Lists".
4 Right-click the role, and select Properties. The Role Properties screen is displayed.
5 If you want to modify general properties of the role, on the General tab, edit the name and description.
6 If you want to modify role member assignments, open the Role Members tab, and perform one or both actions:
   a. To add role members:
      - Retrieve the roles to add. To retrieve all roles, click Go. To retrieve a specific role, enter the role name in Search for Roles and click Go. Use * (asterisk) as the wildcard in pattern searches.
      - From Available Roles, select one or more roles.
      - Click Add. The selected roles are listed under Assigned Roles. To remove a selected role, from Assigned Roles, select one or more roles and click Remove. To undo your actions in this tab, click Reset.
   b. To remove role assignments:
      - From Assigned Roles, select one or more roles to remove.
      - Click Remove.
7 Click Save.

Deleting Aggregated Roles

You can delete aggregated roles that are created from Shared Services. You cannot delete application-specific roles.

To delete aggregated roles:
1 Launch User Management Console, as explained in "Launching User Management Console".
2 In the Object Palette, select Roles.
3 Retrieve an aggregated role. See "Searching for Users, Groups, Roles, and Delegated Lists" on page 34. A list of roles that meet the search criterion is displayed on the Browse tab.
4 Right-click a role, and select Delete.
5 In the confirmation dialog box, click OK.
Changing Native Directory root User Password

Shared Services Administrators can change the password of the Native Directory root user account, which provides complete control over Native Directory. The default root password is hard-coded in a file and is not visible to users.

root, the most powerful Native Directory user account, provides complete control over Native Directory. The password of the root user account is stored in a file. Native Directory does not provide an interface to change this password. To improve security, Shared Services provides a screen to change the root password.

If you update the password, Shared Services stores an encrypted version of the password in CSS.xml. The updated password takes effect after you restart Native Directory and Shared Services.

Note: Only a user provisioned with Shared Services Administrator role can change the root password.

To update Native Directory root password:
1 Launch User Management Console, as explained in "Launching User Management Console".
2 From Administration, select Change Native Directory Password.
3 In Current Password, enter the existing root account password. This field is automatically populated if the default password has not been changed previously.
4 In New Password and Confirm Password, enter the new password for root account.
5 Click Finish.
6 Restart Native Directory by restarting the Hyperion S9 OpenLDAP Windows service or UNIX process.
7 Restart Shared Services.

Backing Up the Native Directory Database

The Native Directory database must be backed up periodically to recover from loss of provisioning data due to media failures, user errors, and unforeseen circumstances. Hyperion recommends that you regularly back up this database.

Best Practices

- Hyperion recommends monthly cold backups of the Native Directory database and Shared Services repository.
- Perform hot backups daily to supplement the cold backups. Schedule hot backups when database usage is at its lowest.
- Back up the Shared Services repository and Native Directory database at the same time so that backup is in sync.
- Store backup for disaster recovery.
- Test backup and recovery procedures to ensure that the process works.
Hot Backup

Regular incremental backups of the Native Directory database can be performed without shutting down Native Directory. Known as hot backups, they do not interfere with the availability of Shared Services.

Use backup.bat (Windows) or backup.sh (UNIX) to schedule daily hot backups. This Hyperion-supplied backup file is stored in <Hyperion_Home>/SharedServices/<hss_version>/server/scripts; for example, C:\Hyperion\SharedServices\9.3.1\server\scripts (Windows) or /vol1/hyperion/sharedservices/9.3.1/server/scripts (UNIX).

See Hyperion Shared Services Installation Guide for information on the files and directories that are backed up.

Note: This procedure backs up Shared Services configuration files and Native Directory.

To run a hot backup:
1 Using a command prompt window, navigate to <Hyperion_Home>/SharedServices/<hss_version>/server/scripts.
2 Execute the following command.

    Windows: backup.bat <backup_directory>
    UNIX: backup.sh <backup_directory>

   where backup_directory indicates the path of the directory where the backup is to be stored.
3 Monitor the backup process to ensure that it runs successfully.

Cold Backup

Cold backups are performed after shutting down Native Directory.

Note: Data in the Native Directory database is synchronized with the data available in the Shared Services repository. Hyperion recommends that you back up the Shared Services repository along with the Native Directory database.

To back up Native Directory database:
1 Stop Native Directory service or process.
2 Copy <openldap_home> into a secure location.
Synchronizing Native Directory Database with the Shared Services Repository

The database configured with Shared Services stores information related to product registration. The Native Directory database contains provisioning data for all products. These databases work in tandem to support Hyperion products.

Data inconsistencies between the databases impact normal operations. Inconsistencies could occur during manual database update or database upgrades or in replicated Native Directory environments in which the Native Directory slave has taken over for a failed Native Directory master. (See "Setting Up Native Directory for High Availability and Failover" on page 94 for detailed information on Native Directory replication.)

To remove inconsistencies, the Native Directory database must be synchronized with the Shared Services database. The synchronization process uses the Shared Services database as the master database to resolve data inconsistencies. Messages (errors as well as information) related to the operation are recorded in the SharedServices_syncOpenLDAP.log file. See Chapter 10, "Troubleshooting."

To synchronize the Native Directory database with the Shared Services repository:
1 Launch User Management Console, as explained in "Launching User Management Console".
2 Select Administration > Sync Native Directory. The Sync Native Directory tab displays the status of the synchronization operation.
3 Optional: Click Refresh to update the status.
4 Optional: Click View Log to display a log file that details the operations that were performed during the synchronization process.

Recovering Native Directory Data

To enable SSO and provisioning, Native Directory must be running. If Native Directory service (Windows) or process (UNIX) fails, causing Native Directory to crash, you must recover the provisioning data before users can access Hyperion products, including Shared Services.
To recover provisioning data after a Native Directory crash:
1 Verify that the Native Directory service (Windows) or process (UNIX) is not running.
2 Open a command prompt (Windows) or console (UNIX) window.
3 Navigate to <openldap_home>\bdb\bin. For example, <Hyperion_Home>\SharedServices\<HSS_version>\openLDAP\bdb\bin (Windows) or <Hyperion_Home>/SharedServices/<HSS_version>/openLDAP/bdb/bin (UNIX).
4 Run the db_recover utility, using the following command:

    db_recover -h <Path_Native_Directory_data_file>

   For example:

    db_recover -h ../../var/openldap-data
   Where openldap-data indicates the name of Native Directory data file.
5 Monitor the utility to ensure that it runs successfully.
6 Restart the Hyperion S9 OpenLDAP service or process.
7 On the application server, restart Shared Services.

Setting Up Native Directory for High Availability and Failover

Native Directory high availability and failover can be achieved through various scenarios.
- "Out of the Box Deployment" on page 94
- "Cold Standby Deployment" on page 96
- "Hot Standby Deployment" on page 98

Out of the Box Deployment

The out of the box failover scenario involves establishing a master-slave relationship between two fully synchronized installations of Native Directory running on separate machines.

To set up a replicated Native Directory environment:
1 Install and configure Shared Services on two server machines (for example, machine1 and machine2). See the Hyperion Shared Services Installation Guide for instructions.
2 On the server machines, stop the Hyperion S9 OpenLDAP service or process.
3 On the master server (for example, machine1), create a directory (for example, C:\OpenLDAP\logs in Windows or /apps/openldap/logs in UNIX) to store the replication log files.
4 On the master server, update the <openldap_home>\slapd.conf file with the following directives.
   - replica directive:

    replica uri=ldap://<slave_host_name>:58089
     binddn="cn=replicator,dc=css,dc=hyperion,dc=com"
     bindmethod=simple credentials=security
     Where <slave_host_name> is the name of the slave host machine (for example, machine2). You can use the IP address of the slave host instead of the DNS name. You must specify one replica directive for each slave.

     Caution! The second and third lines of the replica directive must be preceded by at least one white space, to denote that the line is a continuation of the previous line.

   - replogfile directive:

    replogfile <path_to_sldap.replog>

     Examples:

    replogfile C:\\OpenLDAP\\logs\\sldap.replog (Windows)
    replogfile /apps/openldap/logs/sldap.replog (UNIX)

5 On the slave server (for example, machine2), update the <HSS_home>\openLDAP\slapd.conf file:
   a. Add an updatedn entry. The values and the binddn entry (in the master slapd.conf file) must be the same. Example:

    updatedn="cn=replicator,dc=css,dc=hyperion,dc=com"

   b. Add the following updateref entry that provides the URI to the Native Directory master.

    updateref ldap://<master_host_name>

      For example, updateref ldap://machine1. You can use IP address instead of the DNS name; for example, updateref ldap://
   c. Update the rootdn value to be identical to the updatedn (replicator) value:

    rootdn cn=replicator,dc=css,dc=hyperion,dc=com

6 Copy Native Directory data from the master server to the slave server. The default location of Native Directory data is <openldap_home>/var/openldap-data.
7 On the master server, update the CSS.xml file, which is located in the <HSS_home>\config. You should include the following slave definition immediately after the <native name="Native Directory"> declaration:

    <slaves>
      <slave>
        <url>ldap://<slave_host_name>:58089</url>
        <type>failover</type>
      </slave>
    </slaves>

   Where <slave_host_name> is the name of the slave server machine and the number after the colon is the Native Directory port.
8 On the master server and then on the slave server, start the Hyperion S9 OpenLDAP service or process.
9 On the master server, start the slurpd replication service or process by performing an action:
   - On Windows, execute the following command from a command prompt window.

    <openldap_home>\slurpd -f <master_slapd_config_file>

     Example:

    C:\Hyperion\SharedServices\9.3.1\OpenLdap\slurpd -f slapd.conf

   - On UNIX, execute the following command after navigating to <openldap_home>/usr/local/libexec:

    ./slurpd -f <openldap_home>/usr/local/etc/openldap/slapd.conf -t <openldap_home>/usr/local/var/openldap-slurp -d 1

     Example:

    ./slurpd -f /var/hyperion/sharedservices/9.3.1/openldap/usr/local/etc/openldap/slapd.conf -t /app/hyperion/sharedservices/9.3.1/openldap/usr/local/var/openldap-slurp -d 1

   Note: slurpd must always be running to synchronize data between the master and slave servers.

Cold Standby Deployment

In cold standby deployment (see following illustration), the primary environment consists of Shared Services (1) including Native Directory (2) and one or more Hyperion products (3). The standby environment consists of an inactive Native Directory (5) instance. The instances in primary and standby environments connect to a Native Directory database (6) hosted on the same physical hard drive that is dual attached to the primary and standby environments.

This deployment uses a hardware load balancer (4) to perform these tasks:
- Detect the failure of the Native Directory instance in the primary environment
- Start the Native Directory service (Windows) or process (UNIX) in the standby environment
- Route all requests to the standby Native Directory instance
Note: Native Directory in the standby environment handles all calls until the primary environment is brought back online and the load balancer is configured to route calls to the primary environment.

To deploy Native Directory for failover in cold standby mode:
1 Install Shared Services in the primary and standby environments. Refer to the Hyperion Shared Services Installation Guide for instructions.
2 Configure and deploy Shared Services in the primary environment. You need not configure or deploy Shared Services in the standby environment.
3 Verify that Hyperion S9 OpenLDAP service or process is running in the primary and secondary environments.
4 Stop the Hyperion S9 OpenLDAP service or process in the secondary environment.
5 Move Native Directory data to the shared drive or volume. This drive or volume must be visible to the computers hosting Native Directory instances in primary and secondary environments.
   a. Create the var/openldap-data directory structure to store Native Directory data.
   b. Move the contents of <openldap_home>/var/openldap-data from the primary environment to the var/openldap-data directory on the shared drive or volume.
6 Modify slapd.conf in both primary and secondary environments.
   a. Using a text editor, open <openldap_home>/slapd.conf.
   b. Modify the directory parameter so that it points to the directory where Native Directory data is stored on the shared drive.
   c. Save and close the files.
7 Configure the load balancer and monitoring application. The load balancer must host a monitoring application capable of checking if Native Directory is running in the primary environment. This can be achieved by using the LDAP ping mechanism or by using corporate process monitoring tools (for example, Tivoli and UniCenter).
   a. Configure the monitoring application to perform these tasks:
      - Use the following directive (embedded in a batch or shell file) to look for an active Native Directory instance in the primary environment.

    ldapsearch -H ldapurl cn=*

        For example:

    ldapsearch -H ldap://myserver:58089/dc=css,dc=example,dc=com cn=*

      - Using the following command, start Native Directory in the standby environment if Native Directory is not active in the primary environment. You must create custom scripts to start Native Directory.

    net start "Hyperion S9 OpenLDAP" (Windows)

   b. Configure the load balancer to reroute all requests to the standby environment upon detecting a failure in the primary environment. You can use DNS name or IP address redirection for this purpose. See documentation from the load balancer vendor for information on how to complete this step.
8 Start Hyperion S9 OpenLDAP service or process on primary and standby environments.
9 Test your deployment. A simple test would be to stop the Hyperion S9 OpenLDAP service or process in the primary environment. The monitoring application on the load balancer should restart the process or service in the standby environment.

Hot Standby Deployment

In hot standby deployment (see following illustration), the primary environment consists of Shared Services (1) including Native Directory (2), and one or more Hyperion products (3). The standby environment consists of an active Native Directory (5) instance. Each Native Directory instance connects to its own database (6).

A sync agent (7) backs up Native Directory in the primary environment and updates it in the standby environment to synchronize the databases at scheduled intervals. The sync agent is not a part of Hyperion software distribution. The sync agent is similar to a corporate scheduling agent or workflow tool that enables executing and monitoring jobs. Customers must use their own sync agent to initiate backup and restore processes.

Hot Standby Deployment uses a hardware load balancer (4) to perform these tasks:
- Detect the failure of the Native Directory instance in the primary environment
- Route all requests to the standby Native Directory instance upon detecting a failed instance in the primary environment.

Note: Native Directory in the standby environment handles all calls until the primary environment is brought back online and the load balancer is configured to route calls to the primary environment.

To deploy Native Directory for failover in hot standby mode:
1 Install Shared Services in the primary and standby environments. Refer to the Hyperion Shared Services Installation Guide for instructions.
2 Configure and deploy Shared Services in the primary environment. You need not configure or deploy Shared Services in the standby environment.
3 Verify that Hyperion S9 OpenLDAP service or process is running in the primary and secondary environments.
4 Configure the process monitoring application with the following directive to check if Native Directory service (Windows) or process (UNIX) is running in the primary environment:

    ldapsearch -H ldapurl cn=*

   For example:

    ldapsearch -H ldap://myserver:58089/dc=css,dc=example,dc=com cn=*

5 Configure the load balancer to reroute all requests to the standby environment on detecting a failure in the primary environment. You can use DNS name or IP address redirection for this purpose. See documentation from the load balancer vendor for information on how to complete this step.
6 Configure the sync agent (scheduler) to back up Native Directory data from the primary environment and to update the standby environment.
7 Test the configuration.

Migrating Native Directory

The Native Directory database stores security-related data. You must migrate Native Directory data as a part of migrating Shared Services. See Hyperion Shared Services Installation Guide for details.

Migration is the process of copying an application instance from one operating environment to another; for example, from development to testing or from testing to production. You use the Import/Export utility to migrate Native Directory.

To migrate Native Directory:
1 On the computer that hosts the source Shared Services server, perform the following actions:
   a. Install the Import/Export utility. See "Installing the Import/Export Utility" on page 105.
   b. Create the importexport.properties file. See "Preparing the Property File" on page 107.
   c. Execute the Import/Export utility to export Native Directory data into an export file. See "Running the Utility" on page 113.
   d. Verify that the export file has been created.
2 On the computer that hosts the target Shared Services server, perform the following actions:
   a. Stop Hyperion Shared Services OpenLDAP service or process.
   b. Back up <openldap_home>, for example, C:\Hyperion\SharedServices\9.3.1\openLDAP (Windows) or /app/hyperion/sharedservices/9.3.1/openldap (UNIX).
   c. Back up the Shared Services repository.
   d. Copy the export file from the computer that hosts the source Shared Services server.
   e. Install the Import/Export utility. See "Installing the Import/Export Utility" on page 105.
   f. Create the importexport.properties file or copy it from the computer that hosts the source Shared Services server. Ensure that the export file name matches the value of import.file property. See "Preparing the Property File" on page 107.
   g. Validate the export file. If any errors are indicated, fix them and validate the export file again until it is error free.
   h. Execute the Import/Export utility to import Native Directory data from the export file. See "Running the Utility".
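The replicated setup in Out of the Box Deployment only works when the master and slave slapd.conf files agree with each other. The following cross-check is an added example, not part of the Hyperion documentation or scripts; the function names are hypothetical, and it assumes DNs without embedded spaces and a POSIX shell with awk and find.

```shell
#!/bin/sh
# Added example, not a Hyperion script: cross-check the master and slave
# slapd.conf files edited in the replication procedure.
# Assumes DNs contain no spaces; all function names are hypothetical.

# Join continuation lines (lines that start with white space) and drop
# comments and blank lines, so each directive is on one logical line.
logical_lines() {
    awk '
        /^#/       { next }
        /^[ \t]*$/ { if (buf != "") print buf; buf = ""; next }
        /^[ \t]/   { buf = buf " " $0; next }
                   { if (buf != "") print buf; buf = $0 }
        END        { if (buf != "") print buf }
    ' "$1"
}

# directive_dn FILE KEY: print the first KEY value (updatedn, rootdn) in
# lower case, accepting "key dn", "key=dn" and quoted forms.
directive_dn() {
    logical_lines "$1" | awk -v key="$2" '
        !seen && tolower($1) ~ ("^" key "(=|$)") {
            sub(/^[^ \t=]+[ \t=]+/, ""); gsub(/"/, ""); sub(/[ \t]+$/, "")
            print tolower($0); seen = 1
        }'
}

# replica_binddns FILE: print the binddn of every replica directive.
replica_binddns() {
    logical_lines "$1" | awk '
        tolower($1) == "replica" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) ~ /^binddn=/) {
                    v = $i; sub(/^[^=]+=/, "", v); gsub(/"/, "", v)
                    print tolower(v)
                }
        }'
}

# has_directive FILE KEY: succeed when the directive is present.
has_directive() {
    logical_lines "$1" |
        awk -v key="$2" 'tolower($1) == key { f = 1 } END { exit !f }'
}

report() { echo "FINDING: $*"; findings=$((findings + 1)); }

# check_replication MASTER_CONF SLAVE_CONF
# Prints one line per finding; returns 0 only when there are none.
check_replication() {
    master=$1 slave=$2 findings=0

    # The guide's Caution: continuation lines of "replica" must be indented.
    bad=$(awk '/^(uri|binddn|bindmethod|credentials)=/ { printf "%s ", NR }' "$master")
    [ -z "$bad" ] || report "$master: replica arguments not indented on line(s) $bad"

    binds=$(replica_binddns "$master")
    [ -n "$binds" ] || report "$master: no replica directive with a binddn"
    has_directive "$master" replogfile || report "$master: replogfile missing"

    updatedn=$(directive_dn "$slave" updatedn)
    rootdn=$(directive_dn "$slave" rootdn)
    [ -n "$updatedn" ] || report "$slave: updatedn missing"
    for dn in $binds; do
        [ "$dn" = "$updatedn" ] ||
            report "master binddn '$dn' differs from slave updatedn '$updatedn'"
    done
    [ "$rootdn" = "$updatedn" ] ||
        report "$slave: rootdn '$rootdn' differs from updatedn '$updatedn'"
    has_directive "$slave" updateref || report "$slave: updateref missing"

    # The master file holds the replica credentials in clear text.
    [ -z "$(find "$master" -prune -perm -004)" ] ||
        report "$master: readable by all users but contains replica credentials"

    [ "$findings" -eq 0 ]
}

# Usage: sh check_replication.sh MASTER_SLAPD_CONF SLAVE_SLAPD_CONF
if [ "$#" -eq 2 ]; then check_replication "$1" "$2"; fi
```

Run it against copies of both files before starting slurpd; a mistyped DN component in rootdn or updatedn on the slave shows up as a mismatch finding.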
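The monitoring step in the cold standby and hot standby procedures asks for a custom batch or shell file around the ldapsearch probe. One way to write it, as an added example rather than a Hyperion-supplied script: it asks for failover only after several consecutive failed probes. FAIL_THRESHOLD, STATE_FILE and STANDBY_START_CMD are assumed names, and the probe assumes the directory answers an anonymous search and that the client tools support -o nettimeout.

```shell
#!/bin/sh
# Added example, not a Hyperion script: probe the primary Native Directory
# and decide when the standby should take over.

PRIMARY_URI=${PRIMARY_URI:-ldap://myserver:58089}   # host and port from the guide's example
BASE_DN=${BASE_DN:-dc=css,dc=example,dc=com}        # base DN from the guide's example
FAIL_THRESHOLD=${FAIL_THRESHOLD:-3}                 # assumption: misses in a row before failover
STATE_FILE=${STATE_FILE:-/var/tmp/native_directory_probe.count}  # hypothetical path
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}
STANDBY_START_CMD=${STANDBY_START_CMD:-}            # placeholder: path to your own start script

# Succeed when the primary answers a base-scope search. -l caps the search
# time and nettimeout caps the connection attempt, both at 5 seconds.
probe_primary() {
    "$LDAPSEARCH" -x -H "$PRIMARY_URI" -b "$BASE_DN" -s base \
        -l 5 -o nettimeout=5 'cn=*' >/dev/null 2>&1
}

# Print the stored number of consecutive failed probes (0 if the state
# file is missing, empty or corrupt).
read_failures() {
    n=$(cat "$STATE_FILE" 2>/dev/null) || n=0
    case $n in
        ''|*[!0-9]*) n=0 ;;
    esac
    echo "$n"
}

# Run one probe, update the counter and print the resulting state:
#   healthy   primary answered; counter reset
#   suspect   primary missed, fewer than FAIL_THRESHOLD times in a row
#   failover  primary has just missed FAIL_THRESHOLD times in a row
#   down      failover was already requested on an earlier run
evaluate() {
    if probe_primary; then
        echo 0 > "$STATE_FILE"
        echo healthy
        return 0
    fi
    n=$(( $(read_failures) + 1 ))
    echo "$n" > "$STATE_FILE"
    if [ "$n" -eq "$FAIL_THRESHOLD" ]; then
        echo failover
    elif [ "$n" -gt "$FAIL_THRESHOLD" ]; then
        echo down
    else
        echo suspect
    fi
}

main() {
    state=$(evaluate)
    echo "$(date '+%Y-%m-%dT%H:%M:%S') primary=$PRIMARY_URI state=$state"
    if [ "$state" = failover ] && [ -n "$STANDBY_START_CMD" ]; then
        # Cold standby shares one data directory between both instances, so
        # the start script should confirm that the primary process is really
        # stopped before it starts the standby.
        "$STANDBY_START_CMD"
    fi
}

# Schedule as: sh probe_primary.sh run
if [ "${1:-}" = run ]; then main; fi
```

In the hot standby layout leave STANDBY_START_CMD empty and use the logged state to drive the load balancer redirection instead.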
8 Managing Provisioning

In This Chapter
- Provisioning Users and Groups
- Deprovisioning Users and Groups
- Generating Provisioning Reports
- Importing and Exporting Native Directory Data

Provisioning Users and Groups

Provisioning is the process of granting roles from Hyperion applications to the users and groups that are available in the configured user directories. Provisioning is managed at the user or group levels by Provisioning Managers or Shared Services Administrators assigning one or more Hyperion application roles to a user or group. See "Provisioning (Role-Based Authorization)" on page 14 for detailed information on how provisioning works.

Note: Provisioning managers cannot modify their own provisioning data.

Tip: To facilitate administration, Hyperion recommends that you provision groups rather than users and that you use aggregated roles.

To provision users or groups:
1 Launch User Management Console, as explained in "Launching User Management Console".
2 Find a user or group to provision. See "Searching for Users, Groups, Roles, and Delegated Lists".
3 Right-click the user or group, and select Provision. The Provisioning tab is displayed.
4 Optional: Select a view. Roles can be displayed in a hierarchy (tree) or a list. You must drill down the hierarchy to display available roles. The list view lists all available roles but does not show their hierarchy.
5 Select one or more roles, and click Add. The selected roles appear in Selected Roles.
6. Click Save. A dialog box, which indicates that the provisioning process is successful, is displayed.
7. Click OK.

Deprovisioning Users and Groups

Deprovisioning removes all the roles that the user or group is assigned from an application. Shared Services administrators can deprovision roles from one or more applications. Provisioning managers of applications can deprovision roles from their applications. For example, assume that the group Sales_West is provisioned with roles from Planning and Financial Management. If this group is deprovisioned by a Planning Provisioning Manager, only the roles from Planning are removed.

To deprovision users or groups:
1. Launch User Management Console, as explained in Launching User Management Console.
2. Find a user or group to deprovision. See Searching for Users, Groups, Roles, and Delegated Lists.
3. Right-click the user or group, and select Deprovision. The Deprovision tab is displayed.
4. Select one or more applications, or select all available applications by selecting Check All.
5. Click OK.
6. Click OK in the confirmation dialog box.
7. Click OK in the Deprovision Summary screen.

Generating Provisioning Reports

Shared Services Administrators and Provisioning Managers can use the reporting capabilities of User Management Console to review the provisioning data of users, groups, and roles. Provisioning reports can contain information on users and groups assigned to roles from selected applications and roles from selected applications assigned to one or more users.

Provisioning reports enable administrators to review the access rights and permissions granted to users and groups across Hyperion applications. Thus, provisioning reports are useful audit tools for tracking user access for compliance reporting.

To generate provisioning reports:
1. Launch User Management Console, as explained in Launching User Management Console.
2. In the Object Palette, select a user, group, or role. See Searching for Users, Groups, Roles, and Delegated Lists.
3. Select Administration > View Report.
4. Enter report generation parameters.

Table 15: View Report Screen

| Label | Description |
|---|---|
| Find All | Select the object type (user, group, or role) for which the report is to be generated. |
| For User or For Role | The label of this field changes depending on what is selected in Find All. Enter the name of the user, group, or role for which the report is to be generated. Use * (asterisk) as the wildcard to specify a pattern. |
| Show Effective Roles | Select Yes to report on all effective roles (inherited as well as directly assigned). Inherited roles (as opposed to directly assigned roles) are assigned to groups to which the user or group belongs. Select No to report on only directly assigned roles. |
| Group By | Select how to group the data in the report. Available grouping criteria depend on the selection in Find All. |
| In Application | Select the applications from which provisioning data is to be reported or select Select All to report on all applications. Note: You can report only on the applications belonging to a project. |

5. Click Create Report. The report is displayed on the Provision Report tab.
6. To print the report:
   a. Click Print Preview. The report is displayed in the View Report window.
   b. Click Print.
   c. Select a printer, and click Print.
   d. Click Close.

Importing and Exporting Native Directory Data

This section contains the following topics:
- Overview on page 104
- Use Scenarios on page 104
- Installing the Import/Export Utility on page 105
- Before Starting Import/Export Operations on page 106
- Sample importexport.properties File on page 106
- Preparing the Property File on page 107
- Product Codes on page 111
- Considerations for Setting Filters on page 112
- Sequence of Operations on page 107
- Preparing the Property File on page 107
- Considerations for Setting Filters on page 112
- Prerequisites for Running Import/Export Utility from a Remote Host on page 113
- Running the Utility on page 113
- Import File format on page 114
  - XML File Format on page 114
  - CSV File Format on page 118

Overview

The Import/Export utility, a standalone, command-line utility, is primarily a tool to manage provisioning by facilitating the bulk-provisioning of users and groups with Hyperion product roles. It allows Shared Services Administrators to use an XML or CSV file as the source file to create Native Directory users, groups, and provisioning information.

Shared Services Administrators can use the Import/Export utility to export, import, and validate data related to various entities:
- Users
- Groups and their relationships
- Roles and their relationship with other roles
- User and group provisioning data
- Delegated lists
- Internal identities of users and groups defined in Native Directory

The utility can be used to export data from a source Native Directory into an export file, which can then be updated and imported into a target Native Directory. This utility cannot be used to import data into external user directories. Hyperion recommends that you run the utility on the computer that hosts Shared Services.

You can use the Import/Export utility to create, update, replace, and delete users, groups, and roles that originate from Native Directory. You can also use it to modify groups and role relationships. The utility also validates the quality of the files used for import operations.

Components of the Import/Export utility:
- Batch (Windows) or shell (UNIX) file to invoke the operation
- Properties file to configure the utility
- Sample XML data file
- Sample CSV (comma-separated values) data file

Use Scenarios

- Move Provisioning Data Across Environments
- Manage Users and Groups in Native Directory on page 105
- Bulk Provision Users and Groups on page 105

Move Provisioning Data Across Environments

Shared Services Administrators can use the Import/Export utility to move users, groups, and provisioning data across environments, for example from a development environment to a production environment. Moving data across environments involves these steps:
- Exporting the data from the source environment into an XML or CSV file
- Modifying the XML or CSV file, if needed
- Validating the updated XML or CSV file
- Importing the XML or CSV file into the target environment

Manage Users and Groups in Native Directory

Shared Services Administrators can create an XML or CSV file containing user and group data, which can then be imported into a target Native Directory to manage users and groups. Bulk creation of users and groups involves these steps:
- Creating a properly formatted XML or CSV file that defines users and groups. See Preparing the Property File on page 107.
- Validating the XML or CSV file
- Importing the XML or CSV file into the target environment

Bulk Provision Users and Groups

Shared Services Administrators can bulk-provision users and groups using the Import/Export utility. Bulk provisioning involves these steps:
- Exporting the data from Native Directory into an XML or CSV file or creating a properly formatted XML or CSV file
- Modifying the XML or CSV file to include information on role assignment to users and groups
- Validating the XML or CSV file
- Importing the XML or CSV file back into the Native Directory to update it

Installing the Import/Export Utility

An archive containing the utility is installed into <Hyperion_Home>/common/utilities/CSSImportExportUtility. Extract the contents of the archive into a directory to which the user who performs the import/export operation has read, write, and execute permissions. The extraction process creates the importexport directory and copies the required files into it. This directory is referred to as <ImpEx_home> in this discussion.

Before Starting Import/Export Operations

- Create a backup of the source Native Directory by exporting data to an LDAP Data Interchange File (LDIF).
- Ensure that all user directories configured in Shared Services (including Native Directory) are running.
- Ensure that Shared Services is running.
- If you are running the Import/Export utility from a server that does not host Shared Services, verify that the prerequisites indicated in Prerequisites for Running Import/Export Utility from a Remote Host on page 113 are met.

Sample importexport.properties File

    #import export operations
    importexport.css=file:/c:/hyperion/deployments/tomcat5/sharedservices9/config/css.xml
    importexport.cmshost=localhost
    importexport.cmsport=58080
    importexport.username=admin
    importexport.password={css}mrcyv323uzxgr8rfdvqlca==
    importexport.enable.console.traces=true
    importexport.trace.events.file=trace.log
    importexport.errors.log.file=errors.log
    importexport.locale=en
    # importexport.ssl_enabled = true

    # export operations
    export.fileformat=xml
    export.file=c:/exportnew.xml
    export.internal.identities=true
    export.native.user.passwords=true
    export.provisioning.all=true
    export.delegated.lists=false
    export.user.filter=*@Native Directory
    export.group.filter=*@Native Directory
    export.role.filter=*
    export.producttype=hub
    #export.provisioning.apps=(hub=global Roles)

    # import operations
    import.fileformat=xml
    import.file=c:/exportnew.xml
    import.operation=update
    import.failed.operations.file=c:/failed.xml
    import.maxerrors=0
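
The following pre-run check of an importexport.properties file is an added example, not part of the guide or of the Import/Export utility. It flags the settings in the sample that affect credentials, transport, and the scope of an export or import; the function names, the constructed sample, and the wording of the findings are assumptions of this example.

```python
# Constructed sample, not a real configuration: the guide's sample file with
# a plain text password and a user filter that names no directory.
SAMPLE = """\
#import export operations
importexport.cmshost=localhost
importexport.cmsport=58080
importexport.username=admin
importexport.password=Welcome1
importexport.enable.console.traces=true
importexport.trace.events.file=trace.log
# importexport.ssl_enabled = true

# export operations
export.file=c:/exportNew.xml
export.native.user.passwords=true
export.user.filter=*
export.group.filter=*@Native Directory

# import operations
import.operation=delete
"""

IMPORT_RISK = {  # wording follows the guide's description of each option
    "update": "group, role, and provisioning relationships are replaced",
    "delete": "users, groups, roles and their relationships are deleted",
}


def parse_properties(text):
    """Parse the subset of Java .properties syntax the sample file uses:
    '#' or '!' comments, key=value or key:value, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        # Split at the first '=' or ':' so values such as file:/c:/... survive.
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0),
                  default=len(line))
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def audit(props):
    """Return (property, finding) pairs for settings worth a second look."""
    findings = []
    password = props.get("importexport.password", "")
    # The guide's sample shows the stored form with a {CSS} prefix; anything
    # else is treated here as a password typed in plain text.
    if password and not password.upper().startswith("{CSS}"):
        findings.append(("importexport.password",
                         "password is stored in plain text in this file"))
    if props.get("importexport.ssl_enabled", "").lower() != "true":
        findings.append(("importexport.ssl_enabled",
                         "SSL is not enabled for the connection to Shared Services"))
    if props.get("export.native.user.passwords", "").lower() == "true":
        findings.append(("export.native.user.passwords",
                         "export file will hold users' encrypted passwords: "
                         + props.get("export.file", "<export.file not set>")))
    for key in ("export.user.filter", "export.group.filter"):
        value = props.get(key)
        if value is not None and "@" not in value:
            findings.append((key, "no user directory named; applies only to the "
                                  "first directory where the filter matches"))
    if (props.get("importexport.enable.console.traces", "").lower() == "true"
            or props.get("importexport.trace.events.file")):
        findings.append(("importexport.trace.events.file",
                         "tracing is on; the guide advises it only for debugging"))
    operation = props.get("import.operation", "").lower()
    if operation in IMPORT_RISK:
        findings.append(("import.operation", IMPORT_RISK[operation]))
    return findings


if __name__ == "__main__":
    for key, finding in audit(parse_properties(SAMPLE)):
        print(f"{key}: {finding}")
```
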

Sequence of Operations

1. Preparing the Property File on page 107
2. Exporting the data into an export file. See Running the Utility on page 113.
3. (Optional) Modifying the data in the export file. See XML File Format on page 114 and CSV File Format on page 118.
4. Validating the import file. See Running the Utility on page 113.
5. Importing the data. See Running the Utility on page 113.

Preparing the Property File

The importexport.properties file is a Java properties file that the Import/Export utility uses during runtime to identify the system components to use for the operation. The importexport.properties file contains three sections:
- Import export operations: The settings in this section are used during import and export operations. These settings identify the Shared Services instance and the user credentials.
- Import operations: This section contains the parameters for import operations.
- Export operations: This section contains the parameters for export operations.

To prepare the importexport.properties file:
1. Make a backup copy of the importexport.properties file. This file is available in the <ImpEx_home>/samples directory; for example, C:\hyperion\common\utilities\CSSImportExportUtility\importexport\samples (Windows) or apps/hyperion/common/utilities/cssimportexportutility/importexport/samples (UNIX).
   Note: Hyperion recommends that the importexport.properties file used for the operation be stored in <ImpEx_home>.
2. Using a text editor, open the importexport.properties file. See Sample importexport.properties File.
3. Update properties. Typically, you should update the properties in import export operations and one other section, depending on the operation you want to perform:
   - Update import operations to import data into Native Directory or to validate an import file.
   - Update export operations to export data into an .xml or .csv file.

Table 16: Properties for Import Export Operations

import export operations

| Property | Description |
|---|---|
| importexport.css | The URI where the Shared Services configuration file is stored. For import operations, use the configuration file of the Shared Services instance that manages the Native Directory instance into which data is to be imported. For export operations, use the configuration file of the Shared Services instance that manages the Native Directory instance from which data is to be exported. Note: The CSS.xml file used by Shared Services server is preferred. However, a local copy in any directory can be used. Examples: getcssconfigfile (Note: If Shared Services is deployed in an SSL-enabled environment, specify the secure URL), file:/<hss_home>/config/css.xml |
| importexport.cmshost | The DNS name or IP address of the machine that hosts Shared Services. Example: myserver |
| importexport.cmsport | The Shared Services port number. |
| importexport.username | User account with which to access Shared Services. This user must be able to perform update operations in Native Directory. Example: admin |
| importexport.password | Password of the user identified in importexport.username. The utility encrypts this password if you enter a plain text password. Example: password |
| importexport.enable.console.traces | Indicates whether trace information should be displayed in the console where the Import/Export utility is executed. Set this property to true to display trace information in the console. Example: true |
| importexport.trace.events.file | The name and location of the trace log file. If you do not plan to capture trace information in a file, do not set this value. Example: impextrace.log |
| importexport.errors.log.file | The name and location of the error log file that should capture information on failed transactions during the import or export operation. Note: Import/Export utility does not create the error log if you do not specify a file name. Example: impexerror.log |
| importexport.locale | Locale (two-letter language code) to use for the operation. Supported locales are en, fr, it, de, es, pt_br, nl, ja, ko, zh_cn, zh_tw, ru, tr. The utility attempts to retrieve only data in the specified locale. If data in the specified locale is not available, Native Directory data in the default locale of the server where the utility is run is exported or imported. Example: en |
| importexport.ssl_enabled | Indicates if the import/export operation uses SSL connection. Set the value of this property to true for SSL connections. Example: true. Note: If using SSL connection, make sure that the value of importexport.cmsport indicates the SSL port where Shared Services is available. |

export operations

| Property | Description |
|---|---|
| export.fileformat | The format of the export file. You can export data into XML or CSV files. Example: xml |
| export.file | Location of the file into which the data is to be exported. Import/Export utility creates the file as part of the export process. Example: C:/hyperion/common/utilities/CSSImportExportUtility/importexport/export.xml |
| export.internal.identities | Indicates whether to export the internal identities of Native Directory users and groups. Internal identity, a component of user and group DN, is unique to each user and group. Shared Services uses an auto-generated identifier as the internal identity. Hyperion products utilize the DN for provisioning purposes. Provisioning information becomes invalid if internal identity is not available, or if it was changed. If you are migrating users from one system to another, you must export the internal identity of users and groups to preserve provisioning information. Example: true |
| export.native.user.passwords | Indicates whether to export the encrypted passwords of the Native Directory users. Note: You cannot perform the CREATE import operation if passwords are not specified in the source file. Example: true |
| export.provisioning.all | Indicates whether to export all provisioning data. Set this property to false to export a subset of the provisioning data by using these properties in tandem: export.projectnames, export.applicationnames. Alternatively, you can select a subset by setting export.provisioning.apps. Note: The values of these properties are ignored if export.provisioning.all is set to true. Example: true |
| export.delegated.lists | Indicates whether to export delegated lists. Example: true |
| export.user.filter | (Optional.) Filter to use to select users for export. See Considerations for Setting Filters on page 112. Example: * |
| export.group.filter | (Optional.) Filter to use to select groups for export. See Considerations for Setting Filters on page 112. Example: * |
| export.role.filter | (Optional.) Filter to use to select roles for export. See Considerations for Setting Filters on page 112 for more information. Example: * |
| export.producttype | (Optional.) A comma-separated list of product types for which roles are to be exported (must be specified as <product code>-<product version>). See Product Codes on page 111. Example: HAVA |
| export.provisioning.apps | A list of applications (in (projectname=application name) format) from which provisioning data is to be exported. Application names are listed in the User Management Console. Example: ((Planning_Project=Planning_Application_Name)(Hyperion_BI+_Project_Name=Hyperion System 9 BI+ Application1)) |

import operations

| Property | Description |
|---|---|
| import.fileformat | The format of the import file. You can import data from XML or CSV files. Example: xml |
| import.file | Location of the file to import or validate. You can import data from XML or CSV files created through an export operation. If you manually create the file, be sure to format it correctly. Use the sample CSV and XML files available in <ImpEx_home>/samples as reference. Example: C:/hyperion/common/utilities/CSSImportExportUtility/importexport/import.xml |
| import.operation | The option for the import operation. Valid options are: create (users, groups, and roles are created; group, role, and provisioning relationships are augmented), update (users, groups, and roles are updated; group, role, and provisioning relationships are replaced), create/update (a create operation is attempted on each entity in the file; if the operation fails, an update operation is attempted), delete (deletes users, groups, and roles; group, role, and provisioning relationships are deleted). Example: create |
| import.failed.operations.file | The name and location of the file where the Import/Export utility should record information on failed transactions. Example: impfailedops.log |
| import.maxerrors | (Optional.) The maximum number of allowable errors during the import operation. The import operation aborts after the limit is reached. |

4. Save and close the file.

Product Codes

Table 17: Hyperion Product Codes

| Product Code | Product Name |
|---|---|
| EDS | Analytic High Availability Services |
| ESB | Essbase Server |
| ESBAPP | Essbase Application |
| ESVP | Oracle's Hyperion Smart View for Office |
| HAVA | Reporting and Analysis |
| HBR | Oracle's Hyperion Business Rules |
| HFM | Financial Management |
| HP | Planning |
| HPS | Oracle's Hyperion Performance Scorecard System 9 |
| HSF | Oracle's Hyperion Strategic Finance |
| HTM | Oracle's Hyperion Translation Manager |
| HUB | Shared Services |

Considerations for Setting Filters

The Import/Export utility uses the settings specified in importexport.properties to identify the components (Shared Services, Native Directory, and other user directories) to use for the import or export operation.

During an export operation, the Import/Export utility exports users, groups, and roles based on the filters set for each. The filters are independent of each other.

If a user directory is not specified in the export.user.filter or export.group.filter value, the filter is applicable to only the user directory where the filter condition is first encountered; other user directories are ignored. User directories are searched (encountered) in the order specified in the Shared Services configuration file (CSS.xml). Because roles are available only in Native Directory, directory specification is irrelevant to role filters.

Note: If a filter is not specified, data is not exported. *, which is the default filter, exports all data.

Examples:
- Setting the value of export.user.filter, export.group.filter, and export.role.filter to k*@Native Directory exports all Native Directory users, groups, and roles that have names starting with k.
- Setting the value of export.user.filter, export.group.filter, and export.role.filter to * exports all users and groups from the first user directory in the search order (see Managing User Directory Search Order on page 54) and all roles from Native Directory.
- To export users and groups from a specific user directory, set the value of export.user.filter and export.group.filter to specify the user directory. For example, to export all users and groups from an LDAP-enabled user directory called LDAP-West, set the value of these filters to *@LDAP-West.

While updating importexport.properties, you can specify how you want to access trace information.
You can view trace information in the console where the Import/Export utility is executed, store the information in a trace log file, or choose not to generate trace information. You can also view trace information in the console and record it in a file.
The trace log file can be voluminous. Generate a trace file only if you need to debug the import or export operation. Use the information in the error log to identify failed transactions in the trace file.

Note: Generating trace information will impact the performance of the Import/Export utility.

Prerequisites for Running Import/Export Utility from a Remote Host

If the Import/Export utility is being run from a remote host that does not host Shared Services server:
- Verify that Sun JDK 1.5 is installed on the machine from which the Import/Export utility is run.
- Update the JAVA_HOME declaration in the CSSExport, CSSImport, and CSSValidate batch files (Windows) or scripts (UNIX) with the location of Sun JDK 1.5 on the machine from which the Import/Export utility is run.

Running the Utility

The Import/Export utility comprises three batch files (Windows) or scripts (UNIX):
- CSSExport
- CSSImport
- CSSValidate

Before running the utility, verify that Shared Services is running.

To run the Import/Export utility:
1. Open a command prompt (Windows) or console (UNIX) window.
2. Navigate to <ImpEx_home>, for example, C:\hyperion\common\utilities\CSSImportExportUtility\importexport (Windows) or apps/hyperion/common/utilities/cssimportexportutility/importexport (UNIX).
3. Execute a command:
   - To export data, run CSSExport.bat importexport.properties (Windows) or CSSExport.sh importexport.properties (UNIX)
   - To import data, run CSSImport.bat importexport.properties (Windows) or CSSImport.sh importexport.properties (UNIX)
   - To validate data, run CSSValidate.bat importexport.properties (Windows) or CSSValidate.sh importexport.properties (UNIX)

   Note: If the importexport.properties file is not in the directory from which the command is being executed, be sure to use the appropriate path in the commands.

Summary information about the operations is displayed in the console. If transactions fail, review the error log and trace log to determine the cause of the problem and make necessary corrections.

Import File format

The import source file can be an XML file or a CSV file.
- XML File Format on page 114
- CSV File Format on page 118

XML File Format

The data to be imported or validated using the Import/Export utility can be formatted using XML elements and attributes.

Sample XML file:

    <?xml version="1.0" encoding="utf-8"?>
    <css_data>
        <user id="test1" provider="Native Directory">
            <login_name>test1</login_name>
            <first_name>test</first_name>
            <last_name>user1</last_name>
            <description>test user 1</description>
            <email>[email protected]</email>
            <internal_id>39e706a46ad531be:-49fd959f: bb52e:-8000</internal_id>
            <password>{sha}d1e0scevjhynl3ukawdcwrjcg4=</password>
        </user>
        <group id="mygroup01" provider="Native Directory">
            <name>mygroup01</name>
            <description>mygroupdescr</description>
            <internal_id>39e706a46ad531be:-48fd959f: bb52e:-8000</internal_id>
        </group>
        <group_members group_id="g1">
            <group id="connect" provider="orcl">
                <name>connect</name>
            </group>
            <user id="myuser" provider="orcl">
                <login_name>myuser</login_name>
            </user>
        </group_members>
        <role id="administrator" product_type="hub-9.0.0">
            <name>administrator</name>
            <description>have unrestricted access</description>
        </role>
        <role_members role_id="administrator" product_type="hub-9.0.0">
            <role id="provisioning Manager" product_type="hub-9.0.0">
                <name>provisioning Manager</name>
            </role>
        </role_members>
        <provision project_name="hub" application_name="global Roles">
            <roles>
                <user id="test1" provider="Native Directory">
                    <login_name>test1</login_name>
                </user>
                <role id="administrator" product_type="hub-9.0.0">
                    <name>administrator</name>
                    <description>complete access</description>
                </role>
            </roles>
        </provision>
        <delegated_list id="test2">
            <name>test2</name>
            <description>List description</description>
            <manager>
                <user id="admin" provider="Native Directory">
                    <login_name>admin</login_name>
                </user>
            </manager>
            <user id="admin" provider="Native Directory">
                <login_name>admin</login_name>
            </user>
            <group id="g1" provider="Native Directory">
                <name>g2</name>
            </group>
        </delegated_list>
    </css_data>

Table 18: XML Schema for Import Files

| Element | Attribute | Description and Example |
|---|---|---|
| css_data | | Root element of the file (a container for all other elements). |
| user | | A container for attributes of a user. |
| user | id | A unique user id on the user directory (typically, the same as login_name). Example: pturner |
| user | provider | Name of the source user directory. Example: Native Directory |
| user | login_name | Login name of the user. Example: pturner |
| user | first_name | First name of the user. Example: Paul |
| user | last_name | Last name of the user. Example: Turner |
| user | description | User description. Example: Administrative User |
| user | email | Email address of the user. |
| user | internal_id | The auto-generated internal identity of the Native Directory user. Example: 911 |
| user | password | Encrypted password of the user. Example: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g= |
| group_members | | A container for the definitions of groups that contain subgroups or users. |
| group_members | group_id | Name of the nested group. Example: test-group |
| group | | A container for group attributes. |
| group | id | Group identifier. Same as group name. Example: testgroup |
| group | provider | Source user directory for the group. Example: LDAP-West |
| group | name | Group name. Example: testgroup |
| group | description | Group description. Example: Test group |
| group | internal_id | The auto-generated internal identity of the Native Directory group. Example: 611 |
| role | | A container for the attributes of a role. |
| role | id | Unique role identifier. Example: Basic User |
| role | product_type | Product type to which the role belongs (specified as <product code>-<product version>). Example: HAVA |
| role | name | Unique role name. Example: Basic User |
| role | description | Role description. Example: Launch and view business rules and objects. |
| role_members | | A container for attributes of aggregated roles. |
| role_members | id | Unique role identifier. Example: Basic User |
| role_members | product_type | Product type to which the role belongs (specified as <product code>-<product version>). Example: HAVA |
| role_members | name | Unique role name. Example: Basic User |
| provision | | A container for provisioning information for a project-application combination. This element contains a definition for each user and/or group who is provisioned to a role in a specific application that belongs to a project. |
| provision | project_name | The project to which the application belongs. Example: Business Rules |
| provision | application name | The application to which the role belongs. Example: local host |
| Delegated List | | Container for delegated lists. The users and groups that are managed through a list must also be defined within this container. |
| Delegated List | id | Unique list identifier, typically the same as the delegated list name. Example: Basic User |
| Delegated List | name | Name of the delegated list. Example: MyList1 |
| Delegated List | description | List description. Example: Delegated list for application creators |
| Delegated List | manager | Users and groups who manage the list. Each manager definition may contain user and group definitions. The provider identified must be the user directory that contains the manager's account. |

CSV File Format

The CSV file format is a tabular data format that contains fields separated by commas and enclosed in double quotation marks. The Import/Export utility supports only Excel-compliant CSV files. The CSV files that Excel outputs differ from the standard CSV files:
- Leading and trailing white space is significant.
- Backslashes are not special characters and do not escape anything.
- Quotes inside quoted strings are escaped with double quotes rather than backslashes.

Excel converts data before putting it in CSV format. Conversions that Excel performs on CSV files:
- Tabs are converted to single spaces.
- New lines are always represented as the UNIX new line ("\n").
- Numbers greater than 12 digits are represented in truncated scientific notation form.

The Import/Export utility categorizes the CSV file into the following entities:
- User
- Group
- Role
- Group_children
- Role_children
- Provisioning
- Delegated list

Each section is identified by two mandatory lines: entity and header. The entity line is identified by a predefined entity name preceded by the # character. The header line follows the entity line. The header line is a comma-separated list of predefined attributes for the entity. The order of attributes in the header line is not significant. However, the data lines, which follow the header line, must present data in the order in which the header line presents attributes. If data is not to be specified, use a comma to indicate that a value is not to be set. The entity line, header line, and data lines provide the information required for processing.

Boundaries applied to create, update, and delete operations on CSV files:
- Users, groups, and roles are processed one data line at a time.
- Group members are processed with multiple data lines under one header and one parent group.
- Role members are processed with multiple data lines under one header and one parent role.
- User provisioning is processed with multiple data lines under one header and one group or user.

Error handling is based on the process boundaries. One error is counted for each failure in a process boundary.
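
The entity line, header line and data line layout described above can be checked before an import with a short reader. This is an added example, not the utility's own parser: it reads the sections, rejects data lines whose field count does not match the header, and lists plain text passwords and role grants with the users who inherit them through nested groups. It assumes that in group_children rows the id column names the containing group, as in the guide's sample files; the function names and the constructed input are hypothetical.

```python
import csv
import io

# Entity names as they follow "#" in the guide's sample CSV file.
ENTITIES = ("user", "group", "role", "group_children", "role_children",
            "provisioning", "delegated_list")

# Constructed input, not a real export: a repeated #group_children section,
# empty optional fields, an Excel-style doubled quote, a plain text password
# and one data line that is a field short.
SAMPLE = """\
#user
id,provider,login_name,first_name,last_name,description,email,internal_id,password
admin,Native Directory,admin,admin,none,"The ""root"" account",,911,{SHA}constructed=
jdoe,Native Directory,jdoe,John,Doe,,,912,Welcome1
#group
id,provider,name,description,internal_id
G1,Native Directory,G1,,611
G2,Native Directory,G2,,612
#group_children
id,group_id,group_provider,user_id,user_provider
G1,,,jdoe,Native Directory
#group_children
id,group_id,group_provider,user_id,user_provider
G2,G1,Native Directory,,
G2,,,asmith
#provisioning
project_name,application_name,role_id,product_type,user_id,user_provider,group_id,group_provider
HUB,Global Roles,Administrator,HUB-9.0.0,,,G2,Native Directory
"""


def parse_sections(text):
    """Return (sections, errors); sections maps entity -> list of row dicts."""
    sections = {name: [] for name in ENTITIES}
    errors, entity, header = [], None, None
    # csv's default "excel" dialect follows the rules the guide lists: quotes
    # are doubled, backslash is ordinary, surrounding white space is kept.
    reader = csv.reader(io.StringIO(text, newline=""))
    for row in reader:
        if not row:
            continue
        if row[0].startswith("#") and not any(row[1:]):
            entity, header = row[0][1:], None      # entity line
            if entity not in sections:
                errors.append((reader.line_num, f"unknown entity {entity!r}"))
                entity = None
        elif entity is None:
            errors.append((reader.line_num, "data outside a known section"))
        elif header is None:
            header = row                            # header line
        elif len(row) != len(header):
            errors.append((reader.line_num,
                           f"{entity}: expected {len(header)} fields, got {len(row)}"))
        else:
            sections[entity].append(dict(zip(header, row)))
    return sections, errors


def members(group, children, seen=None):
    """Users reachable from a group through nested groups (cycle-safe).
    Assumption: 'id' names the containing group, as in the guide's sample."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for row in children:
        if row.get("id") != group:
            continue
        if row.get("user_id"):
            users.add(row["user_id"])
        if row.get("group_id"):
            users |= members(row["group_id"], children, seen)
    return users


def review(sections):
    """Findings to read before the file is imported."""
    findings = []
    for user in sections["user"]:
        password = user.get("password", "")
        if password and not password.upper().startswith("{SHA}"):
            findings.append(f"user {user.get('id')}: plain text password in file")
    for grant in sections["provisioning"]:
        target = grant.get("user_id") or "group " + grant.get("group_id", "")
        line = (f"{grant.get('role_id')} on {grant.get('project_name')}/"
                f"{grant.get('application_name')} -> {target}")
        if not grant.get("user_id"):
            inherited = sorted(members(grant.get("group_id"), sections["group_children"]))
            line += f" (inherited by: {', '.join(inherited) or 'nobody'})"
        findings.append(line)
    return findings
```
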

Sample CSV file:

    #user
    id,provider,login_name,first_name,last_name,description,email,internal_id,password
    admin,Native Directory,admin,admin,none,Administrative User,,911,{SHA}**=
    MyDemoTest,Native Directory,MyDemoTest,admin,none,Administrative User,-,MyDemoTest222,{SHA}**
    #group
    id,provider,name,description,internal_id
    G1,Native Directory,G1,,39e71be:-4859f:11252e:-8000
    WORLD,Native Directory,WORLD,All users are members of this group,611
    #group_children
    id,group_id,group_provider,user_id,user_provider
    G1,CONNECT,orcl,,
    G1,,,myUser,orcl
    #group_children
    id,group_id,group_provider,user_id,user_provider
    G2,G1,Native Directory,,
    #group_children
    id,group_id,group_provider,user_id,user_provider
    G2Test,,,,
    #group_children
    id,group_id,group_provider,user_id,user_provider
    G3,G2,Native Directory,,
    #role
    id,product_type,name,description
    Administrator,HUB-9.0.0,Administrator,Administrators have unrestricted access
    #role_children
    id,product_type,role_id,member_product_type
    Administrator,HUB-9.0.0,Provisioning Manager,HUB
    #provisioning
    project_name,application_name,role_id,product_type,user_id,user_provider,group_id,group_provider
    HUB,Global Roles,Administrator,HUB-9.0.0,TestUser1,Native Directory,,
    #delegated_list
    id,name,description,manager_id,manager_provider,user_id,user_provider,group_id,group_provider
    test2,test2,testdescription,admin,Native Directory,admin,Native Directory,,
    test2,test2,testdescription,admin,Native Directory,,,G2,Native Directory

Tables containing attribute descriptions:
- Table 19, User Entity Attributes, on page 120
- Table 20, Group Entity Attributes, on page 121
- Table 21, Role Entity Attributes, on page 122
- Table 22, Group_Children Entity Attributes, on page 122
- Table 23, Role_Children Entity Attributes, on page 123
- Table 24, Provisioning Entity Attributes, on page 123
- Table 25 on page 124

The following user delineation in an import CSV file can be used to create the user Test_1 in a Native Directory with the login name Test_1, first name New1, last name User1, description Test User, e-mail id [email protected], internal id 39e706a46ad531be:-48fd959f:112005bb52e:-8001, and encrypted password mypwd:

    id,provider,login_name,first_name,last_name,description,email,internal_id,password
    Test_1,,Test_1,New1,User1,Test User,[email protected],39e706a46ad531be:-48fd959f:112005bb52e:-8001,mypwd

Note: The utility encrypts plain text passwords specified in the import file.

Table 19: User Entity Attributes

| Attribute | Description and Example |
|---|---|
| id | A user id. Example: admin |
| provider | (Optional.) Name of the source user directory. Example: Native Directory |
| login_name | Login name of the user. Example: admin |
| first_name | (Optional.) First name of the user. Example: admin |
| last_name | (Optional.) Last name of the user. Example: none |
121 Attribute description emai interna_id password Description and Exampe (Optiona.) User description Exampe: Administrative User (Optiona.) Emai address of the user Exampe: The auto-generated interna identity of the Native Directory user. Exampe: 911 The password of the user. Exampe: password The foowing group deineation in an import CSV fie can be used to create the WORLD in a Native Directory with the group id WORLD, description Contains a users, and interna id 611: id,provider,name,description, interna_id WORLD,,WORLD,Contains a users,611, Tabe 20 Attribute id Group Entity Attributes Description and Exampe Group identifier Exampe: testgroup provider name description interna_id Source user directory for the group Exampe: LDAP-West Group name Exampe: testgroup (Optiona.) Group description Exampe: Test group The auto-generated interna identity of the Native Directory group. Exampe: 911 The foowing roe deineation in an import CSV fie can be used to create an aggregated roe in Native Directory with roe id Designer_rep for product hava (Reporting and Anaysis, version 9.3.1), roe name Designer_rep, and description Report Designer. Product type indicates the product to which the aggregated roe beongs. id,product_type,name,description Designer_rep,hava 9.3.1,Designer_rep,Report Designer Importing and Exporting Native Directory Data 121
Table 21 Role Entity Attributes
Attribute | Description and Example
id | Role identifier. Example: Basic User
product_type | Product type (specified as <product code>-<product version>) to which the role belongs. Example: HBR
name | Role name. Example: Basic User
description | (Optional) Role description. Example: Launch and view Business rules and objects.

The following child group delineation in an import CSV file can be used to create the nested group childgp1 with group id childgp1. User member of this group is Test1. Both the user and group are defined in Native Directory:

id,group_id,group_provider,user_id,user_provider
childgp1,childgp1,native Directory,Test1,Native Directory

Table 22 Group_Children Entity Attributes
Attribute | Explanation
id | Identifier of the nested group. Example: test-group
group_id | Name of the nested group. Example: test-group
group_provider | The source user directory of the group. Example: Native Directory
user_id | Unique identifier of a user who belongs to this group. Example: pturner
user_provider | The source user directory of the user assigned to the group. Example: LDAP-West

The following child role delineation in an import CSV file can be used to create the nested role Designer_rep, which belongs to the product hava (Reporting and Analysis, version 9.3.1), and is assigned to the user Test1:

id,product_type,role_id,member_product_type
Test1,hava 9.3.1,Designer_rep,hub
Table 23 Role_Children Entity Attributes
Attribute | Explanation and Example
id | Unique identifier of a user to whom the role is assigned. Example: Test1
product_type | Product type (specified as <product code>-<product version>) to which the role belongs. Example: hava
role_id | Unique role identifier. Example: Designer_rep
member_product_type | The product type (specified as <product code>-<product version>) to which the child role belongs. Example: hava

The following provisioning delineation in an import CSV file can be used to create a role assignment for application name Global Roles that is assigned to the project test_proj. The role id is Administrator, which belongs to product type HUB. User Test1 and group Group1 defined in Native Directory are provisioned with this role.

project_name,application_name,role_id,product_type,user_id,user_provider,group_id,group_provider
HUB,Global Roles,Administrator,HUB-9.0.0,Test1,Native Directory,Group1,Native Directory

Table 24 Provisioning Entity Attributes
Attribute | Description and Example
app_id | The application to which the role belongs. Example: WebAnalysis
product_type | Product type (specified as <product code>-<product version>) to which the role belongs. Example: hava
role_id | Unique role identifier. Example: Provisioning Manager
user_id | Unique identifier of a user who is provisioned to the role. Example: pturner
group_id | Unique identifier of a group that is provisioned to the role. Example: testgroup

The following delegated list definition in an import CSV file can be used to create a delegated list with list id and name testlist, and description my_list. Users admin and Test1 defined in Native Directory are delegated administrators of this list, which allows them to manage group testgroup defined on Native Directory.
id,name,description,manager_id,manager_provider,user_id,user_provider,group_id,group_provider
testlist,testlist,my_list,admin,native Directory,,testGroup,NativeDirectory
testlist,testlist,my_list,test1,native Directory,,testGroup,NativeDirectory

Table 25 Delegated List Entity Attributes
Attribute | Description and Example
id | The list identifier. Typically, the same as the list name. Example: testlist
name | Delegated list name. Example: testlist
description | Delegated list description. Example: my_list
manager_id | Unique identifier of a user or group who manages the list. Each manager must be identified in a separate definition. Example: admin
manager_provider | The user directory that stores the manager's account. Example: Native Directory
user_id | Unique identifier of a user member of the list. Each member must be identified in a separate definition. Example: pturner
user_provider | The user directory that stores the user member's account. Example: Native Directory
group_id | Unique identifier of a group that is a member of the list. Each member must be identified in a separate definition. Example: mygroup
group_provider | The user directory that stores the group's account. Example: Native Directory
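As an added example (not part of the guide or of Shared Services), the Python below parses an import file in the sectioned layout shown above and reports two things worth reviewing before an import: user rows whose password field is still plain text in the file, and users who would end up, directly or through nested groups, with both the Directory Manager and Provisioning Manager roles, a combination the guide's Shared Services role descriptions advise against. It assumes each section is a #name line followed by a header row, that hashed passwords carry the {SHA} prefix seen in the sample, and that in group_children rows id names the containing group; the sample data is constructed.

```python
import csv
from collections import defaultdict

# Constructed sample in the layout described above (assumed: "#section" line,
# header row, data rows). Names and hashes are made up, not real export data.
SAMPLE = """\
#user
id,provider,login_name,first_name,last_name,description,email,internal_id,password
admin,Native Directory,admin,admin,none,Administrative User,,911,{SHA}constructed=
Test_1,,Test_1,New1,User1,Test User,,,mypwd
pturner,Native Directory,pturner,,,,,,{SHA}constructed=
#group_children
id,group_id,group_provider,user_id,user_provider
G1,,,pturner,Native Directory
#group_children
id,group_id,group_provider,user_id,user_provider
G2,G1,Native Directory,,
#provisioning
project_name,application_name,role_id,product_type,user_id,user_provider,group_id,group_provider
HUB,Global Roles,Directory Manager,HUB-9.0.0,pturner,Native Directory,,
HUB,Global Roles,Provisioning Manager,HUB-9.0.0,,,G2,Native Directory
HUB,Global Roles,Administrator,HUB-9.0.0,admin,Native Directory,,
"""

# Role pair the guide says not to combine (the holder could self-provision).
CONFLICT = {"Directory Manager", "Provisioning Manager"}


def parse_sections(text):
    """Return {section: [row dict, ...]}; repeated sections are merged."""
    sections = defaultdict(list)
    name = header = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, header = line[1:].strip().lower(), None
            continue
        if name is None:
            continue  # ignore anything before the first section marker
        fields = [f.strip() for f in next(csv.reader([line]))]
        if header is None:
            header = fields
            continue
        fields += [""] * (len(header) - len(fields))  # pad short rows
        sections[name].append(dict(zip(header, fields)))
    return sections


def plaintext_password_users(sections):
    """User ids whose password lacks the {SHA} prefix (assumed hash marker)."""
    return [u["id"] for u in sections.get("user", [])
            if u.get("password") and not u["password"].startswith("{SHA}")]


def group_members(sections):
    """Map each group id to the users it contains, following nested groups."""
    users, children = defaultdict(set), defaultdict(set)
    for row in sections.get("group_children", []):
        if row.get("user_id"):
            users[row["id"]].add(row["user_id"])
        if row.get("group_id") and row["group_id"] != row["id"]:
            children[row["id"]].add(row["group_id"])

    def expand(group, seen):
        if group in seen:  # guard against cyclic nesting
            return set()
        seen.add(group)
        found = set(users.get(group, ()))
        for child in children.get(group, ()):
            found |= expand(child, seen)
        return found

    return {g: expand(g, set()) for g in set(users) | set(children)}


def effective_roles(sections):
    """Map each user id to roles granted directly or through group membership."""
    members = group_members(sections)
    roles = defaultdict(set)
    for row in sections.get("provisioning", []):
        role = row.get("role_id", "")
        if row.get("user_id"):
            roles[row["user_id"]].add(role)
        for user in members.get(row.get("group_id", ""), ()):
            roles[user].add(role)
    return roles


def self_provisioning_risk(sections):
    """Users holding both roles in CONFLICT, sorted by id."""
    return sorted(u for u, r in effective_roles(sections).items() if CONFLICT <= r)


if __name__ == "__main__":
    parsed = parse_sections(SAMPLE)
    print("plain-text passwords:", plaintext_password_users(parsed))
    print("can self-provision:", self_provisioning_risk(parsed))
```

Identifiers are compared exactly as written in the file, so normalize case first if your user directories treat ids case-insensitively.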
9 Using the Update Native Directory Utility to Clean Stale Native Directory Data

In This Chapter
About the Update Native Directory Utility
Installing the Update Native Directory Utility
Running the Update Native Directory Utility
Product-Specific Updates

About the Update Native Directory Utility

If the external user directory configuration in Shared Services uses an identity attribute that reflects the location of users and groups (for example, DN), inter-OU move of users and groups can cause stale data within Native Directory because the Hyperion security system is not synchronized to be aware of such changes.

Hyperion provides the Update Native Directory Utility to synchronize Native Directory data with the data in configured LDAP-enabled user directories. Running this utility makes the stale provisioning data usable.

Caution! If your Native Directory contains stale data, you must run the Update Native Directory Utility before migrating users and groups to use the unique identity attribute.

The sequence of action for migrating to the unique identity attribute is as follows:
1. Run the Update Native Directory Utility to synchronize user and group identities between Native Directory and user directories. See Running the Update Native Directory Utility on page 126.
2. Reconfigure external user directories to use the unique identity attribute. See Using the Unique Identity Attribute to Handle Inter-OU Moves in LDAP-Enabled User Directories on page 38.
3. Restart Shared Services.

The Update Native Directory Utility performs these actions:
- Deletes the user from Native Directory if the user account is not available in the external user directory
- Deletes user accounts derived from the external user directory if the user directory is removed from the Shared Services search order
- Updates Native Directory if the user or group in the external user directory is moved from one OU to another (the OU to which the user or group is moved must be configured in Shared Services)

Update Native Directory Utility does not update Native Directory if the external user directory cannot be reached because of configuration or connection problems.

Note: After migrating user and group information in Native Directory, you must migrate the user and group information in Hyperion product repositories. See Product-Specific Updates on page 128 for detailed procedures.

Installing the Update Native Directory Utility

The UpdateNativeDir.zip archive containing the Update Native Directory Utility is installed in <Hyperion_Home>/common/utilities/SyncOpenLdapUtility.

To install the Update Native Directory Utility:
1. Extract UpdateNativeDir.zip to a convenient location, preferably to <Hyperion_Home>. This creates the updatenativedir folder.
2. Using a text editor, open updatenativedir.bat (Windows) or updatenativedir.sh (UNIX).
   a. Verify that JAVA_HOME points to Sun Java version or above is available (for example, <Hyperion_Home>/common/JRE/Sun/1.5.0/bin).
   b. Save and close updatenativedir.

Running the Update Native Directory Utility

The Update Native Directory Utility synchronizes the data related to all the external user directories included in the search order in CSS.xml.

To run the Update Native Directory Utility:
1. Using a command prompt or console window, navigate to the directory where the Update Native Directory Utility is installed.
2. Execute the following command:
   updatenativedir -csslocation <location_of_CSS.XML> [-options] (Windows)
   updatenativedir.sh -csslocation <location_of_CSS.XML> [-options] (UNIX)
   Where <location_of_CSS.XML> identifies the directory or application server location where the CSS.xml configuration file is stored. Methods to specify this location:
   - As an absolute path; for example, C:\Hyperion\deployments\WebLogic9\SharedServices9\config (Windows) and updatenativedir /app/Hyperion/deployments/WebLogic9/SharedServices9/config (UNIX)
   - As a file located on the application server; for example, <SharedServices URL>/framework/getcssconfigfile, where <SharedServices URL> is:
     (non-SSL deployment); for example,
     (SSL deployment); for example, updatenativedir getcssconfigfile.
   Update Native Directory Utility options are discussed in Update Native Directory Utility Options on page 127.
   The utility lists the user providers specified in the search order and queries whether to continue with the operation.
3. Enter 1 to continue running the utility and 0 to cancel the operation.
4. Monitor the log files to verify the progress.
5. If you plan to migrate to the unique identity attribute, update the external user directory configuration; see Using the Unique Identity Attribute to Handle Inter-OU Moves in LDAP-Enabled User Directories on page 38.
6. Restart Shared Services to refresh the cache so that the updates done by the utility are visible to Shared Services.

Update Native Directory Utility Options

Table 26
Option | Description
-nodelete | Optional: Use this option to generate CSSMigration-Deleted*.log that lists all the users and groups that must be deleted from Native Directory because the corresponding identities were removed from the user directory. If this option is not set, the utility automatically deletes the user and group information from Native Directory. Example: updatenativedir -csslocation D:\CSS.xml -nodelete creates CSSMigration-Deleted_<time_stamp>.log. updatenativedir -csslocation D:\CSS.xml creates CSSMigration-Deleted_<time_stamp>.log and also deletes from Native Directory the users and groups whose identities are not available in external user directories.
-noprompt | Optional: Use this option to invoke silent mode operation. Used for scheduled jobs because no operator interaction is required. Example: updatenativedir -csslocation D:\CSS.xml -noprompt updates Native Directory in silent mode.
-noupdate | Optional: Use this option if you only want to generate CSSMigration-Update_<time_stamp>.log that lists the users and groups that need to be updated in Native Directory. User and group information in Native Directory is not updated if you use this option. Example: updatenativedir -csslocation D:\CSS.xml -noupdate creates CSSMigration-Update_<time_stamp>.log. updatenativedir -csslocation D:\CSS.xml creates CSSMigration-Update_<time_stamp>.log and updates the user and group information in Native Directory.

Update Native Directory Utility Log Files

By default, Update Native Directory Utility log files are created in updatenativedir/logs. If the utility cannot create updatenativedir/logs, the log files are created in $TMP\Hyperion-logs or %TEMP%\Hyperion-logs.

- CSSMigration-Ambiguous_<time_stamp>.log lists the identities that were not updated because more than one similar identity was detected by the utility. Identities listed in this file must be manually updated.
- CSSMigration-Deleted_<time_stamp>.log lists the deleted external user directory entries that must be deleted from Native Directory. These entries are automatically removed from Native Directory if the -nodelete option is not set when executing the utility.
- CSSMigration-Updated_<time_stamp>.log lists the Native Directory identities that need to be updated. If the -noupdate option is not set when executing the utility, the utility updates these entries in Native Directory.
- CSSMigration-ignored_<time_stamp>.log lists all the entries on which no action was taken because they need not be updated.

Product-Specific Updates

Hyperion products must perform steps to update their internal repositories in the following scenarios:
- Native Directory is updated using Update Native Directory Utility
- Shared Services is reconfigured to use the unique identity attribute.
See Using the Unique Identity Attribute to Handle Inter-OU Moves in LDAP-Enabled User Directories on page 38.

The following Hyperion products must update their internal repositories:
- Essbase on page 129
- Planning on page 129
- Financial Management on page 130
- Reporting and Analysis on page 130
- Strategic Finance

The following Hyperion products do not need to perform any migration procedures:
- Performance Scorecard
- Hyperion System 9 Analytic High Availability Services
- Oracle's Essbase Integration Services
- Oracle's Hyperion Provider Services
- Analytic Deployment Services

Essbase

Caution! Hyperion recommends that you back up Essbase security file and the data in Native Directory before starting the migration process. After migrating users and groups to use the new identity attribute, you cannot revert to the previously used identity attribute. To revert, restore user and group data in Native Directory and Essbase from the backups.

Before starting Essbase after the upgrade, edit the IDMIGRATION setting in <Hyperion_Home>\AnalyticServices\bin\essbase.cfg to indicate whether to migrate to the new identity attribute that Shared Services uses. On starting up, Essbase checks essbase.cfg and performs the action indicated by the IDMIGRATION setting.

Table 27 IDMIGRATION Syntax
Syntax | Description
CHECKANDMIGRATE | Default option. Checks for identity attributes that have changed in Shared Services and updates them in Essbase security.
NOMIGRATION | Makes no changes in Essbase security.
FORCEDMIGRATION | Updates Essbase users and groups without checking whether identity attributes have changed.

Planning

Caution! Hyperion recommends that you back up the user and group data in Native Directory and the Planning repository before starting the migration process. After migrating users and groups to use the new identity attribute, you cannot revert to the previously used identity attribute. To revert, restore user and group data in Native Directory and Planning repository from the backups.
Note: After upgrading your system, migrate users and groups to the new identity attribute before performing any other operation such as loading security or changing existing security settings. Such changes may be lost during the migration.

Planning stores information about provisioned users and groups in the Planning repository. If Shared Services was upgraded to use the new identity attribute, you must synchronize the information in the Planning repository with that in the configured user directories by clicking Migrate Users/Groups. This button is available in Planning when assigning access to data forms, members, or task lists.

Note: HspUserUpdate utility is no longer used to update users.

Financial Management

Caution! Hyperion recommends that you back up the user and group data in Native Directory and Financial Management before starting the migration process. After migrating users and groups to use the new identity attribute, you cannot revert to the previously used identity attribute. To revert, restore user and group data in Native Directory and Financial Management repository from the backups.

Financial Management records information about provisioned users and groups in the Financial Management repository. If Shared Services was upgraded to use the new identity attribute, you must synchronize the information in the Financial Management repository with that in the configured user directories.

Note: After upgrading Financial Management, migrate users and groups to the new identity attribute before performing any other operation such as loading security or changing existing security settings. Such changes may be lost during the migration.

Click the Migrate Users button on the Security tab of the Financial Management Configuration Utility to synchronize the information in the Financial Management repository with that in the configured user directories.
Migrating Financial Management users is a one-time operation that must be completed before starting Financial Management after upgrading to Release

Reporting and Analysis

Caution! Hyperion recommends that you back up the user and group data in Native Directory and Reporting and Analysis before starting the migration process. After migrating users and groups to use the new identity attribute, you cannot revert to the previously used identity attribute. To revert, restore user and group data in Native Directory and Reporting and Analysis repository from the backups.

Reporting and Analysis uses the SyncCSSIdentity_BI utility to synchronize user and group identities stored in its relational database to reflect the identity attribute set in Shared Services. See Using the Unique Identity Attribute to Handle Inter-OU Moves in LDAP-Enabled User Directories on page 38 and Running the Update Native Directory Utility on page 126.

Note: After upgrading Reporting and Analysis, migrate users and groups to the new identity attribute before performing any other operation such as loading security or changing existing security settings. Such changes may be lost during the migration.

Run the SyncCSSIdentity_BI utility only if Shared Services was upgraded to use the new identity attribute. Do not run the utility if Shared Services does not use the new identity attribute or if you do not have stale data resulting from inter-OU moves in the user directories. This utility needs to be run only once after upgrading Shared Services and Reporting and Analysis.

The SyncCSSIdentity_BI utility is installed in <BIPlus_Home>/syncCSSId. Execute the utility after upgrading Reporting and Analysis but before starting Reporting and Analysis services. See <BIPlus_Home>/syncCSSId/ReadmeSyncCSSId_BI.txt for detailed instructions to run the SyncCSSIdentity_BI utility. Runtime information from the utility is written into <BIPlus_Home>/syncCSSId/BI_Sync.log.

On successfully executing the utility, the value of ConfigurationManager.CSSIdSyncState in V8_PROP_VALUE table in Reporting and Analysis database is set to 0 (for NO_SYNC). Other possible values for this property are 1 (CHECK_AND_SYNC, which is the default value) and 2 (FORCE_SYNC).

If the synchronization state in the database is not 0 (NO_SYNC), and the system determines that identity synchronization is required, the authentication service writes warning messages to <Hyperion_Home>/logs/BIPlus/CSSSynchronizer.log. However, Reporting and Analysis services will run normally.

Strategic Finance

Strategic Finance automatically migrates users to the unique identity attribute used by Shared Services to resolve issues where domain name or organizational unit changes might result in the loss of provisioning and object access information.
10 Troubleshooting

In This Chapter
Shared Services Log Files
Troubleshooting Tools and Utilities

Shared Services Log Files

Runtime errors and messages are recorded in log files stored on the Shared Services server.

Log File | Contains
SharedServices_Security.log | Security-related error messages concerning users, groups, roles, and provisioning operations
SharedServices_Admin.log | Messages-related to the User Management Console and any messages reported during Shared Services runtime
SharedServices_Metadata.log | Metadata management and registration-related errors and messages
SharedServices_Taskflow.log | Taskflow-related errors and messages from Common Event Services
SharedServices_Taskflow_CMDExecute.log | Taskflow scheduling errors and messages from Common Event Services
SharedServices_Taskflow_Optimize.log | Taskflow optimization errors and messages from Common Event Services
SharedServices_SyncOpenLDAP.log | Messages from the synchronization of Native Directory with Shared Services database
SharedServices_Memory_Profiler.log | Messages-related to the memory usage by the Common Administrative Service
SharedServices_Security_Client.log | Product-specific messages and errors generated by Hyperion products

SharedServices_Security_Client.log is located in the Temp directory of the product using the external authentication client. The location of the Temp directory varies, based on the application server and platform. All Shared Services log files are located in <Hyperion_home>\logs\SharedServices9.
Troubleshooting Tools and Utilities

- CSSSpy on page 134
- WebDAV Browser on page 134

CSSSpy

CSSSpy is used to validate connections to external user directories and user login. It can also be used to retrieve user role information and to assess performance. CSSSpy can connect to any user directory and authenticate a user and perform various Shared Services calls, bypassing Hyperion products.

CSSSpy is deployed with Shared Services. To launch CSSSpy, use the following URL: for example, /interop/cssSpy where myserver indicates the DNS name of the Shared Services host machine.

WebDAV Browser

The WebDAV browser helps to view and validate the meta data contained in .product and .instance files, which are created when an application is registered with Shared Services. Use the WebDAV browser to diagnose:
- A failed product registration
- A failed application launch from Shared Services

The WebDAV browser is a part of Shared Services installation. To launch WebDAV browser, use the following URL: for example, /interop/content where myserver indicates the DNS name of the Shared Services host machine. Use Shared Services Administrator credentials to log on to the WebDAV browser.
A Hyperion Product Roles

In This Appendix
Shared Services Roles
Essbase Roles
Reporting and Analysis Roles
Financial Management Roles
Planning Roles
Business Rules Roles
Business Modeling Roles
Strategic Finance Roles
Transaction Manager Roles
Performance Scorecard Roles
Strategic Finance Roles
Data Integration Management Roles
Essbase Provider Services Roles

Shared Services Roles

All Shared Services roles are power roles. Typically, these roles are granted to power users who are involved in administering Shared Services and other Hyperion products.

Role Name | Description
Administrator | Provides control over all products that integrate with Shared Services. It enables more control over security than any other Hyperion product roles and should therefore be assigned sparingly. Administrators can perform all administrative tasks in User Management Console and can provision themselves. This role grants broad access to all applications registered with Shared Services. The Administrator role is, by default, assigned to the admin Native Directory user, which is the only user available after you deploy Shared Services.
Directory Manager | Creates and manages users and groups within Native Directory. Do not assign to Directory Managers the Provisioning Manager role because combining these roles allows Directory Managers to provision themselves. The recommended practice is to grant one user the Directory Manager role and another user the Provisioning Manager role.
LCM Manager | Runs the Artifact Life-Cycle Management utility to promote artifacts or data across product environments and operating systems
Project Manager | Creates and manages projects within Shared Services
Create Integrations | Creates Shared Services data integrations (the process of moving data between applications) using a wizard. For Oracle's Enterprise Performance Management Architect, creates and executes data synchronizations.
Run Integrations | Views and runs Shared Services data integrations. For Performance Management Architect, executes data synchronizations.
Dimension Editor | Creates and manages import profiles for dimension creation. Also, creates and manages dimensions manually within the Performance Management Architect user interface or the Classic Application Administration option. Required to access Classic Application Administration options for Financial Management and Planning using Web navigation.
Application Creator (Analytic Services Application Creator, Financial Management Application Creator, Planning Application Creator) | Creates and deploys Performance Management Architect applications. Users with this role can create applications, but can change only the dimensions to which they have access permissions. Required, in addition to the Dimension Editor role, for Financial Management and Planning users to be able to navigate to their product's Classic Application Administration options. When a user with Application Creator role deploys an application from Performance Management Architect, that user automatically becomes the application administrator and provisioning manager for that application. The Application Creator can create all applications. The Analytic Services Application Creator can create Generic Performance Management Architect applications. The Financial Management Application Creator can create Consolidation applications and Performance Management Architect Generic applications. To create applications, the user must also be a member of the Application Creators group specified in Financial Management Configuration Utility. The Planning Application Creator can create Planning applications and Performance Management Architect Generic applications.

Essbase Roles

Additional Shared Services roles are required for Performance Management Architect. See Shared Services Roles on page 135.

Role | Description
Power Roles
Administrator | Grants full access to administer the server, applications and databases
Application Manager | Creates, deletes and modifies databases, and application settings within the assigned application. Includes Database Manager permissions for the databases within the assigned application
Create/Delete Application | Creates and deletes applications and databases within applications. Includes Manager permissions for the applications and databases created by this user
Database Manager | Manages the databases, database objects, locks and sessions within the assigned application
Load/Unload Application | Start and stops an application or databases
Interactive Roles
Calc | Calculates, updates and reads data values based on the assigned scope, using any assigned calculations and filter
Write | Updates and reads data values based on the assigned scope, using any assigned filter
Filter | Accesses specific data and meta data according to the restrictions of a filter
View Roles
Read | Read data values
Server Access | Accesses any database that has a default access other than none

Reporting and Analysis Roles

Role | Description
Power Roles
Reporting and Analysis Administrator | Conditionally accesses all resources (unless the file is locked by "no access"), but not all functionality; accesses the Administer and Impact Manager modules. Applies to Oracle's Hyperion Financial Reporting System 9, Oracle's Hyperion Interactive Reporting System 9, Oracle's Hyperion SQR Production Reporting System 9, and Oracle's Hyperion Web Analysis System 9
Reporting and Analysis Global Administrator | Universally and implicitly accesses all resources and functionality; accesses the Administer and Impact Manager modules. Note: Reporting and Analysis Global Administrators can never be denied access. Applies to Financial Reporting, Interactive Reporting, SQR Production Reporting, and Web Analysis
Content Manager | Manages imported repository content and execute tasks, with implicit access to all resources (unless the file is locked by "no access"); contains the Data Source Publisher role. Applies to Financial Reporting, Interactive Reporting, SQR Production Reporting, and Web Analysis
Data Source Publisher | Imports data source connectivity files. Applies to Interactive Reporting and Web Analysis
Favorites Distributor | Pushes content to users' Favorites folders using the Favorites Manager. Applies to Financial Reporting, Interactive Reporting, SQR Production Reporting, and Web Analysis
Job Manager * | Creates and manages public job parameters, output directories, and output printer locations. Applies to Interactive Reporting and SQR Production Reporting
Schedule Manager | Creates and manages events, calendars, time events, public parameters, and physical resources; creates batches; contains the Scheduler and Job Manager roles. Applies to Financial Reporting, Interactive Reporting, and SQR Production Reporting
Interactive Roles
Analyst | Accesses interactive content using full analytic and reporting functionality. Applies to Financial Reporting, Interactive Reporting, and Web Analysis
Content Publisher | Imports, saves, and modifies batches, books, reports and documents; creates and modify shortcuts and folders. Applies to Financial Reporting, Interactive Reporting, SQR Production Reporting, and Web Analysis
Data Editor | Pushes Web Analysis data to Essbase
Job Publisher * | Imports and modifies documents, jobs, and job output; run jobs; contains the Smart Form Publisher role. Applies to Interactive Reporting, and SQR Production Reporting
Personal Page Publisher * | Publishes Personal Pages to the repository, where they can be viewed by other repository users; contains the Personal Page Editor role. Applies to Interactive Reporting and SQR Production Reporting
Report Designer | Accesses authoring studios to create and distribute documents. Applies to Financial Reporting and Web Analysis
Scheduler | Schedules jobs and batches using the Schedule module; navigates the repository and assigns access control; contains the Explorer and Job Runner roles. Applies to Financial Reporting, Interactive Reporting, and SQR Production Reporting
Smart Form Publisher * | Loads custom forms for programs (forms prompt job runners to enter information used to define jobs). Applies to SQR Production Reporting. Note: You must have the Job Publisher role to leverage Smart Form Publisher functionality.
View Roles
Dynamic Viewer * | Views, reprocesses, and prints Interactive Reporting documents.
Explorer | Lists repository content in the Explore module and in context using the Open dialog box; searches, views, and subscribes to content. Note: Access to the repository does not grant access to individual files and folders, which are secured by file properties and permissions. Applies to Financial Reporting, Interactive Reporting, SQR Production Reporting, and Web Analysis
Interactive Reporting Viewer * | Reviews and prints static Interactive Reporting documents
Job Runner * | Runs jobs, and views public job parameters and physical resources. Applies to Interactive Reporting and SQR Production Reporting
Personal Page Editor * | Creates, modifies, and customizes Personal Pages; copies content from other users' published Personal Pages. Applies to Interactive Reporting and SQR Production Reporting
Personal Parameter Editor | Defines points of view and personal parameters on database connections to customize query result sets. Applies to Interactive Reporting, SQR Production Reporting, and Web Analysis
Viewer | Reviews Workspace content; content is static and accessible only from the Favorites folder. Note: This role provides minimal end-user functionality; use it only when no other role assignments are possible. Applies to Financial Reporting, Interactive Reporting, SQR Production Reporting, and Web Analysis
System Roles
Trusted Application | Enables credentialed client-server communication of Interactive Reporting database connection files (.oce extension) that encapsulate connectivity, database type, network address, and database user name information

* This Reporting and Analysis role does not apply and should not be assigned to Financial Management and Planning users who access Financial Reporting or Web Analysis through Oracle's Hyperion Workspace.

Financial Management Roles

Additional Shared Services roles are required for Performance Management Architect. See Shared Services Roles on page 135.

Role | Description
Power Roles
Application Administrator | Performs all Financial Management tasks. Access to this role overrides any other access setting for the user
Load System | Loads rules, and member lists
Inter-Company Transaction Admin | Opens and closes periods, locks and unlocks entities, and manages reason codes. Users with the role can also perform all Inter-Company tasks
Interactive Roles
Approve Journals | Approves or rejects journals
Create Journals | Created, modifies, deletes, submits, and unsubmits journals
Create Unbalanced Journals | Create unbalanced journals
Default | Opens and closes applications, manages documents and favorites, manages Smart View, accesses running tasks, data tasks, load and extract tasks. Cannot extract meta data or rules.
Journals Manager | Performs all tasks related to journals
Post Journals | Posts and unposts journals
Manage Templates | Grants access to the journals template task in the Setup Journals module
Generate Recurring | Grants access to the generate recurring task in the Setup Journals module
Review Manager | Performs all tasks involving process management
Reviewer 1 through Reviewer 10 | Views and edits a block of data when that data is at the user's designated process management level
Submitter | Submits a block of data for final approval
Lock Data | Locks data in Data Explorer.
Unlock Data | Unlocks data in Data Explorer.
Consolidate All | Runs consolidate all.
Consolidate | Runs consolidate.
Consolidate All with Data | Runs consolidate with all data.
Run Allocation | Runs allocations.
Manage Data Entry Forms | Manages data entry forms in the Web.
Save System Report On Server | Saves system reports on server.
Load Excel Data | Loads data from Smart View.
Inter-Company Transaction User | Creates, edits, deletes, loads and extracts transactions. Runs matching report by account or ID, runs transaction report and drills through from modules.
Inter-Company Transaction Match Template | Manages intercompany matching templates.
Inter-Company Transaction Auto Match by Account | Auto matches intercompany transactions by account.
Inter-Company Transaction Auto Match by ID | Auto matches intercompany transactions by ID.
Inter-Company Transaction Manual Match with Tolerance | Manually matches intercompany transactions with tolerance check.
Inter-Company Transaction Manual Match | Manually matches intercompany transactions.
Inter-Company Transaction Unmatch | Unmatches intercompany transactions.
Inter-Company Transaction Post/Unpost | Posts and unposts intercompany transactions.
Enable write back in Web Grid | Enters and saves data directly to a Web grid.
Database Management | Copies and clears data, and deletes invalid records.
Manage Ownership | Enters and edits ownership information.
Task Automation | Sets up automated tasks.
Manage Custom Documents | Loads and extracts custom documents to and from the server.
Extended Analytics | Creates and executes extended analytics queries.
Data Form Write Back from Excel | Submits data from Smart View while using a Web Data Entry Form.

View Roles
Advanced User | Uses the Browser View and can access Running Tasks.
Read Journals | Reads journals.
Receive Email Alerts for Process Management | Receives e-mails.
Receive Email Alerts for IC Transactions | Receives e-mails.
Reserved | Not currently used.

Planning Roles

Additional Shared Services roles are required for Oracle's Enterprise Performance Management Architect. See Shared Services Roles on page 135.

Role | Description

Power Roles
Administrator | Performs all application tasks except those reserved for the application owner and Mass Allocate role. Creates and manages applications, manages access permissions, initiates the budget process, designates the e-mail server for notifications.
Application Owner | Reassigns application ownership.
Mass Allocate | Accesses the Mass Allocate feature to spread data multi-dimensionally down a hierarchy, even to cells not visible in the data form and to which the user does not have access. Any user type can be assigned this role, but it should be assigned sparingly.
Analytic Services Write Access | For planners and interactive users: Grants users the same access permissions they have in Planning to Planning data in Essbase. Enables users having write access to change Planning data directly in Essbase using another product such as Financial Reporting or a third-party tool.

Interactive Roles
Interactive User | Creates and maintains data forms, Smart View worksheets, business rules, task lists, Financial Reporting reports, and Oracle's Hyperion Application Link adapter processes and flow diagrams. Manages the budget process. Can perform all Planner tasks. Interactive users are typically department heads and business unit managers.

Planner Roles
Planner | Enters and submits plans for approval, runs business rules and Oracle's Hyperion Application Link flow diagrams. Uses reports that others have created, views and uses task lists, enables e-mail notification for themselves, creates data using Smart View.

View Roles
View User | Views and analyzes data through Planning data forms and any data access tools for which they are licensed (for example, Financial Reporting, Web Analysis, Smart View). Typical View users are executives who want to see business plans during and at the end of the budget process.

To learn which roles do not apply and should not be assigned to Planning users who access Financial Reporting or Web Analysis, see Reporting and Analysis Roles on page 137.
Business Rules Roles

Role | Description

Power Roles
Administrator | Creates, launches, edits, validates, and manages business rules, sequences, macros, variables, and projects. Assigns access permissions to business rules, sequences, macros, variables, and projects.

Interactive Roles
Interactive User | Creates business rules, sequences, macros, variables, and projects. Assigns access permissions to business rules, sequences, macros, variables, and projects.
Basic User | Launches business rules and sequences to which the user has access. Views variables and macros, business rules, and sequences to which the user has access. Edits business rules, sequences, macros, variables, and projects for which the user has editing permissions.

Business Modeling Roles

Role | Description

Power Roles
Administrator | Manages the users, security and databases for the application, both on the desktop and the Web. Sets up and maintains databases and containers, installs and configures the application (authentication, users and groups, provisioning). Sets up global tools on the Web Home Page.

Interactive Roles
Builder | Creates the original model or enterprise model by defining all elements of the model, such as boxes, links, variables and financial values, and attaching financial data.

View Roles
End User | Updates model periods. Uses business and operational knowledge to adjust parameters for the original model, experiments with the workings of the scenario over the Web to search for process improvements, time or money savings, or unexpected bottlenecks or benefits.

Strategic Finance Roles

Role | Description

Power Roles
Power Manager | Adds and maintains servers, databases, users, and groups. Creates and maintains entities, and designs and views reports.

Interactive Roles
Interactive User | Creates and maintains entities, and enters data into entities. Adds scenarios and subaccounts and dimensions. Designs and views reports.
Basic User | Enters data into entities. Adds scenarios and subaccounts. Views reports.

View Roles
View User | Views entities and reports.

Transaction Manager Roles

Role | Description

Power Roles
Administrator | Administers all system resources.

Interactive Roles
Basic User | Views system resources.

Performance Scorecard Roles

Role | Description

Power Roles
Power Manager | Provides the administrative capability within a Performance Scorecard environment.

Interactive Roles
Basic User | Grants access to reports, scorecards, measures and initiatives with the additional role of result collection administration.
Interactive User | Primarily a designer role, the Interactive User has access to all business objects for creation and modification. These include maps (accountability, strategy, cause and effect) as well as scorecards, initiatives and measures.

Strategic Finance Roles

Role | Description

Power Roles
Administrator | Administers Oracle's Hyperion Strategic Finance and assigns access to entities. Includes Interactive User capabilities.

Interactive Roles
Basic User | Enters data, adds scenarios and subaccounting.
Interactive User | Models, changes dimensional structure and enters data.

View Roles
View User | Views data.

Data Integration Management Roles

Role | Privileges

Power Roles
Oracle's Hyperion Data Integration Management Administrator | Operates workflows and uses Workflow Manager, uses designer, browses repository, and administers repository and server.
Data Integration Management Designer | Operates workflows, uses designer, browses repository, and uses Workflow Manager.
Data Integration Management Operator | Operates workflows and browses repository.

Essbase Provider Services Roles

Analytic Provider Services provides the Administrator power role, which allows users to create, modify, and delete Analytic Server clusters.
B Shared Services Roles and Permitted Tasks

Table 28 Shared Services User Roles and Tasks Matrix

Tasks | Administrator | Directory Manager | Project Manager | Provisioning Manager | Create Integrations | Run Integrations
Create users X X
Modify user details X X
Delete users X X
Deactivate and Activate user accounts X X
Create groups X X
Modify group details X X
Delete groups X X
Create projects
Modify project details
Delete projects
Provision users
Deprovision users
Provision groups
Deprovision groups
X X X X X X X X X X X X X
Generate provision reports
Assign access to data integrations
Create data integrations
Edit data integrations
Copy data integrations
Delete data integrations
Create data integration groups
View data integrations
Run, or schedule to run, data integrations
Run, or schedule to run, data integration groups
X X X X X X X X X X X X X X X X X X X X
C Essbase User Provisioning

In This Appendix
- Launching User Management Console from Essbase
- Essbase Projects, Applications, and Databases in Shared Services
- Essbase Users and Groups in Shared Services
- Assigning Database Calculation and Filter Access
- Setting Application Access Type
- Synchronizing Security Information Between Shared Services and Essbase
- Migrating Essbase Users to Shared Services Security
- Backing Up Security Information

This appendix provides information that is specific to Essbase and Shared Services. You can use Shared Services to provide security for Essbase applications, databases, and objects. To use Shared Services security, you must migrate Analytic Server and any existing Essbase users and groups to Shared Services. For detailed information on Essbase security, see the Hyperion Essbase - System 9 Database Administrator's Guide and the Hyperion Essbase - System 9 Administration Services Online Help. See Essbase Roles on page 136 for information on Essbase roles.

Launching User Management Console from Essbase

To manage Essbase users in User Management Console, you must log in to User Management Console as a user who is provisioned with the following Shared Services roles:
- Provisioning Manager role for the appropriate Analytic Server or applications.
- Directory Manager role for the appropriate authentication directory.

When you launch User Management Console from Administration Services, you automatically log in to User Management Console as the Essbase user that connects the Analytic Server you are accessing.

Note: In Shared Services security mode, you must use the same user to log in to Administration Services Console as you use to connect the Analytic Server.
When you launch User Management Console from a browser, you log in as whatever user is appropriate. For example, you must log in as a Shared Services Administrator in order to provision an Essbase Administrator with the Directory Manager role, so that he or she can create and delete users.

To launch User Management Console:
1. From Enterprise View, find the appropriate Analytic Server.
2. Under the server node, select the Security node.
3. Right-click and select User Management from the pop-up menu. User Management Console launch page is opened in a separate browser window.
4. Click Launch to open User Management Console.
5. Use the Help menu in User Management Console to get assistance with managing and provisioning users and groups.

For information on launching User Management Console from MaxL, see the Essbase Technical Reference.

Note: To ensure that Essbase security status and Shared Services security status are synchronized, you may need to refresh security information. For information on refreshing security information, see the Hyperion Essbase - System 9 Database Administrator's Guide.

Essbase Projects, Applications, and Databases in Shared Services

Shared Services and Essbase both use the term application. Essbase uses application to refer to a container for databases. Shared Services uses application to refer to an object for which you provision users. In this document, application refers to a Shared Services application, unless an Essbase application is specifically stated. In most cases, an Essbase application maps to a Shared Services application and so there is no need to distinguish between the two types of application.

For Essbase, migration is done at the Analytic Server level. When you migrate an Analytic Server to Shared Services, a Shared Services project is created for the Analytic Server. The project is named as follows:

Analytic Servers:machineName:AnalyticServer#

where machineName is the Analytic Server machine name and AnalyticServer# is the sequence number.
If you migrate multiple Analytic Servers on the same machine, each Analytic Server migrated gets a different sequence number (AnalyticServer#). Also, if you delete the security file and re-migrate an Analytic Server, each successful migration creates a new server project with a new sequence number. You can delete any unwanted projects in User Management Console.

Essbase automatically creates the following applications within the project and automatically registers the applications with Shared Services:
- An application with the same name as the Shared Services project. This application allows you to specify security at the Analytic Server level, and is known as the global Analytic Server application.
- A Shared Services application for each Essbase application on the Analytic Server. In Shared Services, if an Essbase application contains multiple databases, the databases must have the same user security access levels. (However, users can have different calculation script and database filters assigned for databases within the same application. See Assigning Database Calculation and Filter Access on page 149.)

Once you have migrated to Shared Services, when you create a new application and database in Essbase, a corresponding Shared Services application is created within the Analytic Server project and the application is automatically registered with Shared Services.

Essbase Users and Groups in Shared Services

When you migrate to Shared Services, all native Essbase users and groups that do not already exist in an external authentication directory are converted to native Shared Services users and groups in the native Shared Services user directory and are given equivalent roles. Any externally authenticated users are registered with Shared Services but are still stored in their original authentication directory. For more information on migrating users and groups, see the Hyperion Essbase - System 9 Database Administrator's Guide.

Note: Shared Services supports aggregated groups, in which a parent group contains one or more sub-groups. The sub-groups inherit the roles of their parent group. For example, if a parent group is provisioned with the Essbase Administrator role, any sub-groups (and users in the groups) inherit the Essbase Administrator role.

Once you have migrated to Shared Services, you must create and manage users and groups in User Management Console, or through the external authentication provider.
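Because sub-groups inherit the roles of their parent group, a user can hold a powerful role that is provisioned on none of the groups they directly belong to. The following added example (not part of the original guide or of Shared Services) resolves effective roles over a constructed set of groups and reports who holds a role only through inheritance; the dict layout and all user and group names are assumptions.

```python
"""Effective-role audit for aggregated (nested) groups.

Constructed sample data: the group names, user names and dict layout are
assumptions for this example, not a Shared Services export format.
"""
from collections import deque

# member (user or sub-group) -> parent groups that directly contain it
MEMBER_OF = {
    "alice": ["apac_cube_owners"],
    "bob": ["report_readers"],
    "carol": ["apac_cube_owners", "report_readers"],
    "dave": [],
    "apac_cube_owners": ["essbase_ops"],
    "essbase_ops": ["platform_admins"],
    "platform_admins": ["essbase_ops"],  # nesting loop; the walk must terminate
    "report_readers": [],
}

# principal -> roles provisioned directly on that user or group
DIRECT_ROLES = {
    "platform_admins": {"Essbase Administrator"},
    "essbase_ops": {"Provisioning Manager"},
    "report_readers": {"Explorer"},
    "dave": {"Essbase Administrator"},
}

USERS = ["alice", "bob", "carol", "dave"]


def effective_roles(principal):
    """Return {role: chain}; chain runs from the principal to the grantor.

    Breadth-first walk up the parent groups, so the shortest chain is
    reported when a role is reachable through several groups.
    """
    granted = {}
    seen = {principal}
    queue = deque([(principal, (principal,))])
    while queue:
        node, chain = queue.popleft()
        for role in DIRECT_ROLES.get(node, ()):
            granted.setdefault(role, chain)
        for parent in MEMBER_OF.get(node, ()):
            if parent not in seen:  # guards against group nesting loops
                seen.add(parent)
                queue.append((parent, chain + (parent,)))
    return granted


def inherited_holders(role):
    """Users who hold `role` only through a parent group, with the chain."""
    holders = {}
    for user in USERS:
        chain = effective_roles(user).get(role)
        if chain is not None and len(chain) > 1:
            holders[user] = " -> ".join(chain)
    return holders


if __name__ == "__main__":
    for user, chain in inherited_holders("Essbase Administrator").items():
        print(f"{user}: {chain}")
```

Reviewing the reported chains before provisioning a parent group shows how far a single role assignment reaches.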
Note: If manual user synchronization is specified, when you provision a user with an Analytic Server role, you must request a refresh of security information to enable the user to log in. For information on manual user synchronization, see the Hyperion Essbase - System 9 Database Administrator's Guide.

Assigning Database Calculation and Filter Access

After provisioning users for Essbase applications in User Management Console, you can assign more granular access permissions to users and groups for a specific Essbase application and database. For example, after assigning a user access to an application and assigning the user's role for the application, you may want to assign an Essbase filter to the user, or assign the user access to a specific calculation script.

When you select an Essbase application from User Management Console, a screen is displayed that lists all users and groups who are provisioned to that application. On this screen, you select the users and groups to which you want to assign additional permissions. After clicking Next to go to the next screen, you select the database you want to work with, and then use the appropriate drop-down lists to assign filter and calculation script access to selected users and groups. For descriptive information about these two screens, click the Help button on one of these screens to display a context-sensitive help topic.

When you assign database calculation and filter access, you automatically log in to Administration Services and Essbase as the User Management Console logged-in user. This user must be a valid Essbase Administrator, Application Manager, or Database Manager. The user must have the Provisioning Manager role for the appropriate application(s).

You cannot assign database calculation or filter access to an Essbase Administrator or Application Manager.

To assign database calculation and filter access:
1. Launch User Management Console. See Launching User Management Console from Essbase.
2. Expand the Projects node, and select the appropriate Essbase application.
3. Right-click and select Assign Access Control.
4. Select the appropriate item from the Available Users and Groups drop-down list to display only users, only groups, or both.
5. Select the users and/or groups that you want to work with for the application. To select multiple users/groups, press the Ctrl key between selections.
6. Click the appropriate arrow button to move your selections to the Selected Users and Groups box. To move all users and groups, click the double arrow button.
7. Click Next to go to the next screen. This screen lists the users who have access to the application and displays their user roles.
8. From the Database drop-down list, select the database you want to work with.
9. To assign an Essbase filter to users and groups:
   a. Select the check box next to each user and group you want to assign a filter to.
   b. From the Filter drop-down, select the appropriate filter.
   The filter list is populated with the filters that exist for the selected database on Analytic Server.
10. To assign users and groups access to an Essbase calculation script:
   a. Select the check box next to each user and group you want to assign calculation script access to.
   b. From the Calc drop-down, select the appropriate calculation script.
   The calculation list is populated with the calculation scripts that exist for the selected database on Analytic Server.
11. If you want to assign only calculation access, select No update from the Filter drop-down list.
12. If you want to assign only filter access, select No update from the Calc drop-down list.
    Note: If you have not yet clicked Save, you can click Reset to revert to the original settings (or to revert to the settings changed since the last save).
13. Click the apply check mark icon next to the Calc drop-down list to apply your selections.
14. Click Save to save the changes. Status messages are displayed on a new screen. The changes are reflected immediately in Administration Services Console.

To refresh Essbase with database calculation and filter access security information for newly provisioned users, click the Refresh button.

Although you can assign access to database filters and calculation scripts through User Management Console, you must create the filters and calculation scripts in Essbase. For information on creating database filters, see the Hyperion Essbase - System 9 Database Administrator's Guide.

Setting Application Access Type

Essbase and Hyperion Planning have the concept of an application access type for Essbase and Hyperion Planning users. For example, when an Essbase user is created using any Essbase administration tool, the user is automatically assigned the application access type "Essbase"; when a Hyperion Planning user is created using the Planning interface, the user is automatically assigned the application access type "Planning". A user's application access type specifies whether the user has access to Essbase applications only, to Planning applications only, or to both.

When you select a global Analytic Server application from User Management Console, a screen is displayed that lists all users and groups who are provisioned to that application. On this screen, you select the users and groups for which you want to assign application access type. After clicking Next to go to the next screen, you use the drop-down list to assign application access type to the selected users and groups.
For descriptive information about these two screens, click the Help button on one of these screens to display a context-sensitive help topic.

When you assign database calculation and filter access, you automatically log in to Administration Services and Essbase as the User Management Console logged-in user. This user must be a valid Essbase Administrator and must have the Provisioning Manager role for the appropriate application(s).

To set application access type for users:
1. Launch User Management Console. See Launching User Management Console from Essbase.
2. Expand the Projects node, and select the global Essbase application.
   Note: An application with the same name as the Shared Services project is created within the project. This global application allows you to specify security at the Analytic Server level.
3. Right-click and select Assign Access Control.
4. The Available Users box lists the users that are provisioned to the global application.
5. Select the users that you want to work with. To select multiple users, press the Ctrl key between selections.
6. Click the appropriate arrow button to move your selections to the Selected Users box. To move all users, click the double arrow button.
7. Click Next to go to the next screen. This screen lists the selected users.
8. Select the check box next to the users whose application access type you want to change.
9. From the User type drop-down list, select Analytic Services or Planning, as appropriate.
   Note: If you have not yet clicked Save, you can click Reset to revert to the original settings (or to revert to the settings changed since the last save).
10. Click the apply check mark next to the User type drop-down list to apply your selections.
11. Click Save to save the changes. Status messages are displayed on a new screen. The changes are reflected immediately in Administration Services Console.

To refresh Essbase with application access type information for newly provisioned users, click the Refresh button.

Synchronizing Security Information Between Shared Services and Essbase

To ensure that Essbase security status is synchronized with Shared Services security status, you may need to refresh security information from Shared Services. When the security status is out of sync, the user, group, and application information displayed in Essbase may be different from that in Shared Services. For more information on refreshing security information from Shared Services, see the Hyperion Essbase - System 9 Database Administrator's Guide and the Hyperion Essbase - System 9 Administration Services Online Help.

Migrating Essbase Users to Shared Services Security

Before you can use Shared Services to manage security, you must migrate Analytic Server and any existing Essbase users and groups to Shared Services.
For detailed information on migrating users and groups to Shared Services, see the Hyperion Essbase - System 9 Database Administrator's Guide and the Hyperion Essbase - System 9 Administration Services Online Help.
Backing Up Security Information

For information on backing up security information when Essbase is in Shared Services security mode, see the Hyperion Essbase - System 9 Database Administrator's Guide.
D Reporting and Analysis User Provisioning

In This Appendix
- Launching User Management Console from Workspace
- Reporting and Analysis Roles
- Reporting and Analysis Role Hierarchy
- Sample Role Combinations

Launching User Management Console from Workspace

You use User Management Console to manage Reporting and Analysis users, groups, and roles. You must be a Shared Services Administrator or Provisioning Manager to provision users or groups. See Chapter 8, Managing Provisioning.

To launch User Management Console from Workspace, select Navigate > Administer > User Management. User Management Console opens in a separate window.

Reporting and Analysis Roles

You provision users and groups by assigning combinations of predefined roles (see Appendix A, Hyperion Product Roles) to achieve specific product access and functionality.

Reporting and Analysis Role Hierarchy

Roles organize into hierarchies that contain other roles. Oracle's Hyperion Reporting and Analysis System 9 roles aggregate into these branches:
- Content Manager Branch on page 156
- Scheduler Manager Branch on page 156
Content Manager Branch
Scheduler Manager Branch

Sample Role Combinations

This table provides examples of the access and functionality achieved by assigning combinations of roles.

Combined Role | Tasks | Access Permissions
Explorer + Favorites Distributor + Personal Page Editor + Personal Parameter Editor | Review interactive Web Analysis and Financial Reporting content in Workspace; List and subscribe to repository content; Review accessible interactive content in Oracle's Hyperion Web Analysis Studio; Access Personal Page; Access Favorites Manager; Define Web Analysis points of view, personal variables, and personal parameters, to customize the query result set | Share interactive content without modifying content or saving changes to the repository
Explorer + Analyst + Content Publisher | Review interactive Web Analysis, Financial Reporting, and Interactive Reporting content in the Oracle's Hyperion Workspace; List and subscribe to repository content; Review accessible interactive content in Web Analysis Studio; Edit queries, re-query and arrange data; Create Financial Reporting batches and books; Import, modify and Save As dialog box | Interactively use document types to edit queries, re-query, and save changes back to the repository
Personal Page Publisher Data Source Publisher + Analyst + Report Designer + Job Manager | Create and distribute new interactive Web Analysis, Financial Reporting, and Oracle's Hyperion Interactive Reporting System 9 content; Create and distribute custom Oracle's Hyperion Web Analysis System 9 documents in Oracle's Hyperion Web Analysis Studio Design Documents interface; Access Oracle's Hyperion Financial Reporting Studio; Access Personal Pages and distribute content to repository users; Distribute data source connectivity files to repository users; Distribute batches, books, reports and documents to repository users; Import and modify SQR Production Reporting files and Oracle's Hyperion SQR Production Reporting System 9 output; Create, save and run jobs; Create and manage output directories | Access most content creation functionality, but not administrator access to resources
Content Manager + Schedule Manager | Manage all published content in the repository and all content creation functionality; Create and manage events, calendars, time events, calendars, public parameters, and physical resources | Access all content creation and scheduling functionality, but not administrator access to resources
Reporting and Analysis Administrator + Data Editor | Conditional access to all resources; Access the Administer module; Access the Impact Manager module; Ability to write edits back to Essbase | Access most functionality and modules, with conditional access to resources
E Financial Management User Provisioning

In This Appendix
- Assigning Users and Groups to Financial Management Applications
- Assigning User Access to Security Classes
- Setting Up E-mail Alerting
- Running Security Reports for Financial Management Applications
- Migrating Financial Management Users to Shared Services Security

There are two ways to set up security for Financial Management applications:
- Create a file with security information and load it into an application. See "Creating Application Security Files" and "Loading Application Security" in the Hyperion System 9 Financial Management Administrator's Guide.
- Use the Shared Services User Management Console to set up security.

This appendix provides information specific to Financial Management and the Shared Services user management system.

Before setting up security for Financial Management applications, you must do the following:
1. Create projects. See Working with Projects.
2. Create Oracle's Hyperion Financial Management System 9 applications and add applications to a project. See the Enterprise Performance Management Architect Administrator's Guide.
3. Provision users by assigning users and groups to applications and assigning roles to users and groups. See Chapter 8, Managing Provisioning.

Assigning Users and Groups to Financial Management Applications

Note: Before you can assign users and groups to applications, you must provision users. For information on provisioning users, see Chapter 8, Managing Provisioning.

Only a user assigned to the Provisioning Manager role can define users and groups for an application.
Only the users and groups provisioned for the application are available when you select users and groups.

To select users and groups for an application:
1. From Select Users and Groups, select an option:
   - Show All to show all users that are provisioned
   - Users or Groups, and in Search Criteria, enter the search criteria, and click Search.
2. From Available Users and Groups, select users and groups to assign to the application, and use the arrow keys to move them to the Selected Users column.
   Tip: Use the Shift and Ctrl keys to add or remove multiple users and groups.
3. Click Next or Select Classes.

Assigning User Access to Security Classes

After you define users and groups and security classes, you can specify the level of access each user and group has to each security class in the application and set up e-mail alerts.

Note: You must select users and classes for the application before you can access the Assign Access module.

Table 29 User Access Level

Access Level | User and Group Tasks
None | No access to elements assigned to the security class.
Metadata | View a specified member in a list but cannot view or modify data for the member.
Read | View data for elements assigned to the security class but cannot promote or reject.
Promote | View data for elements assigned to the security class and can promote or reject.
All | Modify data for elements assigned to the security class and can promote and reject.

You can use the Pivot Table feature to toggle between two views for assigning access. For example, if you have users and groups on rows and security classes on columns and click Pivot Table, users and groups will be on columns and security classes on rows.

Note: A user assigned to the Application Administrator role for an application has access to all information in the application.

To assign user access to security classes:
1. Select cells for which to assign access rights.
   Tip: Use the Shift and Ctrl keys to select multiple cells. Select a column or row by clicking in the column or row header.
2. From Access Rights, select the access level to assign.
3. Click Set to apply the level to the selected cells.
4. Optional: To add an e-mail alert, select cells in the table and click Add Alert.
   Caution! The alerting process uses the e-mail addresses stored in the external authentication files. To receive e-mail alerts, users must be on Microsoft Active Directory or LDAP. See Setting Up E-mail Alerting on page 161.
   Note: To remove e-mail alerts, select the cell and click Remove Alert.
5. Click Save.
6. Click Next or Security Reports.

Setting Up E-mail Alerting

You can use e-mail alerting for intercompany transactions and during the process management review process. E-mail alerts help highlight a key event or data change in the system. For example, you can send an e-mail alert that an intercompany transaction is mismatched and needs to be matched, or that a process unit is ready for the next promotion level.

Note: The alerting process uses the e-mail addresses that are stored in the external authentication files. To receive e-mail alerts, users must be on Active Directory or LDAP.

Process Management Alerting

To set up process management e-mail alerts:
1. For the scenario in the process unit, set the SupportsProcessManagement metadata attribute to A to allow alerts.
2. Assign the user to the Receive E-mail Alerts for Process Management role.
3. Assign the user to Process Management notifiable roles as defined in Table 30.
4. Assign the user ALL or PROMOTE access to the security classes assigned to the scenario and entity in the process unit and add an alert for each security class.

Users who meet all criteria receive e-mail alerts.
Table 30 Process Management User Roles and Alert Notification

| Process Unit Level Before or After Action | Process Management User Roles Notified |
|---|---|
| First Pass | Users with ALL or PROMOTE access to the entity are notified. |
| Review Level 1 | Reviewer 1 and Submitter roles are notified. |
| Review Level 2 | Reviewer 2 and Submitter roles are notified. |
| Review Level 3 | Reviewer 3 and Submitter roles are notified. |
| Review Level 4 | Reviewer 4 and Submitter roles are notified. |
| Review Level 5 | Reviewer 5 and Submitter roles are notified. |
| Review Level 6 | Reviewer 6 and Submitter roles are notified. |
| Review Level 7 | Reviewer 7 and Submitter roles are notified. |
| Review Level 8 | Reviewer 8 and Submitter roles are notified. |
| Review Level 9 | Reviewer 9 and Submitter roles are notified. |
| Review Level 10 | Reviewer 10 and Submitter roles are notified. |
| Submitted | Review Supervisor role is notified. Only users with this role can approve the submitted process unit. |
| Approved | Reviewer 1 to Reviewer 10 and Submitter roles are notified. |
| Published | Users with ALL, READ, or PROMOTE access to the entity are notified. |

Note: E-mail alerts are not generated when the process unit is at the Not Started level or for the Sign Off action.

Users with the Application Administrator role do not receive e-mail alerts. For a user with the Application Administrator role to receive e-mail alerts, set up as a separate user and assign the role to receive alerts.

The user that performed the action to the process unit is also notified with an e-mail confirmation log stating to whom e-mails were sent.

Intercompany Transaction Alerting

To set up intercompany transaction e-mail alerts:
1. Assign the user to the Receive E-mail Alerts for IC Transactions role.
2. Assign the user to the Inter-Company Transaction Admin or Inter-Company Transaction User role.
3. Assign the user ALL, READ, or PROMOTE access to the security classes that are assigned to the scenario and entity in the transaction and add an alert for each security class.
   See Assigning User Access to Security Classes.
Users who meet all criteria receive e-mail alerts from the Intercompany Transactions or Intercompany Partner Matching Report modules. For information on generating e-mail alerts in intercompany transactions, see the Hyperion System 9 Financial Management User's Guide.

Running Security Reports for Financial Management Applications

You can run security reports on the information that you selected while setting up security for the application. You can run reports for classes by user, roles by user, classes and roles by user, and users by group. You can view the report online or you can export it to a CSV file.

To create a security report:
1. Select a report option:
   - Rights
     - Classes by User
     - Roles by User
   - Users by Group
2. Select an option:
   - Launch Report to open the report in a new window
   - Export to File to save the report as a CSV file.

Migrating Financial Management Users to Shared Services Security

For information on migrating users to Shared Services security, see Using the Schema Upgrade Utility in the Hyperion System 9 Financial Management Installation Guide.
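The process management alert criteria and Table 30 from this appendix, combined into one check that answers who is mailed at a given process unit level. This is an added example, not Financial Management code; the User fields, the action name Promote, and the sample users are assumptions. Where step 4 (ALL or PROMOTE) and the Published row of Table 30 (which adds READ) differ, the sketch follows Table 30.

```python
from dataclasses import dataclass, field

ALERT_ROLE = "Receive E-mail Alerts for Process Management"
APP_ADMIN = "Application Administrator"
REVIEWERS = {f"Reviewer {n}" for n in range(1, 11)}


@dataclass
class User:
    # Field names are hypothetical; they model the criteria listed in this appendix.
    name: str
    roles: set = field(default_factory=set)
    access: str = "NONE"        # access to the scenario's and entity's security classes
    alert_added: bool = False   # an alert was added for each of those security classes
    in_directory: bool = True   # e-mail address is held in Active Directory or LDAP


def table_30_match(level, user):
    """True when Table 30 names this user for the given process unit level."""
    if level == "First Pass":
        return user.access in {"ALL", "PROMOTE"}
    if level.startswith("Review Level "):
        n = level.rsplit(" ", 1)[1]
        return bool({f"Reviewer {n}", "Submitter"} & user.roles)
    if level == "Submitted":
        return "Review Supervisor" in user.roles
    if level == "Approved":
        return bool((REVIEWERS | {"Submitter"}) & user.roles)
    if level == "Published":
        return user.access in {"ALL", "READ", "PROMOTE"}
    return False  # Not Started, or a level Table 30 does not list


def alert_decision(user, level, action, supports_process_management):
    """Return (receives_alert, reason) for one user and one process unit event."""
    if supports_process_management != "A":
        return False, "scenario SupportsProcessManagement is not A"
    if level == "Not Started" or action == "Sign Off":
        return False, "no alerts at Not Started or for Sign Off"
    if APP_ADMIN in user.roles:
        return False, "Application Administrators do not receive alerts"
    if ALERT_ROLE not in user.roles:
        return False, "missing the alert role"
    if not user.in_directory:
        return False, "no e-mail address in Active Directory or LDAP"
    if not user.alert_added:
        return False, "no alert added on the security classes"
    # Step 4 requires ALL or PROMOTE; the Published row of Table 30 also lists READ.
    allowed = {"ALL", "PROMOTE"} | ({"READ"} if level == "Published" else set())
    if user.access not in allowed:
        return False, "insufficient access to the security classes"
    if not table_30_match(level, user):
        return False, "role not notified at this level"
    return True, "meets all criteria"


def recipients(users, level, action, supports_process_management="A"):
    """Sorted names of the users who would be mailed for this event."""
    return sorted(
        u.name for u in users
        if alert_decision(u, level, action, supports_process_management)[0]
    )


# Constructed sample users for the review.
USERS = [
    User("rev2", {ALERT_ROLE, "Reviewer 2"}, "PROMOTE", True),
    User("submitter", {ALERT_ROLE, "Submitter"}, "ALL", True),
    User("reader", {ALERT_ROLE}, "READ", True),
    User("admin", {ALERT_ROLE, APP_ADMIN, "Review Supervisor"}, "ALL", True),
    User("supervisor", {ALERT_ROLE, "Review Supervisor"}, "ALL", False),
]

if __name__ == "__main__":
    for lvl in ("First Pass", "Review Level 2", "Submitted", "Published"):
        print(lvl, recipients(USERS, lvl, "Promote"))
```

The reason string in `alert_decision` is what makes the check useful in an access review: it shows which single criterion keeps a user off, or on, the recipient list.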
Appendix F: Planning User Provisioning

In This Appendix
- Launching User Management Console From Planning
- Returning to Planning From User Management Console
- Updating Users and Groups in Planning
- Roles in Planning
- About Connection Types and Planning
- Migrating Users to Shared Services

After setting up users and groups, you assign their access permissions to dimension members, data forms, and task lists from within Planning or from User Management Console. To assign access in Planning, see the Hyperion Planning - System 9 Administrator's Guide.

Launching User Management Console From Planning

To launch User Management Console from within Planning, select Administration > User Management.

User Management Console opens in the same browser window as the Planning application.

Returning to Planning From User Management Console

If you launch User Management Console from within a Planning application, you can return to your previous place in the Planning application.

To return to the Planning application from User Management Console:
1. From within User Management Console, select File > Return to Application <application name>.
2. Click OK.

Updating Users and Groups in Planning

Planning and Business Rules get the latest list of users, groups, and roles from User Management Console when:
- The application is refreshed with Security Filters selected.
- The ProvisionUsers utility is run. (See Updating Users With a Utility on page 166.)
- Someone logs into the application; Planning synchronizes that user with User Management Console.

Migrating User and Group Identities

When you change a user or group's identity or their position in the user directory hierarchy, you must update or migrate this information to Planning.

To migrate changed user and group identities from User Management Console to Planning:
1. Take an action:
   - Select Administration > Manage Data Forms and select a data form.
   - Select Administration > Dimensions and select a dimension member.
   - Select Administration > Manage Task Lists and select a task list.
2. Click Assign Access.
3. Click Add Access or Edit Access.
4. Click Migrate Identities.

Deprovisioning or Deleting Users and Groups

When you deprovision or delete users or groups in Shared Services, you should update the user and group tables in the Planning relational database to conserve space.

To remove deprovisioned users and groups from the Planning database tables:
1. Take an action:
   - Select Administration > Manage Data Forms and select a data form.
   - Select Administration > Dimensions and select a dimension member.
   - Select Administration > Manage Task Lists and select a task list.
2. Click Assign Access.
3. Click Add Access or Edit Access.
4. Click Remove Non-provisioned Users/Groups.

Updating Users With a Utility

The ProvisionUsers utility, run by administrators through a command line interface, synchronizes users maintained in User Management Console with a Planning application.
To use the utility, launch the ProvisionUsers.cmd file from the bin directory, using the following syntax:

    ProvisionUsers /ADMIN:adminName /PASS:password /A:appName [/U:user1[;user2;user3]] [/R:n]

If you installed Planning in the default location, the bin directory is in this path: <HYPERION_HOME>:/Planning/bin.

Table 31 ProvisionUsers Syntax

| Parameter | Description | Required? |
|---|---|---|
| /ADMIN:adminName | The administrator's name for logging on to the Planning application. | Yes |
| /PASS:password | The administrator's password. | Yes |
| /A:appName | The Planning application to synchronize (must be on the server on which the utility is run). | Yes |
| [/U:user1[;user2;user3]] | Specifies users to synchronize. For example, to synchronize users Planner1 and Planner2, use /U:Planner1;Planner2. Omitting this argument synchronizes all users. | No |
| [/R:n] | Specifies an interval, in minutes, in which synchronization is run. For example, to synchronize every 30 minutes, use /R:30. Omitting this argument performs the synchronization once. | No |
| /? | Specified by itself, prints the syntax and options for ProvisionUsers. | No |

Example 1

Entering:

    ProvisionUsers /ADMIN:admin /PASS:password /A:App1

Synchronizes all users in the App1 application.

Example 2

Entering:

    ProvisionUsers /ADMIN:admin /PASS:password /A:App2 /U:Planner1 /R:60

Synchronizes user Planner1 in the App2 application every 60 minutes.

Roles in Planning

Subject to the applicable license for the software and users, Planning supports the roles described in the Appendix A, Hyperion Product Roles.
Write Access to Data in Essbase

All administrators have write access to Planning data in Essbase. By default, security filters that Planning generates in Essbase for planners and interactive users are read-only. However, you can grant planners and interactive users the same access permissions they have in Planning to data in Essbase by assigning them the Analytic Services Write Access role. Using another product such as Financial Reporting, Essbase Excel Add-in, or third-party tools, they can then change Planning data to which they have write access in Planning directly in Essbase.

Note: Security filters are always read-only for view users.

Roles Between Planning and Business Rules

Table 32 Roles in Planning and Business Rules

| Planning Role | Business Rules Role | Tasks Performed |
|---|---|---|
| Administrator | Administrator | Designs business rules. Launches business rules for a Planning application. |
| Interactive user | Interactive user | Designs business rules. Launches rules that have been assigned Launch permissions by an administrator. |
| Planner | Basic user | Launches business rules that have been assigned Launch permissions by an administrator. |
| View user | None | None |

If a Planning user has different roles across Planning applications, the user's highest role is used in Business Rules. For example, if a user is an administrator in one application and a planner in another application, the user becomes an administrator in Business Rules.

Access Permissions Between Planning and Essbase

After security filters are updated in the Essbase database, a Planning user's access in Essbase depends on the user type that establishes the connection.

Table 33 Access Permissions Between Planning and Essbase

| User Type for Connection | View User | Planner | Interactive User | Administrator |
|---|---|---|---|---|
| Named User | Filter Access | Calculate | Calculate | Database Designer * |

* Not reflected in Application Manager.
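The role rules in this section (Table 32, the highest-role rule, and the Essbase write-access rule) can be applied to an export of role assignments to see what each user effectively gets. The sketch below is an added example, not Oracle or Hyperion code; the privilege ordering of the Planning roles, the tuple layout, and the sample users and applications are assumptions made for illustration.

```python
from collections import defaultdict

# Planning roles in ascending order of privilege. The ordering is an assumption:
# the guide only states that the user's highest role is used in Business Rules.
RANK = {"View user": 0, "Planner": 1, "Interactive user": 2, "Administrator": 3}

# Table 32: Planning role -> Business Rules role.
TO_BUSINESS_RULES = {
    "Administrator": "Administrator",
    "Interactive user": "Interactive user",
    "Planner": "Basic user",
    "View user": None,
}


def business_rules_role(planning_roles):
    """Business Rules role for one user, from the user's Planning role in every application."""
    roles = list(planning_roles)
    if not roles:
        return None
    return TO_BUSINESS_RULES[max(roles, key=RANK.__getitem__)]


def essbase_access(planning_role, has_write_access_role):
    """Access that the generated Essbase security filter gives to Planning data."""
    if planning_role not in RANK:
        raise ValueError(f"unknown Planning role: {planning_role!r}")
    if planning_role == "Administrator":
        return "write"          # all administrators have write access
    if planning_role == "View user":
        return "read-only"      # filters are always read-only for view users
    # Planners and interactive users are read-only unless they hold the
    # Analytic Services Write Access role.
    return "same as Planning" if has_write_access_role else "read-only"


def review(assignments):
    """Summarise effective access per user.

    assignments: iterable of (user, application, planning_role, has_write_access_role).
    """
    per_user = defaultdict(dict)
    for user, app, role, write_role in assignments:
        if role not in RANK:
            raise ValueError(f"unknown Planning role: {role!r}")
        per_user[user][app] = (role, write_role)

    report = {}
    for user, apps in per_user.items():
        top = max(RANK[role] for role, _ in apps.values())
        report[user] = {
            "business_rules_role": business_rules_role(r for r, _ in apps.values()),
            # Applications where the user holds a lower Planning role than the
            # one that decides the Business Rules role.
            "elevated_in": sorted(a for a, (r, _) in apps.items() if RANK[r] < top),
            "essbase": {a: essbase_access(r, w) for a, (r, w) in apps.items()},
            # The write-access role has no effect for a view user.
            "write_role_no_effect": sorted(
                a for a, (r, w) in apps.items() if w and r == "View user"
            ),
        }
    return report


# Constructed sample data (user and application names are invented).
SAMPLE = [
    ("asmith", "Budget", "Administrator", False),
    ("asmith", "Forecast", "Planner", False),
    ("bjones", "Budget", "Planner", True),
    ("cdoe", "Budget", "View user", True),
]

if __name__ == "__main__":
    for user, row in sorted(review(SAMPLE).items()):
        print(user, row)
```

The `elevated_in` list is the part worth reading in a least-privilege review: it names the applications where a user is only a planner or view user yet acts with a higher Business Rules role because of a role held elsewhere.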
About Connection Types and Planning

Planning establishes a connection to the Essbase database using the appropriate user type.

Table 34 Connection Types and Planning

| Program Used to Log on to Planning Application | Essbase Connection |
|---|---|
| Planning and Oracle's Hyperion Smart View for Office client through the Planning provider | Pool of supervisor user connections |
| Oracle's Hyperion Financial Reporting System 9, Business Rules, and third-party tools | Named user |

Migrating Users to Shared Services

If you are upgrading a Planning application from an earlier release, follow the instructions in the Hyperion Planning - System 9 Installation Guide. Before users can log on to the new release of Planning, you must also migrate the upgraded application's users and groups to the User Management Console.

To migrate existing users and groups for a Planning application to the User Management console:
1. After logging in to the Planning application, a message prompts you to migrate the existing users and groups, and a Migrate Users and Groups button is displayed.
2. Click Migrate Users and Groups.

If the migration is successful, the application is populated with the existing user and group role assignments and the Migrate Users and Groups button no longer displays. All Planning groups are added to Native directory in the User Management Console. Planning administrators that are migrated to the User Management console are automatically assigned the Provisioning Manager role.

If the migration is not successful, a window displays the users and groups that failed to migrate. Take an action:
- Click OK to ignore the errors and complete the migration.
- Click Cancel to cancel the migration and resolve the errors.

Until you have completed the migration process, Oracle's Hyperion Planning System 9 presents the Migrate Users and Groups button each time you log on.
Appendix G: Business Rules User Provisioning

In This Appendix
- About Business Rules Security
- Launching User Management Console
- Business Rules User Roles
- Migrating Business Rules Users to Shared Services Security

This appendix provides information that is specific to Business Rules and User Management Console within Shared Services. User Management Console provides a centralized user interface where you can perform user management tasks for Hyperion products.

About Business Rules Security

When you migrate Analytic Administration Services and Business Rules users, groups, and roles to Shared Services, the users and groups are automatically provisioned for use in Business Rules and other Hyperion products. For more information on managing users and groups in Shared Services, see Chapter 7, Managing Native Directory.

After users and groups are migrated to Shared Services, you assign Business Rules roles to them. Business Rules has three predefined roles that you can assign to users and groups: administrator, interactive user, and basic user. These roles determine what tasks users and groups can perform on Business Rules repository objects, such as business rules, sequences, macros, variables, and projects, while working in Business Rules. For a description of Business Rules roles, see Business Rules User Roles on page 172. For information on assigning roles from Shared Services, see Chapter 8, Managing Provisioning.

After you assign roles to users and groups in Shared Services, you assign them access permissions to repository objects in Business Rules. For example, you might want to assign a user access permissions to edit all of the business rules in a Business Rules project. See the Hyperion Business Rules Administrator's Guide or the Hyperion Business Rules Hyperion Essbase - System 9 Administration Services Online Help.
Launching User Management Console

To launch User Management Console from the Windows Start menu:
1. Select Programs > Hyperion > Foundation Services > User Management Console.
2. Create users and groups. See Chapter 7, Managing Native Directory.
3. Provision users and groups. See Chapter 8, Managing Provisioning.

Business Rules User Roles

Subject to the applicable license for the software and users, Oracle's Hyperion Business Rules supports three pre-defined user roles. For information about assigning Business Rules roles to users and groups, see Chapter 8, Managing Provisioning.

Note: You cannot edit Business Rules roles.

Administrator: A user or group who has the role of administrator can do any of the following tasks:
- Create, launch, edit, validate, and manage business rules, sequences, macros, variables, and projects
- Assign access permissions to business rules, sequences, macros, variables, and projects
- Create and edit users and groups
  Note: You create and edit users and groups in User Management Console. You cannot create users and groups in Business Rules.
- Set up the repository and log file
  Note: You set up the repository and log file using the Configuration Utility in Shared Services.

Interactive User: A user or group who has the role of interactive user can do any of the following tasks (as long as they are assigned by an administrator):
- Create business rules, sequences, macros, variables, and projects
- Assign access permissions to business rules, sequences, macros, variables, and projects

Basic User: A user or group who has the role of basic user can do any of the following tasks (as long as they are assigned by an administrator):
- Launch business rules and sequences to which the user has access
- View business rules and sequences to which the user has access
- View all variables and macros
- Edit specific business rules, sequences, macros, variables, and projects for which the user was granted editing permissions

Migrating Business Rules Users to Shared Services Security

To migrate native Analytic Administration Services and Business Rules users to Shared Services, you need to run the Externalize Users utility in Analytic Administration Services. When you run this utility, all native Analytic Administration Services and Business Rules users from the previous release are copied from the Analytic Administration Services/Business Rules repository into the Shared Services repository. (See the Essbase Administration Services Installation Guide.)

After you run the Externalize Users utility, you upgrade the Business Rules repository from the previous release to this release of Business Rules using the Migrate Repository feature in Business Rules (for releases 3.x through 4.0) or the Configuration Utility (for releases 4.1 through the current release). When you upgrade the repository to this release, the repository is also upgraded automatically in Shared Services. (See the Hyperion Business Rules Administrator's Guide.)

During the repository upgrade, Business Rules roles assigned to users are migrated and assigned equivalent roles in Shared Services. In addition, any Business Rules groups are migrated to Shared Services. If the groups have roles assigned to them, these roles are also migrated and assigned equivalent roles in Shared Services. If a Business Rules group does not exist in Shared Services, it is created.

When you upgrade the Business Rules repository, all Business Rules repository objects, including rules, sequences, variables, macros, projects, and database locations and access permissions assigned to them, are upgraded in Shared Services. Now you are ready to use Shared Services to manage security for Business Rules.
Appendix H: Performance Scorecard User Provisioning

In This Appendix
- Launching User Management Console from Performance Scorecard
- Creating and Provisioning Users and Groups over Shared Services
- Migrating Performance Scorecard Users and Groups to Shared Services Security

You can provision users for Performance Scorecard using Shared Services. This feature enables you to use existing user information for a number of Hyperion applications, or to provision multiple users at one time.

To provision users through Shared Services, you need to select this as an option after installation, when you run the Configuration Utility, as outlined in the Hyperion Performance Scorecard - System 9 Installation Guide. The Shared Services Administrator must also be provisioned to the Performance Scorecard application.

The provisioning process requires you to have both Shared Services and Performance Scorecard configured and running. External authentication ensures that the applications can communicate seamlessly to provision users easily and accurately.

The information in this Appendix provides instructions for the Performance Scorecard portion of user provisioning only. See Performance Scorecard Roles on page 143 for information on Performance Scorecard roles.

Launching User Management Console from Performance Scorecard

This section describes how to launch User Management Console from within Performance Scorecard.

To launch User Management Console:
1. Log on to Performance Scorecard as an administrator.
2. Ensure the Shared Services server is running.
3. From Performance Scorecard, select Administration > User Management. The User Management Console on Shared Services is displayed.
From the Shared Services User Management Console, you can perform the following tasks:
- Add and provision new users
- Modify or delete existing users
- Perform bulk provisioning of multiple users

For detailed instructions on using User Management Console, refer to Chapter 3, User Management Console.

Managing Permissions in Performance Scorecard

User provisioning through Shared Services requires configuration on both the Shared Services server and Performance Scorecard application. You can provision users and groups individually, or migrate existing users on Performance Scorecard to perform user provisioning on multiple users.

When you configure the application in the Configuration Utility after installing Performance Scorecard, you must use the Shared Services server, which automatically points to the Shared Services CSS.xml file for external authentication. This step enables Performance Scorecard and the Shared Services server to communicate seamlessly when provisioning users.

Note: The Shared Services Administrator must also be provisioned to the Performance Scorecard application.

You can access Shared Services through Performance Scorecard or directly, using the appropriate URL. The URL to User Management Console is in the following format: name>:<port number>/interop

Creating and Provisioning Users and Groups over Shared Services

You can provision users and groups for Performance Scorecard using Shared Services. This feature enables you to use existing user information for a number of Hyperion applications, or to provision multiple users at one time.

In order to provision users for Performance Scorecard from existing users in Shared Services, you need to select this as an option after installation, when you run the Configuration Utility, as outlined in the Hyperion Performance Scorecard - System 9 Installation Guide. The Shared Services Administrator must also be provisioned to the Performance Scorecard application.
When you configure the application in the Configuration Utility after installing Performance Scorecard, you must use the Shared Services server, which automatically points to the Shared Services CSS.xml file for external authentication. This step enables Performance Scorecard and the Shared Services server to communicate seamlessly when provisioning users.
The provisioning process requires you to have both the Shared Services server and Performance Scorecard configured and running. External authentication ensures that the applications can communicate seamlessly to provision users easily and accurately.

To provision users to enable them to use Performance Scorecard, these main steps are required:
1. Register with Shared Services.
2. Create the users and groups.
3. Provision the users and groups with the Performance Scorecard properties: security role, employee and primary domain.
4. Assign the Performance Scorecard properties to users and groups, either individually or using one-time bulk provisioning.

Access Permissions

User provisioning through Shared Services requires configuration on both the Shared Services server and Performance Scorecard applications. You can provision users and groups individually, or using bulk provisioning.

Note: The Shared Services Administrator is automatically provisioned to the Performance Scorecard application.

Before You Begin

Before you create and provision users using Shared Services, ensure the following conditions have been completed:
- Performance Scorecard has been configured to use Shared Services-based provisioning, and to obtain directory definition file from Shared Services (css.xml).
- The Performance Scorecard application has been registered on Shared Services. Registration is managed through the Oracle's Hyperion Configuration Utility, and may be performed during installation or later. For instructions on configuring and registering Performance Scorecard applications with Shared Services, refer to the Hyperion Performance Scorecard - System 9 Installation Guide.
- Shared Services is running
- Performance Scorecard is running

Creating a New User or Group Using Shared Services

You can create users for Performance Scorecard through Shared Services User Management Console.

To create and provision a new user from Performance Scorecard:
1. Ensure the Shared Services server is running.
2. Log on to Performance Scorecard as an Administrator.
3. From Performance Scorecard, select Administration > User Management. The Shared Services User Management Console is displayed.
4. From the Shared Services User Management Console, create and provision the users and groups as outlined in the Hyperion Security Administration Guide.
5. After the users and groups are provisioned, assign Performance Scorecard user and group properties using one of these options:
   - Assign properties individually, as outlined in Assign Performance Scorecard Properties Individually on page 178.
   - Assign bulk properties for all provisioned users at one time, as outlined in Assign Bulk Properties in Performance Scorecard on page 179.

Assign Performance Scorecard Properties Individually

After a user or group has been created and provisioned, all active directly and indirectly provisioned users and groups must be assigned Performance Scorecard-specific attributes or properties. If the users or groups are not assigned the Performance Scorecard permissions, the user logon is rejected by Performance Scorecard as an unknown user.

Individual user or group properties are created each time the properties are edited and saved on Oracle's Hyperion Shared Services User Management Console. If this step is skipped, user logon will be rejected by Performance Scorecard due to unknown user.

To assign Performance Scorecard permissions individually:
1. Log on to Performance Scorecard as an Administrator.
2. From the View pane, select Projects, and expand the tree to select the project and application to which the newly provisioned user has been assigned. The Available Users and Groups list for the selected project is displayed.
3. Select the name of the newly provisioned user from the list, and click Next.
4. On Manage Properties, click Select to select the employee. The Select Employee dialog box is displayed.
5. From Select Employee, select the name of the Performance Scorecard employee record that is to be associated with the selected user ID.
6. Optional: From Primary Domain on the Manage Properties tab, select a Primary Domain for the user.
7. Under Security Roles, select the Performance Scorecard security role that you want to assign to the user. For detailed information on Performance Scorecard security roles, refer to the Hyperion Performance Scorecard - System 9 Administrator's Guide.
8. Click Finish to complete the provisioning of the user for both Shared Services and Performance Scorecard.

Assign Bulk Properties in Performance Scorecard

As an alternative to assigning permissions individually, you can assign permissions to all newly provisioned users and groups at one time.

The Synchronize with Shared Services button is provided on the User Account List and Group Account List page which updates Performance Scorecard with newly provisioned users or groups in Shared Services.

When you synchronize users:
- Group synchronization is implicitly launched to ensure that associated user groups become available for the user.
- All active directly and indirectly provisioned users are pulled from Shared Services.
- The Shared Services list is compared to the Performance Scorecard User Account, matched by Logon Name (user id).
- Any missing user accounts are automatically created.
- The appropriate default security role is set based on directly and indirectly provisioned role (Performance Scorecard Power Manager > admin, Performance Scorecard Interactive > designer, Performance Scorecard Basic > user).
- An employee record is created and associated with each created user. The first name, last name, and e-mail ID are obtained from directory user information.
- All user accounts that are no longer provisioned in Shared Services are listed for optional deletion. The list excludes the default admin, designer, and user accounts.

When you synchronize groups:
- All active directly and indirectly provisioned groups are pulled from Shared Services.
- The Shared Services list is compared to the Performance Scorecard Group Account, matched by Group Name.
- Any missing group accounts are automatically created.
- The appropriate default security role is set based on the directly and indirectly provisioned roles (Performance Scorecard Power Manager > admin, Performance Scorecard Interactive > designer, Performance Scorecard Basic > user).
- All group accounts that are no longer provisioned in Shared Services are listed for optional deletion.

To assign bulk Performance Scorecard permissions:
1. Log on to Performance Scorecard as an Administrator.
2. From Object View, select Security > User Account List. The list displays all existing Performance Scorecard users and provisioned Shared Services users. For Groups, select Security > Group Account List.
3. On the Account List, click Synchronize with Shared Services to update user or group account information in Performance Scorecard with the provisioned users and groups in Shared Services. A confirmation message is displayed.
4. Click Yes to confirm you want to synchronize all users with users on the Shared Services server. The users and groups are synchronized, and the results are displayed on the Synchronized with Shared Services Results window. The results show the names of all users and groups that were newly provisioned, and the names of any users and groups who are no longer provisioned on Shared Services.
5. Select any users or groups that you want to delete, and complete the synchronization.

Migrating Performance Scorecard Users and Groups to Shared Services Security

When you have a large number of users and groups to provision through Shared Services, you can perform a one-time migration.
For example, you can provision all existing members at once with the same security access. Subsequently, you can assign the properties to individual users or groups who require particular access after the main transfer.

Caution! The Migration option is only available once. After you have migrated the bulk of your users and groups in this one-time operation, the option is disabled and cannot be used again.

Before performing a migration, the following tasks must be performed:
- Ensure that the Performance Scorecard Administrator exists in Shared Services, and has been assigned the security role of Provisioning Manager.
- Ensure that the Performance Scorecard application has been registered and assigned to a project in Shared Services.
- Ensure that all employee e-mail addresses are in a valid and correct format, such as <user>@<provider>.com. Any users with incorrect e-mail addresses will not be migrated correctly.

Refer to the Hyperion Security Administration Guide for detailed instructions.

To migrate users and groups to Shared Services from Performance Scorecard:
1. Ensure the Shared Services server is running.
2. Log on to Performance Scorecard as an Administrator.
3. From Performance Scorecard, select Administration > User Provisioning Migration. The Shared Services Administrator For Migration page is displayed.
4. Enter the User ID and Password for the Administrator. The migration administrator must exist in Shared Services, and have been assigned as the Provisioning Manager.
5. Click Next to display the Pre-Migration Check page.
6. Click Perform Pre-Migration Check to verify existing data, and create the database tables for the migration. As the verification progresses, appropriate status messages are displayed. A message is shown when the pre-migration progress check is complete. Click OK to dismiss the message and continue.
7. Click Next to display the Externalize Users page. The page shows a list of all users in the model, their details and service provider. The Migration Action status is displayed as Migrate.
8 For each user that you DO NOT WANT to include in the migration, click Edit. The Migration dialog box is displayed.
9 From Migration Action, select Do Not Migrate for the selected user, then click Save.
This user will not be included in the one-time migration. In future, if the user needs to be added to the Shared Services list, you must add the user individually, as outlined in Creating and Provisioning Users and Groups over Shared Services on page 176.

Caution! Because the Migration option is only available once, Hyperion recommends that you include as many users in the migration as possible. After you have migrated the bulk of your users in this one-time operation, the option is disabled and cannot be used again.

10 Repeat step 9 for each user that you want to exclude from the migration.
11 Optional: When the list of users is complete, select the Externalize Groups tab to select the groups that you want to migrate. The page shows a list of all groups in the model, the details and service provider. The Migration Action status is displayed as Migrate.
12 For each group that you DO NOT WANT to include in the migration, click Edit. The Migration dialog box is displayed.
13 From Migration Action, select Do Not Migrate for the selected group, then click Save. This group will not be included in the one-time migration. In future, if the group needs to be added to the Shared Services list, you must add the group individually, as outlined in Creating and Provisioning Users and Groups over Shared Services on page 176.

Caution! Because the Migration option is only available once, Hyperion recommends that you include as many users in the migration as possible. After you have migrated the bulk of your users in this one-time operation, the option is disabled and cannot be used again.

14 Repeat step 13 for each group that you want to exclude from the migration.
15 When the list of groups is complete, click Next to display the Migration to Shared Services page.
16 Click Test migration. A confirmation is displayed when the test migration process has been successfully completed. Click OK to dismiss the message. If a problem is indicated in the migration status messages, correct any errors and try again.
17 Click Migrate to begin the migration process. The progress of the migration is indicated by the Migration status messages. A message is displayed to advise the migration has been successfully completed. All migrated users and groups are displayed, and have the inherited Oracle's Hyperion Performance Scorecard System 9 attributes for their security roles.
Appendix I: Business Modeling Roles and Tasks

In This Appendix: Administrator, Builder, End User

Administrator

The administrator manages users, security and databases, both on the desktop and the Web. On the desktop component of the application, the administrator is responsible for these tasks:
- Set up and maintain databases and containers
- Create and drop database tables
- Install and configure application and associated properties
- Set up and modify authentication settings
- Manage users and groups
- Provision users to specific models and model data
- Assign owners to models and scenarios
- Convert models

For the Web component of the application, the administrator is responsible for the following tasks:
- Configure application and Web servers
- Set up global tools on the Web Home Page, as outlined in the Hyperion Business Modeling Web User's Guide.

In some instances, the tasks assigned to the administrator and model builder may overlap. The Hyperion Business Modeling Model Builder's Guide provides additional detail and explanation in cases where the administrator requires more information about the application.

If you are planning to import and export meta data and data between authorized Hyperion applications through Shared Services, the administrator is also responsible to register products, set up and manage models over the Shared Services, and create data integrations.
Builder

The builder or model builder is the user who actually creates the original model or enterprise model by defining all elements of the model, such as boxes, links, variables and financial values, and attaching financial data. The builder can perform the following tasks:
- Build and update models
- Calculate models and save results to Essbase or a relational database
- Assign permissions for users to specific models and model data
- Designate which portions of a model are available for sharing over the Web
- Play scenarios in the application and over the Web
- Generate reports in the application and over the Web
- Create integrations for the Oracle's Hyperion Business Modeling Adapter.

For detailed information on building a model, refer to the Hyperion Business Modeling Model Builder's Guide.

End User

The end user's role is an integral part of updating model periods and playing with scenarios. Using business and operational knowledge to adjust parameters for the original model, the end user can experiment with the workings of the scenario over the Web to search for process improvements, time or money savings, or unexpected bottlenecks or benefits. Based on security set by the model builder, the end user can perform these tasks:
- Update model period data
- Modify available data to play scenarios over the Web
- Generate reports over the Web
- Compare multiple scenarios
- Save changes to forward to the model owner
- Save changes as a new scenario to be shared with other users.
Appendix J: Essbase Provider Services User Provisioning

In This Appendix: Provisioning the Administrator Role in Shared Services, Migrating Analytic Provider Services Users to Shared Services

Provisioning the Administrator Role in Shared Services

Use Shared Services to provide security for Provider Services, which is administered through Administration Services. To use Shared Services security, you must register Provider Services with Shared Services.

In Shared Services mode, the only role that you must assign for Provider Services is the Administrator role to create, modify, and delete Analytic Server clusters. Only the Administrator can create Essbase clusters in Provider Services. No other roles can be assigned. Nonadministrator users can only connect to the clusters.

To provision the Administrator role:
1 Log into Shared Services User Management Console at: /interop/. For example,
2 In Logon, enter the administrator username and password. By default, admin and password are the username and password.
3 Click Log on.
4 In the navigation pane, expand Projects and APS Servers. Provider Services is listed.
5 To create a user to provision:
   a. In the navigation pane, expand User Directories and a directory, such as Native Directory.
   b. Select Users and right-click, then select New.
   c. Fill in the information to create a new user.
   d. Click Next to add the user to one or more existing groups, or click Finish.
   e. Click OK to add the user, or click Create Another to continue adding users.
6 To select an existing user to provision:
   a. In the navigation pane, expand User Directories and a directory, such as Native Directory.
   b. Select Users, right-click, then select Show All.
7 To search for a particular user, enter the user ID in the User box, then click Search.
8 From the list, select a user ID and select Provision.
9 In Provision Users or Groups, expand APS Servers and expand the name of Provider Services.
10 Select Administrator and select to select the role.
11 Click Save. The user is provisioned as a Provider Services administrator. Log into Oracle's Essbase Administration Services Console with the administrator user name and password to create and manage Analytic Server clusters.
12 In Provision Summary, review the provisioning information and click OK.

Migrating Analytic Provider Services Users to Shared Services

Because Oracle's Hyperion Provider Services has no other users, migration to Shared Services is unnecessary.
Appendix K: Data Integration Management User Provisioning

In This Appendix: Authentication Methods, Data Integration Management User Roles

You can provision users for Data Integration Management using Shared Services User Management Console. This feature enables you to use existing user information for a number of Hyperion applications, or to provision multiple users at one time.

Note: You also use the User Management Console to modify or delete user provisioning for Data Integration Management.

As with other Hyperion products, Data Integration Management should be registered with Shared Services with application-specific roles. When users are provisioned for Data Integration Management in Shared Services, they can use Informatica, and there is no need to create those users again in Informatica.

This appendix covers only the Data Integration Management portion of user provisioning. For detailed instructions on starting and using the Shared Services User Management Console, see the Hyperion Security Administration Guide.

Provisioning users for Data Integration Management involves two tasks:
1. Using the Shared Services User Management Console to provision the users
2. Synchronizing users with Hyperion Configuration Utility to push them to the Informatica repository.

Authentication Methods

Data Integration Management is integrated with Informatica PowerCenter to provide a way of uniting disparate sources of data across an enterprise. You can configure Data Integration Management to use either Shared Services authentication or native Informatica authentication.

Note: You can use Shared Services authentication with Data Integration Management installations on Windows, AIX, Linux, or Solaris platforms but not on HP-UX platforms.
For Shared Services authentication, you must register Data Integration Management with Shared Services and select the Use Hyperion Shared Services Authentication option when you configure Data Integration Management with Shared Services. Otherwise, Data Integration Management uses Informatica native authentication.

Data Integration Management User Roles

Users and roles within Shared Services that have been provisioned for Data Integration Management should be synchronized with the Informatica repository. As part of this synchronization, provisioned users are registered with Informatica. The roles assigned to each user are synchronized with Informatica group assignments.

Hyperion Configuration Utility can create a batch file for synchronizing users. You can then run the batch file to perform user synchronization whenever users are provisioned or deprovisioned with the Oracle's Hyperion Shared Services User Management Console. This batch file is created if you select the Generate Batch File option when synchronizing users with Oracle's Hyperion Configuration Utility.

The following table describes Data Integration Management roles:

Role: Data Integration Management Administrator
Privileges: Workflow Operator, Use Designer, Browse Repository, Use Workflow Manager, Admin Repository, Admin Server, Use Repository Manager

Role: Data Integration Management Designer
Privileges: Workflow Operator, Use Designer, Browse Repository, Use Workflow Manager

Role: Oracle's Hyperion Data Integration Management Operator
Privileges: Workflow Operator, Browse Repository
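The role table above can drive a least-privilege review of provisioning before the synchronization batch file pushes assignments to the Informatica repository. The following Python script is an added example, not Oracle or Hyperion code; the short role names, the per-user `needs` input (privileges each job function requires) and all sample users are assumptions constructed for illustration.

```python
"""Least-privilege review for Data Integration Management role assignments."""

# Role -> privileges, transcribed from the role table in this appendix.
# The short keys are assumed names for the three roles in that table.
ROLE_PRIVILEGES = {
    "Administrator": frozenset({
        "Workflow Operator", "Use Designer", "Browse Repository",
        "Use Workflow Manager", "Admin Repository", "Admin Server",
        "Use Repository Manager",
    }),
    "Designer": frozenset({
        "Workflow Operator", "Use Designer", "Browse Repository",
        "Use Workflow Manager",
    }),
    "Operator": frozenset({"Workflow Operator", "Browse Repository"}),
}
ALL_PRIVILEGES = frozenset().union(*ROLE_PRIVILEGES.values())


def effective_privileges(roles):
    """Union of the privileges granted by every role a user holds."""
    unknown = sorted(r for r in roles if r not in ROLE_PRIVILEGES)
    if unknown:
        raise ValueError(f"unknown role(s): {unknown}")
    return frozenset().union(*(ROLE_PRIVILEGES[r] for r in roles))


def least_privileged_role(needed):
    """Smallest single role that covers `needed`; None if nothing is needed."""
    needed = frozenset(needed)
    bad = sorted(needed - ALL_PRIVILEGES)
    if bad:
        raise ValueError(f"unknown privilege(s): {bad}")
    if not needed:
        return None
    covering = [r for r, privs in ROLE_PRIVILEGES.items() if needed <= privs]
    return min(covering, key=lambda r: len(ROLE_PRIVILEGES[r]))


def redundant_roles(roles):
    """Assigned roles whose privileges another assigned role already grants."""
    held = set(roles)
    return sorted(
        r for r in held
        if any(o != r and ROLE_PRIVILEGES[r] <= ROLE_PRIVILEGES[o] for o in held)
    )


def review(assignments, needs):
    """Return {user: finding} for every user whose assignment should change.

    assignments: user -> list of role names provisioned in Shared Services.
    needs: user -> set of privileges the job requires (assumed reviewer input);
           a user absent from `needs` is treated as needing no access.
    """
    findings = {}
    for user, roles in sorted(assignments.items()):
        granted = effective_privileges(roles)
        needed = frozenset(needs.get(user, ()))
        target = least_privileged_role(needed)
        target_privs = ROLE_PRIVILEGES[target] if target else frozenset()
        finding = {
            "recommended": target,
            # Privileges that moving to the recommended role would remove.
            "excess": sorted(granted - target_privs),
            # Required privileges the current roles do not grant.
            "missing": sorted(needed - granted),
            "redundant": redundant_roles(roles),
        }
        if finding["excess"] or finding["missing"] or finding["redundant"]:
            findings[user] = finding
    return findings


# Constructed sample data (not from the guide).
SAMPLE_ASSIGNMENTS = {
    "asmith": ["Administrator", "Operator"],
    "bjones": ["Designer"],
    "cwu": ["Operator"],
    "dlee": ["Designer"],
}
SAMPLE_NEEDS = {
    "asmith": {"Workflow Operator", "Browse Repository"},
    "bjones": {"Use Designer", "Browse Repository"},
    "cwu": {"Use Workflow Manager"},
    # dlee has no documented need, so any role is excess.
}

if __name__ == "__main__":
    for user, finding in review(SAMPLE_ASSIGNMENTS, SAMPLE_NEEDS).items():
        print(user, finding)
```

Users reported with a `recommended` value of `None` are candidates for deprovisioning before the next synchronization run.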
Glossary

access permissions: A set of operations that a user can perform on a Hyperion resource.
aggregated role: A custom role that aggregates multiple predefined roles within a Hyperion product.
application: (1) A software program designed to run a specific task or group of tasks such as a spreadsheet program or database management system. (2) A related set of dimensions and dimension members that are used to meet a specific set of analytical and/or reporting requirements. (3) A management structure containing one or more Essbase databases and the related files that control many system variables, such as memory allocation and autoload parameters.
authentication: Verification of identity as a security measure. Authentication is typically based on a user ID and password. Passwords and digital signatures are forms of authentication.
automated stage: A stage that does not require human intervention, for example, a data load.
business process: A set of activities that collectively accomplish a business objective.
configuration file: The security platform relies on an XML document to be configured by the product administrator or installer of the software. The XML document must be modified to indicate meaningful values for properties, specifying locations and attributes pertaining to the corporate authentication scenario.
context variable: A variable that is defined for a particular taskflow to identify the context of the taskflow instance.
dimensional hierarchy: A type of Shared Services model that typically includes a hierarchy of related group members, such as entities or accounts. See also model.
external authentication: Logging on to Hyperion applications by means of user information stored outside the application, typically in a corporate user directory such as MSAD or NTLM.
filter: In Shared Services, a method that enables users to filter selected members from the model when the model is imported. See also model.
filter: A constraint placed on data sets to restrict values to specific criteria.
For example, to exclude certain tables, meta data, data values, or to control access.
group: A container that enables the assignment of similar access permissions to a group of users.
identity: A unique identification of one valid user or group existing on an external authentication repository.
integration: Process that is run to move data between Hyperion applications using Shared Services. Data integration definitions specify the data moving between a source application and a destination application, and enable the data movements to be grouped, ordered, and scheduled.
link: (1) Fixed references to a specific object in the repository. Links can reference folders, files, shortcuts, and other links using unique identifiers. (2) The point during the execution of a taskflow instance where the activity in one stage ends and control passes to another stage, which starts.
link condition: A logical expression that is evaluated by the taskflow engine to decide the sequence of stage execution within a taskflow. These expressions are defined within the taskflow definition and are used to identify the flow relationship between activities. The expressions are also used to effect the desired sequence of stage execution. This definition may include parallel or sequential execution conditions. The link condition is defined in terms of context variables defined for the taskflow.
load balancing: Distribution of requests across a group of servers, which ensures optimal end user performance.
managed server: An application server process running in its own Java Virtual Machine (JVM).
manual stage: A stage that requires human intervention to complete the stage.
model: (1) In data mining, a collection of an algorithm's findings about examined data. A model can be used (applied) against a wider set of data to generate useful information about that data. (2) A file or string of content containing an application-specific representation of data. Models are the basic data managed by Shared Services. Models are of two major types: dimensional and nondimensional application objects. (3) In Business Modeling, a network of boxes connected to represent and calculate the operational and financial flow through the area being examined.
private application: An application for the exclusive use of a product to store and manage Shared Services models. A private application is created for a product during the registration process.
product: In Shared Services, a product is an application type, such as Hyperion Planning or Hyperion Performance Scorecard.
project: An instance of Hyperion products that are grouped together to comprise an implementation. For example, a Planning project may consist of a Planning application, an Oracle's Hyperion Essbase System 9 cube, and a Financial Reporting Server instance.
promotion: The process of copying artifacts from one operating environment to another operating environment; for example, from a testing environment to a production environment.
provisioning: The process of granting users and groups specific access permissions to Hyperion resources.
repository: Stores meta data, formatting, and annotation information for views and queries.
role: The means by which access permissions are granted to users and groups for Hyperion resources.
security agent: A Web access management solutions provider employed by companies to protect Web resources; also known as Web security agent.
The Netegrity SiteMinder product is an example of a security agent.
security platform: A framework enabling Hyperion applications to use external authentication and single sign-on using the security platform driver.
shared application: An application in Shared Services that enables two or more products to share their models. See also model.
Single Sign-On: A feature that enables you to access multiple Hyperion products after logging on just once using external credentials.
stage: A description of a task that forms one logical step within a taskflow, usually performed by a single individual. A stage can be manual or automated.
stage action: For automated stages, the action that is invoked to execute the stage.
sync: The ability to synchronize models in Shared Services with models in the application.
synchronized: The condition that exists when the latest version of a model resides in both the application and in Shared Services. See model.
task list: A listing of tasks for a particular user along with detailed status information for each task.
taskflow: The automation of a business process in whole or in part, during which tasks are passed from one taskflow participant to another for actions, according to a set of procedural rules.
taskflow definition: The representation of the business process in the taskflow management system, which enables the process to be automated. The taskflow definition consists of a network of stages and their relationships; criteria to indicate the start and end of the taskflow; and information about individual stages, such as participants, associated applications, associated activities, and so on.
taskflow instance: The representation of a single instance of a taskflow including its state and associated data.
taskflow management system: A system that defines, creates, and manages the execution of a taskflow. It enables the creation of taskflow definitions, interaction with taskflow participants (users or applications), and the launching of other applications during the execution of a business process.
taskflow participant: The resource that performs the task associated with the taskflow stage instance. The taskflow system requires a participant for both manual and automated stages. For a manual stage, the task is shown on the task list for the user to execute the task. For an automated stage, Shared Services, along with the application, executes the task. For automated stages, the application executes the task on behalf of the participant.
token: An encrypted identification of one valid user or group on an external authentication system.
user directory: A centralized, corporate store of user and group information. May also be referred to as a repository or provider.
Setting Up Your Internet Connection
4 CONNECTING TO CHANCES ARE, you aready have Internet access and are using the Web or sending emai. If you downoaded your instaation fies or instaed esigna from the web, you can be sure that you re set
Driving Accountability Through Disciplined Planning with Hyperion Planning and Essbase
THE OFFICIAL PUBLICATION OF THE Orace Appications USERS GROUP summer 2012 Driving Accountabiity Through Discipined Panning with Hyperion Panning and Essbase Introduction to Master Data and Master Data
SABRe B2.1: Design & Development. Supplier Briefing Pack.
SABRe B2.1: Design & Deveopment. Suppier Briefing Pack. 2013 Ros-Royce pc The information in this document is the property of Ros-Royce pc and may not be copied or communicated to a third party, or used
NCH Software FlexiServer
NCH Software FexiServer This user guide has been created for use with FexiServer Version 1.xx NCH Software Technica Support If you have difficuties using FexiServer pease read the appicabe topic before
Lexmark ESF Applications Guide
Lexmark ESF Appications Guide Hep your customers bring out the fu potentia of their Lexmark soutions-enabed singe-function and mutifunction printers Lexmark Appications have been designed to hep businesses
NCH Software PlayPad Media Player
NCH Software PayPad Media Payer This user guide has been created for use with PayPad Media Payer Version 2.xx NCH Software Technica Support If you have difficuties using PayPad Media Payer pease read the
Oracle Enterprise Single Sign-on Provisioning Gateway. Administrator Guide Release 10.1.4.1.0 E12613-01
Oracle Enterprise Single Sign-on Provisioning Gateway Administrator Guide Release 10.1.4.1.0 E12613-01 March 2009 Oracle Enterprise Single Sign-on Provisioning Gateway, Administrator Guide, Release 10.1.4.1.0
Remote Feature Activation Getting Started with Remote Feature Activation (RFA)
Remote Feature Activation Getting Started with Remote Feature Activation (RFA) 03-300484 Issue 4.1 November 007 Contents Chapter 1: Remote Feature Activation Overview............. 7 RFA user requirements................................
NCH Software Warp Speed PC Tune-up Software
NCH Software Warp Speed PC Tune-up Software This user guide has been created for use with Warp Speed PC Tune-up Software Version 1.xx NCH Software Technica Support If you have difficuties using Warp Speed
eg Enterprise vs. a Big 4 Monitoring Soution: Comparing Tota Cost of Ownership Restricted Rights Legend The information contained in this document is confidentia and subject to change without notice. No
NCH Software BroadCam Video Streaming Server
NCH Software BroadCam Video Streaming Server This user guide has been created for use with BroadCam Video Streaming Server Version 2.xx NCH Software Technica Support If you have difficuties using BroadCam
ADVANCED ACCOUNTING SOFTWARE FOR GROWING BUSINESSES
ADVANCED ACCOUNTING SOFTWARE FOR GROWING BUSINESSES Product Features 1. System 2. Saes Ledger Unimited companies with password protection User security Muti-user system: 1 user comes as standard, up to
We are XMA and Viglen.
alearn with Microsoft 16pp 21.07_Layout 1 22/12/2014 10:49 Page 1 FRONT COVER alearn with Microsoft We are XMA and Vigen. Ca us now on 0115 846 4900 Visit www.xma.co.uk/aearn Emai [email protected] Foow
NCH Software Bolt PDF Printer
NCH Software Bot PDF Printer This user guide has been created for use with Bot PDF Printer Version 1.xx NCH Software Technica Support If you have difficuties using Bot PDF Printer pease read the appicabe
Eaton Intelligent Power Manager (IPM) Quick Start Installation Manual
Eaton Inteigent Power Manager (IPM) Quick Start Instaation Manua Cass A EMC Statements FCC Information This equipment has been tested and found to compy with the imits for a Cass A digita device, pursuant
Human Capital & Human Resources Certificate Programs
MANAGEMENT CONCEPTS Human Capita & Human Resources Certificate Programs Programs to deveop functiona and strategic skis in: Human Capita // Human Resources ENROLL TODAY! Contract Hoder Contract GS-02F-0010J
Oracle Enterprise Manager. Description. Versions Supported
Oracle Enterprise Manager System Monitoring Plug-in Installation Guide for Microsoft Active Directory 10g Release 2 (10.2.0.2) B28044-02 June 2006 This document provides a brief description about the Oracle
HYPERION SMART VIEW FOR OFFICE RELEASE 9.3.1.0.0 NEW FEATURES CONTENTS IN BRIEF. General... 2 Essbase... 3 Planning... 4 Reporting and Analysis...
HYPERION SMART VIEW FOR OFFICE RELEASE 9.3.1.0.0 NEW FEATURES CONTENTS IN BRIEF General... 2 Essbase... 3 Planning... 4 Reporting and Analysis... 4 General Submit Data Without Refreshing the Grid In previous
DOING BUSINESS WITH THE REGION OF PEEL A GUIDE FOR NEW AND CURRENT VENDORS
DOING BUSINESS WITH THE REGION OF PEEL A GUIDE FOR NEW AND CURRENT VENDORS TABLE OF CONTENTS INTRODUCTION... 1 GOVERNANCE... 1 COMMONLY PURCHASED GOODS AND SERVICES... 1 HOW TO REGISTER YOUR COMPANY...
Teamwork. Abstract. 2.1 Overview
2 Teamwork Abstract This chapter presents one of the basic eements of software projects teamwork. It addresses how to buid teams in a way that promotes team members accountabiity and responsibiity, and
Deploying Oracle Business Intelligence Publisher in J2EE Application Servers Release 10.1.3.2.0
Oracle Business Intelligence Publisher Deploying Oracle Business Intelligence Publisher in J2EE Application Servers Release 10.1.3.2.0 Part No. B32481-01 December 2006 Introduction Oracle BI Publisher
Oracle Enterprise Single Sign-on Logon Manager How-To: Configuring ESSO-LM Event Logging with Microsoft SQL Server 2005 Release 11.1.1.2.
Oracle Enterprise Single Sign-on Logon Manager How-To: Configuring ESSO-LM Event Logging with Microsoft SQL Server 2005 Release 11.1.1.2.0 20413-01 December 2010 8B Oracle Enterprise Single Sign-on Logon
Oracle Enterprise Single Sign-on Logon Manager. Installation and Setup Guide Release 11.1.1.2.0 E15720-02
Oracle Enterprise Single Sign-on Logon Manager Installation and Setup Guide Release 11.1.1.2.0 E15720-02 November 2010 Oracle Enterprise Single Sign-on Logon Manager, Installation and Setup Guide, Release
Australian Bureau of Statistics Management of Business Providers
Purpose Austraian Bureau of Statistics Management of Business Providers 1 The principa objective of the Austraian Bureau of Statistics (ABS) in respect of business providers is to impose the owest oad
ICAP CREDIT RISK SERVICES. Your Business Partner
ICAP CREDIT RISK SERVICES Your Business Partner ABOUT ICAP GROUP ICAP Group with 56 miion revenues for 2008 and 1,000 empoyees- is the argest Business Services Group in Greece. In addition to its Greek
WINMAG Graphics Management System
SECTION 10: page 1 Section 10: by Honeywe WINMAG Graphics Management System Contents What is WINMAG? WINMAG Text and Graphics WINMAG Text Ony Scenarios Fire/Emergency Management of Fauts & Disabement Historic
Oracle Enterprise Manager. Description. Versions Supported. Prerequisites
Oracle Enterprise Manager System Monitoring Plug-in Installation Guide for Microsoft SQL Server 10g Release 2 (10.2) B28049-01 January 2006 This document provides a brief description about the Oracle System
How To Get Acedo With Microsoft.Com
alearn with Microsoft We are XMA. Ca us now on 0115 846 4900 Visit www.xma.co.uk/aearn Emai [email protected] Foow us @WeareXMA Introduction Use our 'steps to alearn' framework to ensure you cover a bases...
Copyright http://support.oracle.com/
Primavera Portfolio Management 9.0 Security Guide July 2012 Copyright Oracle Primavera Primavera Portfolio Management 9.0 Security Guide Copyright 1997, 2012, Oracle and/or its affiliates. All rights reserved.
SAP Business Analytics. Services & Solutions for the Metals and Mining Industry
SAP Business Anaytics Services & Soutions for the Metas and Mining Industry Niche Business Anaytics Soutions & Services SAP Soutions SAP Business Inteigence Enterprise Data warehousing Reporting & Dashboards
NCH Software Copper Point of Sale Software
NCH Software Copper Point of Sae Software This user guide has been created for use with Copper Point of Sae Software Version 1.xx NCH Software Technica Support If you have difficuties using Copper Point
Leadership & Management Certificate Programs
MANAGEMENT CONCEPTS Leadership & Management Certificate Programs Programs to deveop expertise in: Anaytics // Leadership // Professiona Skis // Supervision ENROLL TODAY! Contract oder Contract GS-02F-0010J
ORACLE USER PRODUCTIVITY KIT USAGE TRACKING ADMINISTRATION & REPORTING RELEASE 3.6 PART NO. E17087-01
ORACLE USER PRODUCTIVITY KIT USAGE TRACKING ADMINISTRATION & REPORTING RELEASE 3.6 PART NO. E17087-01 FEBRUARY 2010 COPYRIGHT Copyright 1998, 2009, Oracle and/or its affiliates. All rights reserved. Part
WHITE PAPER BEsT PRAcTIcEs: PusHIng ExcEl BEyond ITs limits WITH InfoRmATIon optimization
Best Practices: Pushing Exce Beyond Its Limits with Information Optimization WHITE Best Practices: Pushing Exce Beyond Its Limits with Information Optimization Executive Overview Microsoft Exce is the
NCH Software Express Accounts Accounting Software
NCH Software Express Accounts Accounting Software This user guide has been created for use with Express Accounts Accounting Software Version 5.xx NCH Software Technica Support If you have difficuties using
SPOTLIGHT. A year of transformation
WINTER ISSUE 2014 2015 SPOTLIGHT Wecome to the winter issue of Oasis Spotight. These newsetters are designed to keep you upto-date with news about the Oasis community. This quartery issue features an artice
Administering Meeting Exchange Servers
Administering Meeting Exchange Servers Reease 5.2.2 February 18, 2013 04-603708 Issue 1 2012 Avaya Inc. A Rights Reserved. Notice Whie reasonabe efforts have been made to ensure that the information in
Federal Financial Management Certificate Program
MANAGEMENT CONCEPTS Federa Financia Management Certificate Program Training to hep you achieve the highest eve performance in: Accounting // Auditing // Budgeting // Financia Management ENROLL TODAY! Contract
Introduction to XSL. Max Froumentin - W3C
Introduction to XSL Max Froumentin - W3C Introduction to XSL XML Documents Stying XML Documents XSL Exampe I: Hamet Exampe II: Mixed Writing Modes Exampe III: database Other Exampes How do they do that?
Universal Content Management Version 10gR3. Security Providers Component Administration Guide
Universal Content Management Version 10gR3 Security Providers Component Administration Guide Copyright 2008 Oracle. All rights reserved. The Programs (which include both the software and documentation)
Oracle Enterprise Manager
Oracle Enterprise Manager System Monitoring Plug-in Installation Guide for Microsoft Active Directory Release 12.1.0.1.0 E28548-04 February 2014 Microsoft Active Directory, which is included with Microsoft
READING A CREDIT REPORT
Name Date CHAPTER 6 STUDENT ACTIVITY SHEET READING A CREDIT REPORT Review the sampe credit report. Then search for a sampe credit report onine, print it off, and answer the questions beow. This activity
USING ORACLE ENTERPRISE MANAGER GRID CONTROL TO MONITOR ORACLE'S HYPERION PRODUCTS
HYPERION RELEASE 9.3.1 USING ORACLE ENTERPRISE MANAGER GRID CONTROL TO MONITOR ORACLE'S HYPERION PRODUCTS CONTENTS IN BRIEF About this Document... 2 Overview of Oracle Enterprise Manager Grid Control...
Chapter 3: e-business Integration Patterns
Chapter 3: e-business Integration Patterns Page 1 of 9 Chapter 3: e-business Integration Patterns "Consistency is the ast refuge of the unimaginative." Oscar Wide In This Chapter What Are Integration Patterns?
Nordic Ecolabelling of Copy and printing paper - supplementary module
rdic Ecoabeing of Copy and printing paper - suppementary modue Version 4.1 22 June 2011 30 June 2016 rdic Ecoabeing Content What is rdic Ecoabeed copy and printing paper? 3 Why choose the rdic Ecoabe?
Secure Configuration Guide
Secure Configuration Guide Oracle Health Sciences Empirica Healthcare 1.0 Part number: E49242-01 Copyright 2013, Oracle and/or its affiliates. All rights reserved. The Programs (which include both the
Oracle Enterprise Manager. Description. Platforms Supported. Versions Supported
Oracle Enterprise Manager System Monitoring Plug-in Installation Guide for Check Point Firewall 10g Release 2 (10.2) B28038-02 May 2007 This document provides a brief description about the Oracle System
Vision Helpdesk Client Portal User Guide
Hepdesk Hepdesk Vision Hepdesk Cient Porta User Guide VISION HELPDESK v3 User Guide (for Cient) CLIENT PORTAL DETAILS VISION HELPDESK v3 User Guide (for Cient) Hepdesk Index Cient Porta.....................................................
Installing a Plug-in
Oracle Enterprise Manager Release Notes for System Monitoring Plug-ins 10g Release 2 (10.2.0.2) B28199-03 July 2006 These release notes list the System Monitoring Plug-ins that are documented, describe
C O N F I G U R I N G O P E N L D A P F O R S S L / T L S C O M M U N I C A T I O N
H Y P E R I O N S H A R E D S E R V I C E S R E L E A S E 9. 3. 1. 1 C O N F I G U R I N G O P E N L D A P F O R S S L / T L S C O M M U N I C A T I O N CONTENTS IN BRIEF About this Document... 2 About
Oracle WebLogic Server
Oracle WebLogic Server Creating Templates and Domains Using the pack and unpack Commands 10g Release 3 (10.3) November 2008 Oracle WebLogic Server Oracle Workshop for WebLogic Oracle WebLogic Portal Oracle
A Description of the California Partnership for Long-Term Care Prepared by the California Department of Health Care Services
2012 Before You Buy A Description of the Caifornia Partnership for Long-Term Care Prepared by the Caifornia Department of Heath Care Services Page 1 of 13 Ony ong-term care insurance poicies bearing any
Enabling Single Signon with IBM Cognos 8 BI MR1 and SAP Enterprise Portal
Guideline Enabling Single Signon with IBM Cognos 8 BI MR1 and SAP Enterprise Portal Product: IBM Cognos 8 BI Area of Interest: Security 2 Copyright Copyright 2008 Cognos ULC (formerly Cognos Incorporated).
Oracle Enterprise Manager
Oracle Enterprise Manager System Monitoring Plug-in for Oracle TimesTen In-Memory Database Installation Guide Release 11.2.1 E13081-02 June 2009 This document was first written and published in November
H Y P E R I O N F I N A N C I A L D A T A Q U A L I T Y M A N A G E M E N T R E L E A S E 9. 3. 1 R E P O R T S G U I D E
H Y P E R I O N F I N A N C I A L D A T A Q U A L I T Y M A N A G E M E N T R E L E A S E 9. 3. 1 R E P O R T S G U I D E FDM Reports Guide, 9.3.1 Copyright 1989, 2007, Oracle and/or its affiliates. All
NEW FEATURES ORACLE ESSBASE STUDIO
ORACLE ESSBASE STUDIO RELEASE 11.1.1 NEW FEATURES CONTENTS IN BRIEF Introducing Essbase Studio... 2 From Integration Services to Essbase Studio... 2 Essbase Studio Features... 4 Installation and Configuration...
Siebel HelpDesk Guide. Version 8.0, Rev. C March 2010
Siebel HelpDesk Guide Version 8.0, Rev. C March 2010 Copyright 2005, 2010 Oracle and/or its affiliates. All rights reserved. The Programs (which include both the software and documentation) contain proprietary
Oracle WebCenter Content Service for Microsoft Exchange
Oracle WebCenter Content Service for Microsoft Exchange Installation and Upgrade Guide 10g Release 3 (10.3) November 2008 Oracle WebCenter Content Service for Microsoft Exchange Installation and Upgrade
CA Technologies SiteMinder
CA Technologies SiteMinder Agent for Microsoft SharePoint r12.0 Second Edition This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to
INDUSTRIAL AND COMMERCIAL
Finance TM NEW YORK CITY DEPARTMENT OF FINANCE TAX & PARKING PROGRAM OPERATIONS DIVISION INDUSTRIAL AND COMMERCIAL ABATEMENT PROGRAM PRELIMINARY APPLICATION AND INSTRUCTIONS Mai to: NYC Department of Finance,
Enhanced continuous, real-time detection, alarming and analysis of partial discharge events
DMS PDMG-RH DMS PDMG-RH Partia discharge monitor for GIS Partia discharge monitor for GIS Enhanced continuous, rea-time detection, aarming and anaysis of partia discharge events Unrivaed PDM feature set
Oracle Enterprise Manager. Description. Versions Supported
Oracle Enterprise Manager System Monitoring Plug-in Installation Guide for Microsoft SQL Server Release 10 (4.0.3.1.0) E14811-03 June 2009 This document provides a brief description about the Oracle System
Normalization of Database Tables. Functional Dependency. Examples of Functional Dependencies: So Now what is Normalization? Transitive Dependencies
ISM 602 Dr. Hamid Nemati Objectives The idea Dependencies Attributes and Design Understand concepts normaization (Higher-Leve Norma Forms) Learn how to normaize tabes Understand normaization and database
JD Edwards EnterpriseOne Tools. 1 Understanding JD Edwards EnterpriseOne Business Intelligence Integration. 1.1 Oracle Business Intelligence
JD Edwards EnterpriseOne Tools Embedded Business Intelligence for JD Edwards EnterpriseOne Release 8.98 Update 4 E21426-02 March 2011 This document provides instructions for using Form Design Aid to create
Oracle Enterprise Manager. Description. Versions Supported
Oracle Enterprise Manager System Monitoring Plug-in Installation Guide for Microsoft SQL Server Release 12 (4.1.3.2.0) E18740-01 November 2010 This document provides a brief description about the Oracle
Siteminder Integration Guide
Integrating Siteminder with SA SA - Siteminder Integration Guide Abstract The Junos Pulse Secure Access (SA) platform supports the Netegrity Siteminder authentication and authorization server along with
CA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
Incident management system for the oil and gas industry. Good practice guidelines for incident management and emergency response personnel
Incident management system for the oi and gas industry Good practice guideines for incident management and emergency response personne The goba oi and gas industry association for environmenta and socia
NUANCE The experience speaks for itself
NUANCE The experience speaks for itsef PDF Soutions Comparison Professiona* Professiona 8 Compatibiity Features Compatibe with Microsoft Windows XP (32-bit), Vista (32- and 64-bit), Windows 7 (32- and
Oracle Application Server
Oracle Application Server Quick Installation Guide 10g Release 3 (10.1.3) for Microsoft Windows (64-Bit) on Intel Itanium B28114-01 February 2006 Oracle Application Server Quick Installation Guide 10g
MICROSOFT DYNAMICS CRM
biztech TM MICROSOFT DYNAMICS CRM Experienced professionas, proven toos and methodoogies, tempates, acceerators and vertica specific soutions maximizing the vaue of your Customer Reationships Competency
Enabling Single Signon with IBM Cognos ReportNet and SAP Enterprise Portal
Guideline Enabling Single Signon with IBM Cognos ReportNet and SAP Enterprise Portal Product(s): IBM Cognos ReportNet Area of Interest: Security 2 Copyright Copyright 2008 Cognos ULC (formerly Cognos Incorporated).
Advance PLM Software Solutions for Complex Business Processes
Advance PLM Software Soutions for Compex Business Processes Abstract As customers word-wide camour for more technoogicay rich products, be it a car, or a smartphone, manufacturers are having to contend
Oracle Enterprise Manager. Description. Versions Supported. Prerequisites
Oracle Enterprise Manager System Monitoring Plug-in Installation Guide for Check Point Firewall 10g Release 2 (10.2) B28038-01 January 2006 This document provides a brief description about the Oracle System
Application Interface Services Server for Mobile Enterprise Applications Configuration Guide Tools Release 9.2
[1]JD Edwards EnterpriseOne Application Interface Services Server for Mobile Enterprise Applications Configuration Guide Tools Release 9.2 E61545-01 October 2015 Describes the configuration of the Application
Chapter 3: Authentication and Resource Protection in Windows 2000
Chapter 3: Authentication and Resource Protection in Windows 2000 Page 1 of 23 Chapter 3: Authentication and Resource Protection in Windows 2000 Because this is a user administration book, not a security
MOS 2013 Study Guide. Microsoft Excel EXAM 77-420. Microsoft IT Academy
MOS 2013 Study Guide EXAM 77-420 Microsoft Exce Microsoft IT Academy Lambert Note This content aso pubished as MOS 2013 Study Guide for Exce spine =.39 Avaiabe at your favorite bookseers ISBN 978-0-7356-6920-8
