The Programs (which include both the software and documentation) contain proprietary information; they are provided
under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and
other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except
to the extent required to obtain interoperability with other independently created software or as specified by law, is
prohibited.
The information contained in this document is subject to change without notice. If you find any problems in the
documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be
expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose.
If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the
United States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to
U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the
applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication,
disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject
to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional
rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500
Oracle Parkway, Redwood City, CA 94065.
The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous
applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures
to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any
damages caused by such use of the Programs.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their
respective owners.
The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is
not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with
the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly
between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b)
fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty
obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you
may incur from dealing with any third party.
Contents
Chapter 1. About Hyperion Security ..................................................... 11
Hyperion application security comprises two distinct and complementary layers that control
user access and permissions:
●“User Authentication” on page 11
●“Provisioning (Role-Based Authorization)” on page 14
About Hyperion Security
User Authentication
User authentication enables single sign-on functionality across Hyperion products by validating
the login information of each user to determine authenticated users. User authentication, along
with product-specific authorization, grants the user access to Hyperion products. Authorization
is granted through provisioning.
Single sign-on (SSO) is a session and user authentication process that permits a Hyperion
product user to enter credentials only once at the beginning of a session to access multiple
Hyperion products. SSO, which is requested at session initiation, eliminates the need to log in
separately to each Hyperion product to which the user has access.
Authentication Components
These components are used to support SSO:
●“Security API” on page 12
●“Native Directory” on page 12
●“User Directories” on page 12
Security Components
11
Security API
The Security Application Programming Interface (Security API) is the main interface to validate
users and interpret user access to Hyperion products. It is a Java API that enables Hyperion
products to authenticate users against user directories configured in Oracle's Hyperion® Shared
Services. It also allows integration with a security agents such as Netegrity SiteMinder, and
retrieval of users and groups based on names and identities. Each Hyperion application
implements the Security API to support user authentication.
Native Directory
Native Directory (OpenLDAP), an open source Lightweight Directory Access Protocol (LDAP)enabled user directory, is bundled and configured with Shared Services.
Native Directory functions:
●Used to maintain and manage the default Shared Services user accounts required by
Hyperion products
●Is the central storage for all Hyperion provisioning information because it stores the
relationships between users, groups, and roles.
Native Directory is accessed and managed using the User Management Console. Refer
toChapter 7, “Managing Native Directory” for more information on provisioning users.
User Directories
User directories refer to any corporate user and identity management system compatible with
Shared Services. Hyperion products are supported on a large number of user directories. These
include LDAP-enabled user directories, such as Sun Java System Directory Server (formerly
SunONE Directory Server) and Microsoft Active Directory, Windows NT LAN Manager
(NTLM); SAP Provider; and custom-built user directories that support LDAP version 3.
In addition to Native Directory, which is automatically configured for your environment, one
or more user directories can be configured as the user information provider for Hyperion
products.
User directories used with Hyperion products must contain an account for each user who
accesses Hyperion products. These users may be assigned to groups to facilitate provisioning.
User Authentication Scenarios
●“Single Sign-on Directly to Hyperion Products” on page 12
●“Single Sign-on from External Systems” on page 13
Single Sign-on Directly to Hyperion Products
About Hyperion Security
12
Direct authentication connects Hyperion products to available user directories to verify the user
name and password (credentials) entered on the Login screen.
1. Using a browser, users access the Hyperion product login screen. They enter user names
and passwords.
The Security API implemented on the Hyperion product queries the configured user
directories (including Native Directory) to verify user credentials. A search order is used to
establish the search sequence. On finding a matching user account in a user directory, the
search is terminated and the user's information is returned to the Hyperion product.
Access to Hyperion product is denied if a user account is not found in any of the user
directories.
2. Using the retrieved user information, the Hyperion product queries Shared Services to
obtain provisioning details for the user. Provisioning details are stored in Native Directory.
On receiving provisioning information from Shared Services, the appropriate Hyperion product
is made available to the user. At this point, SSO is enabled for all Hyperion products for which
that user is provisioned. Access permissions within Hyperion products are determined by the
provisioning information.
Single Sign-on from External Systems
Hyperion products can be configured to accept pre-authenticated users from external sources,
such as Netegrity SiteMinder and SAP Enterprise Portal, to enable SSO. In this scenario,
Hyperion products use the user information provided by a trusted external source to determine
access permissions of users.
SSO with SAP is supported by accepting an SAP logon ticket. In this scenario, users defined in
an SAP user directory can navigate between the SAP Portal and Hyperion products. If an SAP
provider is configured, users can also directly log on to Hyperion products using the user ID
and password stored in the SAP system. The SAP provider creates the SAP logon ticket to enable
SSO with SAP systems.
User Authentication
13
1. Using a browser, users access the login screen of a web identity management solution (for
example, SiteMinder) or SAP Enterprise Portal. They enter user names and passwords,
which are validated against configured user directories to verify user authenticity. Hyperion
products are also configured to work with these user directories.
When users navigate to a Hyperion product, information about the authenticated user is
passed to Hyperion product, which accepts the information as valid.
If the user logged on to SAP Portal, an SAP logon ticket is passed to Hyperion product. The
Security API implemented on Hyperion product decrypts the SAP logon ticket using a
specified SAP certificate.
If the user logged on to a web identity management solution, a custom
header is passed to Hyperion product.
2. To verify user credentials, Hyperion product tries to locate the user in one of the user
directories based on the search order. If a matching user account is found, user information
is returned to Hyperion product.
3. Using the retrieved user information, Hyperion product queries Shared Services to obtain
provisioning details for the user.
On receiving user provisioning information from Shared Services, the Hyperion product is
made available to the user. SSO is then enabled for all Hyperion products for which that
user is provisioned.
Provisioning (Role-Based Authorization)
Hyperion application security determines user access to products using the concept of roles. A
role is a set of permissions that determines user access to product functions.
Each Hyperion product provides several default roles tailored to suit various business needs.
Predefined roles from each Hyperion application registered with Shared Services are available
from User Management Console. These roles are used for provisioning. You may also create
additional roles that aggregate the default roles to suit specific requirements. The process of
HYPLOGIN HTTP
About Hyperion Security
14
granting users and groups specific access permissions to Hyperion resources is called
provisioning.
Native Directory and configured user directories are sources for user and group information for
the provisioning (authorization) process. You can browse and provision users and groups from
all configured user directories from User Management Console. Provisioning data is stored in
Native Directory. You can also use application-specific aggregated roles created in Native
Directory in the provisioning process.
This illustration depicts a broad overview of the authorization process:
1. After a user is authenticated, Hyperion product queries the user directories to determine
the user's groups.
2. Hyperion product uses the group and user information to retrieve the user's provisioning
data from Shared Services. The product uses this data to determine resources that a user can
access.
Product-specific provisioning tasks, such as setting product-specific access control, are
completed from each product. This data is combined with provisioning data to determine
the product access for users.
Role-based provisioning of Hyperion products uses these concepts.
Roles
A role is a construct (similar to access control list) that defines the access permissions granted
to users and groups to perform functions on Hyperion resources. It is a combination of resource
or resource types (what users can access; for example, a report) and actions that users can perform
on the resource (for example, view and edit).
Access to Hyperion application resources is restricted; users can access them only after a role
that provides access is assigned to the user or to the group to which the user belongs. Access
restrictions based on roles enable administrators to control and manage application access.
Provisioning (Role-Based Authorization)
15
Global Roles
Global roles are Shared Services roles that enable users to perform certain tasks within the User
Management Console. See Appendix B, “Shared Services Roles and Permitted Tasks” for a
complete list of Shared Services global roles.
Administrator
The Administrator role provides control over all products that integrate with Shared Services.
It enables more control over security than any other Hyperion product roles and should therefore
be assigned sparingly. Administrators can perform all administrative tasks in User Management
Console and can provision themselves.
This role grants broad access to all applications registered with Shared Services. The
Administrator role is, by default, assigned to the admin Native Directory user, which is the only
user available after you deploy Shared Services. This user account is initially used to create
accounts for other administrators. For example, the Shared Services Administrator assigns other
administrative users either the Directory Manager or Provisioning Manager role (a productspecific role assigned for individual applications). In turn, these users manage general user access
to applications.
Directory Manager
Users who are assigned the Directory Manager role can create and manage users and groups
within Native Directory.
Do not assign to Directory Managers the Provisioning Manager role because combining these
roles allows Directory Managers to provision themselves. If a user is assigned the Provisioning
Manager role for an Oracle's Hyperion® Essbase® – System 9 application as well as the Directory
Manager role, this user can create a new user, assign the user any role within the Essbase
application, and log in as the new user, thereby granting personal access to the Essbase
application.
The recommended practice is to grant one user the Directory Manager role and another user
the Provisioning Manager role.
Project Manager
Users who are assigned the Project Manager role can create and manage projects within Shared
Services.
LCM Manager
Users who are assigned the LCM Manager role can execute the Artifact Life Cycle Management
Utility to promote artifacts and data across product environments and operating systems.
About Hyperion Security
16
Predefined Roles
Predefined roles are built-in roles in Hyperion products. You cannot delete these roles from the
product. Predefined roles are registered with Shared Services during the application registration
process.
Aggregated Roles
Aggregated roles are custom roles that aggregate multiple product roles within a Hyperion
product. An aggregated role consists of multiple roles, including other aggregated roles. For
example, a Shared Services Administrator or Provisioning Manager can create a role for Planning
that combines the Planner and View User roles into an aggregated role. Aggregating roles can
simplify the administration of products that have a large number of granular roles.
You cannot create an aggregated role that spans products, and you cannot include global Shared
Services roles in aggregated roles. Aggregated roles are also known as custom roles.
Users
User directories store information about the users who can access Hyperion products. Both the
authentication and the authorization processes utilize user information. You can only create
and manage Native Directory users from User Management Console.
Users from all configured user directories are visible from User Management Console. These
users can be individually provisioned to grant access rights on the Hyperion products registered
with Shared Services. Hyperion does not recommend the provisioning of individual users.
Groups
Groups are containers for users or other groups. You can create and manage Native Directory
groups from User Management Console. Groups from all configured user directories are
displayed in User Management Console. You can provision these groups to grant permissions
for Hyperion products registered with Shared Services.
Provisioning (Role-Based Authorization)
17
About Hyperion Security
18
Setting Up Authentication
2
In This Chapter
Setting Up Direct Authentication to Hyperion Products ........................................................................19
Setting Up SSO with SAP Enterprise Portal......................................................................................21
Setting Up SSO from SiteMinder .................................................................................................25
Using NTLM to Support SSO ......................................................................................................28
Setting Up Direct Authentication to Hyperion Products
The security environment of Hyperion products comprises two complementary layers:
authentication and authorization.
Setting up Hyperion security to authenticate users directly involves several broad procedures.
See details in later sections.
●“Creating Users on the User Directory” on page 19
●“Creating Groups” on page 20
●“Migrating Users and Groups to Shared Services Security” on page 20
●“Installing and Deploying Shared Services” on page 20
●“Identifying User Directories to Shared Services” on page 20
Creating Users on the User Directory
The security environment of Hyperion products requires that user credentials be checked against
a user directory as a part of the authentication process. This requirement mandates that each
Hyperion application user have an account on the user directory. A unique user identifier
(typically the user name) defined on the user directory is the foundation on which Hyperion
application security is built.
In most deployment scenarios, existing user directories (with user accounts) are used to support
user authentication. For information on creating user accounts, see vendor documentation. See
“Creating Users” on page 81 for information on creating Native Directory users.
Setting Up Direct Authentication to Hyperion Products
19
Creating Groups
User accounts on user directories can be granted membership to groups based on common
characteristics such as the user function and geographical location. For example, users can be
categorized into groups such as Staff, Managers, Sales, and Western_Sales based on their function
within the organization. A user can belong to one or more groups on the user directory, which
is an important consideration in facilitating the provisioning process.
The procedures to create groups and assign group membership vary depending on the user
directory being used. For information on creating groups and assigning group membership, see
vendor documentation. See “Managing Native Directory Groups” on page 84 for information
on creating Native Directory groups.
Migrating Users and Groups to Shared Services Security
If you are upgrading Hyperion products from a release that did not support provisioning, you
must migrate users and groups from the products to Shared Services. You can migrate users who
were authenticated through native product security or through an external directory in that
release. Each product has a migration tool that enables you to migrate user, group, and role
information from Hyperion products to Shared Services. For migration information, see the
appropriate product appendix at the end of this guide.
After migrating users, you can provision users or groups as needed. See Chapter 8, “Managing
Provisioning” for details.
Installing and Deploying Shared Services
See Hyperion Shared Services Installation Guide for information about installing Shared Services
and deploying it to an appropriate application server.
Identifying User Directories to Shared Services
The Shared Services installation and deployment process sets up and configures Native Directory
as the default user directory for Hyperion products. Each additional user directory that you use
to support user authentication and SSO must be configured separately using User Management
Console.
During the user directory configuration process, you assign the search order for each user
directory. This order determines the sequence in which the authentication process searches
within configured user directories to locate the user account that matches the user login
credentials. By default, Hyperion application security is configured to terminate the search
process when a matching user account is found. If you are using multiple user directories,
Hyperion recommends that user accounts be normalized across user directories.
Setting Up Authentication
20
Information on configuring user directories:
●“Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User
Directories” on page 40
●“Configuring an SAP Provider” on page 46
●“Configuring an NTLM User Directory” on page 49
Setting Up SSO with SAP Enterprise Portal
Hyperion products handle SSO to SAP Enterprise Portal by issuing an SAP logon ticket. This
action enables users who log in to Hyperion products to navigate seamlessly to SAP applications.
The illustrated concept:
1. When a user logs in to Hyperion products, the Security API implemented on the product
authenticates the user against configured user directories, including Native Directory.
Hyperion pr oduct iss ues a Hype rion logon token, w hich enable s SSO to Hy perion pro ducts.
The Hyperion logon token contains an SAP logon ticket.
Note:
For SSO with SAP to work, you must configure SAP as valid provider on Shared Services.
2. When the user subsequently navigates to the SAP system or uses an SAP data source, the
SAP logon ticket contained in the Hyperion token is passed to SAP to enable SSO. At this
point, the SAP system assumes the responsibility to validate the credentials in the SAP logon
ticket.
Hyperion products handle SSO from SAP Enterprise Portal by accepting an SAP logon ticket.
This action enables users who log in to SAP Enterprise Portal to navigate seamlessly between
SAP and Hyperion products. The illustrated concept:
Setting Up SSO with SAP Enterprise Portal
21
1. When a user logs in to SAP Enterprise Portal, SAP authenticates the user against the SAP
provider and issues an SAP logon ticket. SSO to SAP is enabled at this time.
2. The user navigates to a Hyperion product. The SAP logon ticket is passed to the Hyperion
product, which decrypts the SAP logon ticket using a SAP certificate stored on the Shared
Services server machine to retrieve the user name.
3. Accepting the user name, retrieved from the SAP ticket, as a valid, the Hyperion product
queries user directories to determine the user's groups. The SAP provider must be configured
as a user directory in Shared Services for this process to work.
4. Using the group information, Hyperion product gets the provisioning information for the
user from Shared Services.
Assumptions in both scenarios:
●If using a non-SAP corporate directory, the corporate user directory used by SAP Enterprise
Portal is supported by Shared Services. See Hyperion Installation Start Here for a list of
supported user directories.
●Users accounts and groups are already defined on the corporate user directory.
●The corporate user directories are configured to work with Shared Services.
●Users and groups are provisioned to access Hyperion products.
Setting Up Authentication
22
Nested SAP Groups
After configuring an SAP user directory, available SAP users and groups are displayed in User
Management Console. Shared Services considers the SAP roles to be the equivalents of groups
created by any corporate directory server. Each role from the SAP user directory is displayed as
a distinct group in User Management Console. Shared Services, however, does not retrieve the
relationships that exist between simple and composite roles within the SAP user directory. If
needed, nested groups can be created in Native Directory to mimic the relationship that existed
between the simple and composite roles in the SAP user directory.
Inheritance Policy for Nested Groups
If you use nested groups from Native Directory to mimic nested SAP groups for provisioning,
the component groups inherit the roles assigned to the nested group. The illustrated concept:
In addition to the roles assigned directly to it, each component role (for example, Group2)
inherits all the roles assigned to the nested group (Role8 and Role9 in the illustration). For
example, the role assi gnment of Grou p1 in the ill ustratio n is Role1, Role 8, and Role9. T he nested
group does not inherit the groups assigned to component groups.
Deployment Locations
Deployment location conventions:
●<
Hyperion_Home
> denotes the root directory where Hyperion products are installed. The
location of this directory is specified during the installation process. For example:
C:\Hyperion (Windows)
/vol1/Hyperion (UNIX)
●<
HSS_Home
C:\Hyperion\deployments\<
/vol1/Hyperion/deployments/<
> denotes the Shared Services root directory. For example:
App_Server_Name
App_Server_Name
>\SharedServices9 (Windows)
>/SharedServices9 (UNIX)
Prerequisites
●All SAP systems within the SAP landscape must be set up for single sign-on with the SAP
login ticket. User names must be normalized across the SAP landscape so that a user name
in one SAP system refers to the same user across all SAP systems. See the SAP documentation
for more information.
●Copy or download the SAP JCo binaries (.dll files for Windows and shared libraries for
UNIX) into
<Hyperion_Home>
/common/SAP/bin directory. For example:
/vol1/Hyperion/common/SAP/bin(UNIX)
C:\Hyperion\common\SAP\bin (Windows).
These binaries are available in your SAP distribution. Registered SAP users may also
download them from the SAP Web site
https://service.sap.com/connectors.
Setting Up SSO with SAP Enterprise Portal
23
●Copy or download the SAP JCo archives (.jar files) into
SAP/lib
directory. For example:
<Hyperion_Home>
/vol1/Hyperion/common/SAP/lib (UNIX)
C:\Hyperion\common\SAP\lib (Windows)
These binaries are available in your SAP distribution. Registered SAP users may also
download them from the SAP Web site
https://service.sap.com/connectors.
/common/
●Copy or download the following SAP libraries into
lib
directory. For example,
<Hyperion_Home>
/common/SAP/
/vol1/Hyperion/common/SAP/lib (UNIX)
C:\Hyperion\common\SAP\lib (Windows)
These libraries are required to verify the SAP SSO logon ticket provided to Hyperion
products. You can extract these libraries from the file system of any SAP J2EE Engine 6.30
or later release. Or extract them from Enterprise Portal EP60 SP2 or later by searching
through the SDA files containing libraries. This step is required only if Hyperion products
are plugged into SAP Enterprise Portal.
❍com.sap.security.core.jar
❍com.sap.security.api.jar
❍sapjco.jar
❍sap.logging.jar
❍iaik_jce.jar
❍iaik_jce_export.jar (if using the export version of the IAIK-JCE libraries)
●Expand the contents of each of the SAP jar files by running the explodejar.bat
(Windows) or explodejar.sh (UNIX) file available in the
SAP/lib
directory.
<Hyperion_Home>
/common/
Setting Up Authentication
24
●Using User Management Console, configure the SAP provider for Shared Services. See
“Configuring an SAP Provider” on page 46 for detailed information.
●If you are providing SSO to Hyperion products from SAP Enterprise Portal, install the SAP
Digital Certificate (SAP X509 certificate) in a convenient location. Hyperion recommends
that this certificate be installed in the following directory where the
●Using User Management Console, provision SAP users and groups to provide them
CSS.xml file is stored:
appropriate access rights to Hyperion products. See Chapter 8, “Managing Provisioning”
for detailed information.
Setting Up SSO from SiteMinder
Hyperion products can be integrated with Web access management solutions such as Netegrity
SiteMinder to provide SSO to Hyperion products. Where SSO from SiteMinder is accepted,
Hyperion products trust the authentication information sent by SiteMinder regarding the
protected resources on the user directory. The illustrated concept:
1. When a user logs in to SiteMinder to access Hyperion products, SiteMinder presents a login
screen. SiteMinder forwards the user credentials to the SiteMinder Policy Server, which
authenticates users against configured user directories.
2. If the user is authenticated, the SiteMinder Policy Server grants access to Hyperion products
and passes a SiteMinder token that has
HYPLOGIN is configured to SM_USERLOGINNAME parameter in SiteMinder.
Note:
In SiteMinder Version 6, configure HYPLOGIN to use SMUSER parameter. HYPLOGIN is a
header that you must create to support SiteMinder integration with Hyperion products. See
SiteMinder documentation for information on configuring
carry the user name of the authenticated user.
3. The Security API implemented on the Hyperion product parses the
and validates the user against the user directories configured on Shared Services.
4. Hyperion product checks Shared Services for the user's provisioning information. Based on
the provisioning information, the Hyperion product provides access to the user.
To enable SSO, SiteMinder and Shared Services must be configured to use the same set of user
directories. Also, the user directories configured in Shared Services must be set up to support
security agent for single sign on. See “Setting Global Parameters” on page 57 for details.
The SiteMinder–enabled SSO, general overview:
HYPLOGIN HTTP header appended to it.
HYPLOGIN HTTP header to
HYPLOGIN HTTP header
Setting Up SSO from SiteMinder
25
The following SiteMinder security agents are tested and supported for SSO with Hyperion
products:
●SiteMinder Policy Server 5.5 SP 2
●SiteMinder Web Agent 5.5 SP 2
Note:
The corporate user directories configured with Shared Services must be trusted when SSO from
SiteMinder is enabled. This is because Shared Services does not store a password in the token
when a security agent is used.
Special Considerations
SiteMinder is a Web only solution. Desktop applications and their addins (for example,
Microsoft Excel and Report Designer) cannot use authentication through SiteMinder.
Hyperion products are supported only on NTLM and LDAP-enabled user directories (including
MSAD).
Setting Up Authentication
26
Configuring the SiteMinder Policy Server
A SiteMinder administrator must configure the policy server to enable SSO to Hyperion
products.
The configuration process:
●Setting up protection for the Web resources of Hyperion products.
●Configuring a response that adds a custom HTTP header to make the user login name
available to Hyperion applications. The header must include the parameter
HYPLOGIN and
must contain the login name of the authenticated user.
See the “Responses and Response Groups” topic in the Netegrity Policy Design Guide for detailed
information. For example, if you use
attribute in the configuration file, the
cn from an LDAP–enabled user directory as the login name
HYPLOGIN parameter should carry the value of the cn
attribute, which is the login name of the authenticated user. SiteMinder administrators can also
configure the header to
SM_USERLOGINNAME (SMUSER for SiteMinder version 6), the user name
specified by the user during logon.
Configuring the SiteMinder Web Agent
The Web agent is installed on a Web server that intercepts requests for Hyperion application
Web resources, such as JSPs, ASPs, and HTML files on the application server. If these Web
resources are protected, the Web agent issues a challenge to unauthenticated users. When a user
is authenticated, the policy server adds
authenticated user. Thereafter, the HTTP request is passed on to the Web resources of the
Hyperion application, and the login name is extracted from headers.
HYPLOGIN, which carries the login name of the
SiteMinder supports SSO across Hyperion products running on heterogeneous Web server
platforms. If Hyperion products use different Web servers, you must ensure that the SiteMinder
cookie can be passed among Web servers within the same domain. You do this by specifying the
appropriate Hyperion application domain as the value of the
WebAgent.conf file of each Web server.
Cookiedomain property in the
See the “Configuring Web Agents” chapter in the Netegrity SiteMinder Agent Guide.
Note:
Because Shared Services uses basic authentication to protect its content, the Web server that
intercepts requests to Shared Services should enable basic authentication to support SSO with
SiteMinder.
Enabling SiteMinder Authentication in Shared Services
Integration with SiteMinder requires that you enable SiteMinder Authentication in Shared
Services. This can be done from User Management Console or by editing the
1 In Shared Services, configure the user directories that SiteMinder use to authenticate users. See the following
topics:
●“Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User
Directories” on page 40
●“Configuring an NTLM User Directory” on page 49
2 Select the Support for Security Agent for Single Sign-oncheck box to specify that the user directories are
used to support SSO from security agents such as SiteMinder. See “Setting Global Parameters” on page
57.
Other Procedures
You must perform these tasks, if not already completed:
●Using User Management Console, configure the corporate directories used by SiteMinder.
See Chapter 4, “Configuring User Directories.”
●Using User Management Console, provision the users and groups to grant appropriate
access to Hyperion products. See Chapter 8, “Managing Provisioning.”
Using NTLM to Support SSO
Shared Services allows you to configure Windows NT LAN Manager (NTLM) as a user directory
to support SSO. Refer to “Configuring an NTLM User Directory” on page 49 for information
on configuring the NTLM user directory.
Under these conditions, you must perform prerequisite steps to support SSO using NTLM:
●NTLM user directory is to be used to authenticate and provision users where Shared Services
and Hyperion products are running in a UNIX environment. In this scenario, Hyperion
Remote Authentication Module must be deployed on the Windows domain that contains
the user accounts.
●Shared Services and Hyperion products are running in a Windows environment, but users
are in Windows NTLM domains that are not trusted on the domain where the Shared
Services host machine is installed. The prerequisite for this scenario is that you deploy
Hyperion Remote Authentication Module on each domain that is not trusted by the domain
where Shared Services host machine is installed.
Do not implement Hyperion Remote Authentication Module if all users belong to the NTLM
domain where the Shared Services host machine is installed or if a trust relationship is established
between the domain where the Shared Services host machine is installed and the NTLM domains
to which users belong.
Setting Up Authentication
28
NTLM with UNIX Application Environments
The following illustration depicts how the Hyperion Remote Authentication Module enables
communication between NTLM and Shared Services running in a UNIX environment.
The Shared Services configuration file (CSS.xml) resides on the application server, as do the
Hyperion application binaries. For NTLM connectivity, you also need NTLM support library
css-9_3_0.dll) on the machine that hosts Hyperion Remote Authentication Module in
file (
the NTLM domain.
The NTLM Primary Domain Controller and the Hyperion Remote Authentication Module can
be on a Windows 2000 or Windows 2003 server. Hyperion does not recommend, however, that
you combine the Hyperion Remote Authentication Module with the NTLM Primary Domain
Controller on the same server. The Hyperion Remote Authentication Module host machine
needs to be in the same domain as the NTLM Primary Domain Controller.
Support for Multiple NTLM Domains
Hyperion Remote Authentication Module enables a Hyperion product to authenticate users
belonging to other NTLM domains that are not trusted by the domain on which Shared Services
is installed.
The following illustration depicts how users spread across multiple NTLM domains can be given
access to Hyperion products deployed in a Windows environment:
Using NTLM to Support SSO
29
Without the Hyperion Remote Authentication Module, the only way to use multiple NTLM
domains for Hyperion products is to establish trust relationships between the Shared Services
host machine's domain and the NTLM domains where user accounts are available.
Setting Up Authentication
30
Each NTLM domain is configured separately on Shared Services as a user provider. See
“Configuring an NTLM User Directory” on page 49 for detailed procedures.
Using NTLM to Support SSO
31
Setting Up Authentication
32
User Management Console
3
In This Chapter
Launching User Management Console...........................................................................................33
Overview of User Management Console .........................................................................................34
Navigating in User Management Console .......................................................................................34
Searching for Users, Groups, Roles, and Delegated Lists......................................................................34
Launching User Management Console
Launch User Management Console using one of the following methods:
●Using a browser and connecting to the User Management Console URL
●On Windows, navigating Start > All Programs > Hyperion > Foundation
Services > User Management Console
●From a Hyperion product interface
➤ To launch User Management Console by connecting to a URL:
1 Using a browser, access the following URL:
http://<server_name>:<port_number>
In the URL,
that hosts Shared Services is running and
Services is using; for example,
Note:
Pop-up blockers may prevent User Management Console from opening.
2 On the Logon screen, type your user name and password.
Initially, the only user who can access User Management Console is admin (default password
admin is password).
for
3 Click Log On.
Note:
<server_name>
indicates the name of the computer where the application server
http://myserver:58080/interop.
/interop
<port_number>
indicates the server port that Shared
Valid SAP users may get a CSSAuthenticationException error message during log on if the
SAP account is locked. Contact your SAP Administrator to unlock the account.
Launching User Management Console
33
If you receive Java Virtual Machine (JVM) errors in User Management Console while using
Microsoft Internet Explorer, ensure that your Internet Explorer installation includes Microsoft
XML parser (MSXML) version 4. MSXML is bundled with Internet Explorer 6.0.
To verify that you have the correct MSXML, check that the following file exists:
c:\winnt\system32\msxml4.dll
If this file is missing, install Internet Explorer 6.0 or later.
Overview of User Management Console
User Management Console comprises an Object Palette and task tabs. When you log in for the
first time, the User Management Console displays the Object Palette and a Browse tab.
The Object Palette is a navigation frame where you can choose objects (such as, user directories,
users, groups, projects, and applications). Typically, the details of your current selection in the
Object Palette are displayed in the Browse tab. Additional task tabs open as needed depending
on the task that you perform; for example, a Report tab when you generate a report, or a
Configure tab when you configure a user directory.
Depending on the current configuration, User Management Console lists your existing objects
—user directories, projects, and unassigned applications—on the Object Palette. You can
expand these object listings to view details. For example, you may expand the User Directories
object to view a list of all currently configured user directories. You may also search configured
user directories for users and groups.
A context-sensitive menu, accessible by right-clicking an object, is associated with some objects
on the Object Palette.
Navigating in User Management Console
When performing actions on objects in the Object Palette, you can right-click an object to access
a context-sensitive menu. These menu options change dynamically, depending on what you
select. The commands displayed on the right-click menu are also available on a menu from the
menu bar. Buttons representing currently enabled menu options are displayed on the toolbar.
Note:
Because Native Directory is administered from User Management Console, some menu options
available in the context-sensitive menu for Native Directory are not available for other user
directories.
Searching for Users, Groups, Roles, and Delegated Lists
User Management Console enables searching for users and groups from configured user
directories and for application roles registered with Native Directory.
User Management Console
34
When searching for users in Native Directory, you can search for all users, active users, or inactive
users. Search boxes that are displayed on the Browse tab reflect the search context based on the
selection in the Object Palette.
➤ To search for users, groups, roles or delegated lists:
1 In the Object Palette, expand User Directories.
2 Expand the user directory to search. Roles are available only in Native Directory.
3 To search for users:
a.Right-click Users.
b.Select a search context (All, Active, or Inactive).
Appropriate search boxes are displayed on the Browse tab.
Note:
You can select a search context only if you are searching within Native Directory.
c.Enter the search string and click Search. Use an asterisk (*) as the wildcard in pattern
searches. Alternatively, click Show All to list all users.
A list of users is displayed on the Browse tab.
4 To search for groups or roles:
a.Select Groups or Roles.
Appropriate search boxes are displayed on the Browse tab.
Note:
Shared Services considers Oracle and SQL Server roles as the equivalents of groups in user
directories. Oracle roles can contain other roles creating a hierarchy of roles. Shared
Services does not display the relationships between database roles in the search results but
honors them during the provisioning process. SQL Server roles cannot be nested. Because
DB2 does not support roles, Shared Services does not display groups if you select a DB2
database provider.
b.For Name, type the Search string and click Search. Use an asterisk (*) as the wildcard in
pattern searches. Alternatively, click Show All to list all groups or roles.
A list of groups or roles is displayed on the Browse tab.
5 To search for delegated lists:
a.Select Delegated Lists.
Appropriate search boxes are displayed on the Browse tab.
b.For List Name, type the Search string and click Search. Use an asterisk (*) as the wildcard
in pattern searches. Alternatively, click Show All to list all lists.
A list of matching delegated lists is displayed on the Browse tab.
Searching for Users, Groups, Roles, and Delegated Lists
35
User Management Console
36
4
In This Chapter
Configuring User Directories
Operations Related to User Directory Configuration............................................................................37
Using the Unique Identity Attribute to Handle Inter-OU Moves in LDAP-Enabled User Directories.........................38
Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User Directories...................................40
Configuring an SAP Provider......................................................................................................46
Configuring an NTLM User Directory..............................................................................................49
Configuring Relational Databases as User Directories .........................................................................50
Testing User Directory Connections ..............................................................................................53
Editing User Directory Settings....................................................................................................53
Deleting User Directory Configurations...........................................................................................54
Managing User Directory Search Order ..........................................................................................54
Setting Global Parameters ........................................................................................................57
Overriding Cache Refresh Interval for MSAD and other LDAP-Enabled User Directories....................................58
Setting Timeout to Resolve SAP Keystore File...................................................................................59
Using Special Characters..........................................................................................................61
Operations Related to User Directory Configuration
Native Directory is configured automatically when you install and deploy Shared Services. You
can configure external user directories to support SSO and authorization.
From User Management Console, you can perform several tasks related to configuring and
managing user directories. These topics provide instructions:
●Configuring user directories
❍“Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User
Directories” on page 40
❍“Configuring an SAP Provider” on page 46
❍“Configuring an NTLM User Directory” on page 49
❍“Configuring Relational Databases as User Directories” on page 50
●“Testing User Directory Connections” on page 53
●“Editing User Directory Settings” on page 53
Operations Related to User Directory Configuration
37
●“Deleting User Directory Configurations” on page 54
●“Managing User Directory Search Order” on page 54
●“Setting Global Parameters” on page 57
Using the Unique Identity Attribute to Handle Inter-OU Moves in
LDAP-Enabled User Directories
Native Directory, the default user directory for Hyperion products, maintains a link to
provisioned users and groups defined in external user directories. When the following actions
take place in an LDAP-based user directory including MSAD, these links are broken, creating
stale data in Native Directory and causing loss of access to Hyperionapplications.
●Users and groups are moved across Organizational Units (OU).
●Multiple users or groups are assigned identical common name (CN).
●CN of provisioned users or groups are modified.
Shared Services resolves this issue by using a unique identity attribute that identifies user
directory users and groups without reference to the location of their accounts.
Caution!
Before migrating to the unique identity attribute, you must clean the stale data, if any, in Native
Directory by running the Update Native Directory Utility utility. See Chapter 9, “Using the
Update Native Directory Utility to Clean Stale Native Directory Data” for detailed information.
Support for inter-OU moves can be implemented while you configure LDAP-enabled user
directories (see “Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User
Directories” on page 40).
Planning the Migration to the Unique Identity Attribute
You must migrate users and groups to the new unique identity attribute only if you face any of
the following scenarios in your MSAD or other LDAP-based user directories, which create
broken links and stale data in Native Directory.
●You moved users and groups across OUs.
●You have multiple users or groups with identical CN.
●You modified the CN of users or groups.
Configuring User Directories
38
Because migrating to the new unique identity attribute affects all Hyperion products, plan the
migration to minimize application downtime.
Back Up Native Directory and Hyperion Product Repositories
After migrating users and groups to use the new identity attribute, you cannot revert to the
previously used identity attribute. Before starting the migration, create backups of Native
Directory database and the Hyperion product databases that store user and group information.
●Native Directory repository
●Shared Services repository
●Essbase (security file)
●Oracle's Hyperion® Planning – System 9 repository
●Oracle's Hyperion® Financial Management – System 9 repository
●Oracle's Hyperion® Reporting and Analysis – System 9 repository
Migration Sequence
Before migrating to the unique identity attribute, run the Update Native Directory Utility if
Native Directorycontain stale data. See Chapter 9, “Using the Update Native Directory Utility
to Clean Stale Native Directory Data.”
Begin by migrating Shared Services users and groups to the unique identity attribute. If you use
Essbase and Planning, migrate Essbase users and groups, and then migrate Planning users and
groups.
You can migrate Financial Management and Reporting and Analysis users and groups anytime
after migrating Shared Services users and groups.
See “Product-Specific Updates” on page 128 for more information.
Behavior During Migration
After you migrate Shared Services users and groups to the unique identity attribute,Hyperion
products stop working until the user and group information contained in product-specific
repositories is updated to reflect the unique identity attribute.
Shared Services and Hyperion product migration to the unique identity attribute can take
considerable time, depending on the number of users and groups involved. Because Hyperion
products will not be available during this time, Hyperion recommends that you schedule in a
way that minimizes downtime.
Important Considerations When Using the Unique Identity Attribute
●The unique identity attribute can be set only for MSAD and other LDAP-enabled user
directories.
●For migration to work, all similar user directories configured on Shared Services must be
migrated to the new unique identity attribute. All MSAD user directory configurations must
be updated with the unique identity attribute before Shared Services can migrate MSAD
users and groups to the new attribute. Similarly, the configuration of all LDAP-enabled user
Using the Unique Identity Attribute to Handle Inter-OU Moves in LDAP-Enabled User Directories
39
directories other than MSAD (SunONE, IBM Directory Server, Novell eDirectory, and
custom user directories) must be updated to the new identity attribute before Shared Services
can migrate users and groups from these user directories to the new attribute.
For example, assume that three MSAD user directories are configured on Shared Services.
Two are configured to use the new identity attribute
configured to use the old identity attribute (
DN). In this scenario, users and groups are not
migrated until the third configuration also uses a unique attribute other than
●Reverse migration is not supported. After migrating to the new unique identity attribute,
you cannot return to the previous identity attribute (
ObjectGUID, and the third is
DN.
DN).
Hyperion recommends that you back up Native Directory database before migrating to the
new unique identity attribute. If you return to
DN as the identity attribute, you can restore
data from the backup.
●If your Release 9.2.x user directory configuration uses an attribute other than DN, you must
upgrade to Shared Services Release 9.3.1.
●Do not migrate to the unique identity attribute by using the Update Native Directory Utility
if you changed the attribute identified as
User Configuration screen or by editing
loginAttribute (using the Login field of the
CSS.xml). If you run the utility, provisioning data
of the users whose accounts are defined on the user directory for which the
loginAttribute is changed is deleted from Native Directory. You cannot recover the
deleted data; however, you can restore it from the latest backup.
Configuring Oracle Internet Directory, MSAD, and Other LDAPEnabled User Directories
Use the procedures in this section to configure any LDAP-enabled corporate user directory, such
as Oracle Internet Directory, MSAD, Sun Java System Directory Server, IBM Tivoli Directory
Server, or a custom user directory.
Note:
Existing Oracle Virtual Directories that are configured to use a database can be configured in
Shared Services as external LDAP providers.
➤ To configure Oracle Internet Directory, MSAD and other LDAP-enabled user directories:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 Select Administration > Configure User Directories.
The Defined User Directories screen opens. This screen lists all user directories, including Native
Directory, that are already configured.
3 Click Add.
4 In Directory Type, select an option:
Configuring User Directories
40
●Lightweight Directory Access Protocol (LDAP) to configure an LDAP-enabled user
directory other than MSAD.
●Microsoft Active Directory (MSAD) to configure MSAD.
5 Click Next.
The Connection Information screen for the selected user directory type opens.
6 Enter the required parameters.
Table 1 Connection Information Screen
Label
Directory ServerThe user directory product you are using. Select Other if you are using an LDAP Version 2 (or
NameA descriptive name for the user directory. Used to identify a specific user directory if multiple user
Host NameName of the server that hosts the user directory. Use the fully qualified domain name if the user
Description
later) product other than those listed.
The ID Attribute value changes to the recommended unique identity attribute for the selected
product.
Note: To configure an existing Oracle Virtual Directory that is configured with an underlying
database, choose
Example:
Other.
Oracle Internet Directory
directories are configured.
Example:
MY_OID
directory is to be used to support SSO from SiteMinder.
Example:
MyServer
Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User Directories
41
LabelDescription
PortThe server port number where the user directory is running.
Example:
389
Base DNThe distinguished name (DN) of the container in the user directory hierarchy where the search for
users and groups should begin. You can also use the Fetch DNs button to list available Base DNs
and then select the appropriate Base DN from the list.
See “Using Special Characters” on page 61 for restrictions on the use of special characters.
Hyperion recommends that you be as specific as possible while identifying the Base DN.
Example:
dc=example,dc=com
ID AttributeThe attribute that carries the identity of the user. The recommended value of this attribute, which
must uniquely identify a user in the user directory, is automatically set for Oracle Internet Directory
orclguid, SunONE (nsuniqueid), IBM Directory Server (Ibm-entryUuid), Novell
eDirectory (
GUID), and MSAD (ObjectGUID). You may change the default value if necessary.
See “Important Considerations When Using the Unique Identity Attribute” on page 39.
Maximum SizeMaximum number of results that a search can return.
For LDAP-enabled user directories other than MSAD, leave this blank to retrieve all users and
groups that meet the search criteria. The maximum size entered in this screen is constrained by
the user directory settings.
For MSAD, set this value to
0 to retrieve all users and groups that meet the search criteria.
SSL EnabledThe check box that enables the use of Secure Socket Layer (SSL) for communication with this
user directory.
Anonymous BindThe check box to indicate that Shared Services can bind anonymously to the user directory to
search for users and groups. If this option is not selected, you must specify in the User DN an
account with sufficient access permissions to search the directory where user information is stored.
Oracle Internet Directory connections do not support anonymous binds.
Note: Hyperion recommends that you do not bind anonymously with the user directory.
TrustedThe check box to indicate that this provider is a trusted source. User credentials from trusted
sources are not validated during SSO. If this option is not set, the user credentials are validated
every time the user requests SSO to a different Hyperion product.
User DNThis box is disabled if the Anonymous bind option is selected.
The user account that Shared Services should use to establish a connection with the user directory.
Typically, for LDAP-enabled user directories other than MSAD, you use the Directory Manager
cn=Directory Manager for this purpose. For MSAD, you use the Security Account
account
Manager name (
sAMAccountName).
You may use other accounts that have sufficient access permissions to search the directory where
user information is stored. Notice that this account must have proxy right to authenticate as a
different user.
Special characters are not allowed in the User DN value. See “Using Special Characters” on page
61 for restrictions on the use of special characters.
Example:
● cn=Directory Manager (user directories other than MSAD)
● sAMAccountName=pturner (MSAD)
Configuring User Directories
42
LabelDescription
Append Base DNThe check box for appending the base DN (the distinguished name of the node where the search
for users and groups could begin) to the specified value. Do not append Base DN to the Directory
Manager account.
This check box is disabled if the Anonymous bind option is selected.
PasswordPassword of the account specified in the User DN box.
This box is disabled if the Anonymous bind option is selected.
Example:
UserDNpassword
7 Click Next.
The User Configuration screen for the selected user directory type opens. Shared Services uses
the properties set in this screen to create a filter that is used to search for users in the user directory.
Using this filter speeds the search.
Hyperion recommends that you use the Auto C onfigure area of the screen to retrieve the required
information.
Note:
Data entry in the User Configuration screen is optional. If you do not specify the settings for the
filter, Shared Services searches the entire directory structure to locate users. This may have
performance implications, especially if the user directory contains accounts for many users.
Caution!
If the user URL is not set for user directories that contain / (slash) or \ (backslash) in its node
names, the search for users and groups fails. For example, any operation to list the user or group
fails if the user URL is not specified for a user directory where users and groups exist in a node
such as
OU=child\ou,OU=parent/ou, or OU=child/ou,OU=parent\ou.
8 In the text box in the Auto Configure area, enter a unique user identifier.
Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User Directories
43
The user identifier must be expressed in the format <attribute>=<identifier>; for
example,
uid=jdoe.
Attributes of the user are displayed in the User Configuration area.
If you are configuring Oracle Internet Directory as a user directory, you cannot automatically
configure the filter because the root DSE of Oracle Internet Directory does not contain entries
in the Naming Contexts attribute. See Oracle documentation for detailed information.
Note:
You can manually enter required user attributes into text boxes in the User Configuration area.
Table 2 User Configuration Screen
Label
User RDNThe Relative DN of the user. Each component of a DN is called an RDN and represents a branch in
LoginThe attribute that stores the login name of the user. Users use the value of this attribute as the User
First NameThe attribute that stores the first name of the user.
Last NameThe attribute that stores the last name of the user.
EmailThe attribute that stores the e-mail address of the user (optional)
Object Class Object classes of the user (the mandatory and optional attributes that can be associated with the
Description
the directory tree. The RDN of a user is generally the equivalent of the
See “Using Special Characters” on page 61 for restrictions on the use of special characters.
Example:
Name while logging into Hyperion products.
Example:
Example:
Example:
Example:
user). Shared Services uses the object classes listed in this screen in the search filter. Using these
object classes, Shared Services should find all users who should be provisioned.
ou=People
uid
givenName
sn
mail
uid or cn.
9 Click Next.
Configuring User Directories
44
You can manually add additional object classes if needed. To add an object class, type the object
class name into the Object class box and click Add.
Delete object classes by selecting the object class and clicking Remove.
Example:
person, organizationalPerson, inetorgperson
Note:
Data entry in the Group Configuration screen is optional. If you do not enter the group filter
settings, Shared Services searches the entire directory structure to locate groups. This process
can negatively affect performance, especially if the user directory contains many groups.
The Group Configuration screen for the selected user directory type opens. Shared Services uses
the properties set in this screen to create a filter to search for groups in the user directory. Using
this filter speeds the search.
10 Clear Support Groups if you do not plan to provision groups or if users are not categorized into groups on
the user directory. Deselecting this option disables the fields on this screen.
If you are supporting groups, Hyperion recommends that you use the Auto Configure area to
retrieve the required information.
If you are configuring Oracle Internet Directory as a user directory, you cannot automatically
configure the filter because the root DSE of Oracle Internet Directory does not contain entries
in the Naming Contexts attribute. See Oracle documentation for detailed information.
11 In the Auto Configure area, enter a unique group identifier and click Go.
The group identifier must be expressed in <attribute>=<identifier> format; for example,
cn=western_region.
Attributes of the group are displayed in the Group Configuration area.
Note:
You can manually enter required group attributes into text boxes in the Group Configuration
area.
Caution!
If the group URL is not set for user directories that contain / (slash) or \ (backslash) in its node
names, the search for users and groups fails. For example, any operation to list the user or group
fails if the group URL is not specified for a user directory in which users and groups exist in a
node such as
OU=child\ou,OU=parent/ou or OU=child/ou,OU=parent \ ou.
Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User Directories
45
Table 3 Group Configuration Screen
Label
Group RDNThe Relative DN of the group. Each component of a DN is called an RDN and represents a branch
Group FilterAn LDAP query that retrieves only the groups that are to be provisioned with Hyperion product roles.
Description
in the directory tree. This value, which is relative to the Base DN, is used as the group URL.
Specify a Group RDN that identifies the lowest user directory node where all the groups that you
plan to provision are available.
The Group RDN has a significant impact on login and search performance. Because it is the starting
point for all group searches, you must identify the lowest possible node within which all groups for
Hyperion products are available. To ensure optimum performance, the number of groups present
within the Group RDN should not exceed 10,000. If more groups are present, use an appropriate
group filter to retrieve only the groups you want to provision.
Note: Shared Services displays a warning if the number of available groups within the Group URL
exceeds 10,000.
See “Using Special Characters” on page 61 for restrictions on the use of special characters.
Example:
For example, the LDAP query
Hyp.
The group filter is used to limit the number of groups returned during a query. Group filters are
especially important if the node identified by the Group RDN contains groups that need not be
provisioned. Filters can be designed to exclude the groups that are not to be provisioned, thereby
improving performance.
ou=Groups
(cn=Hyp*) retrieves only groups whose names start with the prefix
Name AttributeThe attribute that stores the name of the group.
Example:
Object classObject classes of the group (the mandatory and optional attributes that can be associated with the
group). Shared Services uses the object classes listed in this screen in the search filter. Using these
object classes, Shared Services should find all the groups associated with the user.
You can manually add additional object classes if needed. To add an object class, type the object
class name into the Object class text box and click Add.
To delete object classes, select the object class and click Remove.
Example:
cn
groupofuniquenames?uniquemember
12 Click Finish.
Shared Services saves the configuration and returns to the Defined User Directories screen, which
now lists the user directory that you configured.
13 Test the configuration. See “Testing User Directory Connections” on page 53.
14 Add the user directory to the search order used by Shared Services. See “Adding a User Directory to the
Search Order” on page 55 for details.
15 Specify global parameters if needed. See “Setting Global Parameters” on page 57 for details.
Configuring an SAP Provider
Before starting these procedures, meet all prerequisites in “Prerequisites” on page 23.
Configuring User Directories
46
By default, the timeout for resolving SAP keystore file is set to 10 seconds. After configuring an
SAP provider, you can manually edit the
CSS.xml file to set a different timeout. See “Setting
Timeout to Resolve SAP Keystore File” on page 59 for details.
➤ To configure an SAP provider:
1 Launch User Management Console. See “Launching User Management Console” on page 33.
2 Select Administration > Configure User Directories.
The Defined User Directories screen that lists all configured user directories, including Native
Directory, opens.
3 Click Add.
4 In the Directory Type screen, select SAP and click Next.
The SAP Connection Information screen opens.
5 In the SAP Connection Information screen, enter the appropriate configuration parameters.
Table 4 SAP Connection Information Screen
Label
NameA unique configuration name for the SAP provider. You use this name to identify
Description
the SAP provider in situations where multiple SAP providers are defined in Shared
Services.
Example:
MY_SAP_DIRECTORY
Configuring an SAP Provider
47
LabelDescription
SAP Server NameThe host name (or the IP address) of the computer where the SAP Server is
running, or the SAP router address.
Example:
myserver
Client NumberThe client number of the SAP system to which you want to connect.
Example:
001
System NumberThe system number of the SAP System to which you want to connect.
Example:
00
User IDThe user name that Shared Services should use to access SAP. This user must
have access permissions to use Remote Function Calls (RFC) to connect to SAP
and to access user, activity groups, and their relationship data.
Example:
my_sap_user
PasswordThe password of the user identified in the User ID box.
Example:
my_sap_password
Max EntriesThe maximum entries that a query to the SAP provider can return.
Example:
100
Pool SizeJCo connection pool size.
Example:
10
Pool NameA unique name for the connection pool that should be used to establish a link
between Shared Services and SAP.
Example:
HYPERION_SAP_POOL
LanguageLanguage for messages, for example error messages, from SAP. By default, this
is read from the system locale of the server hosting Shared Services.
Example:
EN
Location of SAP Digital CertificateThe location of SAP X509 certificate. Hyperion products use this certificate to
parse the SAP login ticket and to extract the user ID needed to support SSO.
Required only if Hyperion products are plugged into SAP Enterprise Portal.
Example:
Hyperion/common/SAP/bin
C:\Hyperion\common\SAP\bin (Windows) or /app/
(UNIX).
SSL EnabledCheck box that enables you to use Secure Socket Layer (SSL) to communicate
between Shared Services and the SAP provider.
TrustedCheck box that enables you to specify that this provider is a trusted source. User
credentials from trusted sources are not validated during SSO. If you do not select
this option, user credentials are validated every time user requests SSO to a
different Hyperion product.
6 Click Save.
Shared Services saves the configuration and returns to the Defined User Directories screen, which
now lists the SAP provider that you configured.
Configuring User Directories
48
7 Test the SAP provider configuration. See “Testing User Directory Connections” on page 53.
8 Add the SAP provider to the search order used by Shared Services. See “Adding a User Directory to the
Search Order” on page 55 for details.
9 Specify global settings if needed. See “Setting Global Parameters” on page 57 for details.
Configuring an NTLM User Directory
Before starting these procedures, meet all the prerequisites in “Using NTLM to Support SSO”
on page 28.
➤ To configure an NTLM user directory:
1 Launch the User Management Console. See “Launching User Management Console” on page 33.
2 Select Administration > Configure User Directories.
The Defined User Directories screen that lists all the configured user directories, including Native
Directory, opens.
3 Click Add.
4 In Directory Type select NT LAN Manager (NTLM) and click Next.
The NTLM Connection Information screen opens.
5 Enter the required configuration parameters in the NTLM Connection Information screen.
Table 5 NTLM Connection Information Screen
Label
NameA unique configuration name for the NTLM user directory. You use this name to identify the directory
Description
in situations where multiple NTLM directories are configured with Shared Services.
Example:
MY_NTLM_DIRECTORY
Configuring an NTLM User Directory
49
LabelDescription
DomainThe name of the NTLM domain. You may use the Fetch Domain button to retrieve the domain name.
If the domain is not specified, Shared Services, at run time, detects and uses all visible domains.
This may affect performance. The search order is: local computer, domain of local computer, and
trusted domains visible to the local computer.
Note: Because Shared Services does not detect domains when NTLM is used with Hyperion Remote
Authentication Module (HRAM), you must specify the domain if HRAM is used.
Example:
TrustedCheck box to indicate that this provider is a trusted source. User credentials from trusted sources
are not validated during SSO. If this option is not selected, Hyperion products validate user
credentials every time the user switches between Hyperion products.
Maximum SizeMaximum number of entries that a query to the NTLM user directory can return.
Example:
HostnameName of the Windows server where HRAM is installed to support SSO to Hyperion products running
in a UNIX environment. Required only if Hyperion products are running in a UNIX environment.
Example:
PortThe port number where HRAM is running.
Example:
MY_DOMAIN
100
MyHRAMServer
3891
6 Click Finish.
Shared Services saves the configuration and returns to the Defined User Directories screen, which
now lists the NTLM provider that you configured.
7 Test the configuration. See “Testing User Directory Connections” on page 53.
8 Add the user directory to the search order used by Shared Services. See “Adding a User Directory to the
Search Order” on page 55 for details.
9 Specify additional parameters, if needed, for the NTLM user directory. See “Setting Global Parameters” on
page 57 for details.
Configuring Relational Databases as User Directories
User and group information from the system tables of Oracle, SQL Server, and IBM DB2
relational databases can be used to support provisioning. If group information cannot be derived
from the database's system schema, Shared Services does not support the provisioning of groups
from that database provider. For example, Shared Services cannot extract group information
from IBM DB2, because the database uses groups defined on the operating system. You can,
however, add these users to groups in Native Directory and provision those groups.
You must configure Shared Services to connect to the database as the database administrator;
SYSTEM user, to retrieve the list of users and groups.
Configuring User Directories
50
for example, Oracle
Note:
Shared Services can retrieve only active database users for provisioning. Inactive and locked
database user accounts are ignored.
➤ To configure database providers:
1 Launch User Management Console. See “Launching User Management Console” on page 33.
2 Select Administration > Configure User Directories.
The Defined User Directories screen, which lists all configured user directories, including Native
Directory, opens.
3 Click Add.
4 In the Directory Type screen, select Relational Database (Oracle, DB2, SQL Server).
5 Click Next.
6 In the Database Configuration tab, enter configuration parameters.
Table 6 DB Connection Information Screen
Label
Database TypeThe relational database vendor. Shared Services supports only Oracle, IBM
NameA unique configuration name for the database provider. You use this name
ServerThe host name (or the IP address) of the computer where the database server
Description
DB2, and SQL Server databases as database providers.
Example:
to identify the database provider in situations where multiple providers are
defined in Shared Services.
Example:
is running.
Example:
Oracle 9i, 10g
Oracle_DB_FINANCE
myserver
Configuring Relational Databases as User Directories
51
LabelDescription
PortThe port where the database server is available to accept requests.
Example:
Service/SID (Oracle only)The system identifier (default is orcl).
Example:
Database (SQL Server and DB2 only)The database to which Shared Services should connect.
Example:
User NameThe user name that Shared Services should use to access the database. This
user must have access privileges to database system tables. Hyperion
recommends that you use the database Administrator's user name for SQL
Server and IBM DB2 databases, and the
databases.
Example:
PasswordThe password of the user identified in the User Name box.
Example:
TrustedCheck box that enables you to specify that this provider is a trusted source.
User credentials from trusted sources are not validated during SSO. If you do
not select this option, user credentials are validated every time a user
requests SSO to a different Hyperion product.
1521
orcl
master
system account for Oracle
SYSTEM
system_password
7 Optional: To define the maximum database connection pool size (default is 10), click Next.
The Advanced Database Configuration screen opens.
8 In Max ConnectionPool Size, enter the maximum number of connections in the database connection pool
created for this provider.
9 Click Finish.
10 Click OK to return to the Defined User Directories screen.
11 Test the database provider configuration. See “Testing User Directory Connections” on page 53.
12 Add the database provider to the search order used by Shared Services. See “Adding a User Directory to the
Search Order” on page 55 for details.
13 Specify global settings if needed. See “Setting Global Parameters” on page 57 for details.
14 Restart Shared Services.
Configuring User Directories
52
Testing User Directory Connections
After configuring a user directory, test the connection to ensure that Shared Services can
successfully connect to the user directory using the current settings.
Note:
Establishing a successful test connection does not mean that Shared Services will use the
directory. Shared Services uses only the directories that have been assigned a search order.
➤ To test user directory connection:
1 Launch the User Management Console, as explained in “Launching User Management Console” on page
33.
2 Select Administration > Configure User Directories.
The Defined User Directories screen that lists all the configured user directories, including Native
Directory, opens.
3 From the list of user directories, select the directory to test.
4 Click Test.
A status message indicating the results of the test is displayed.
5 Click OK.
Editing User Directory Settings
You can modify any of the parameters of an existing user directory configuration. Hyperion
recommends not editing the configuration data of user directories that have been used for
provisioning.
Caution!
Editing some settings, for example, the Base DN, in the user directory configuration invalidates
provisioning data. Exercise extreme care when modifying the settings of a user directory that
has already been provisioned.
➤ To edit a user directory configuration:
1 Launch the User Management Console, as explained in “Launching User Management Console” on page
33.
2 Select Administration > Configure User Directories.
3 From Defined User Directories screen, select the user directory to edit.
4 Click Edit.
5 Modify the configuration settings as needed.
Testing User Directory Connections
53
For explanation of the parameters you can edit, see the following tables:
●MSAD and other LDAP-enabled user directories:
❍Table 1, “ Connection Information Screen,” on page 41
❍Table 2, “ User Configuration Screen,” on page 44
❍Table 3, “ Group Configuration Screen,” on page 46
●SAP providers: Table 4, “ SAP Connection Information Screen,” on page 47
●NTLM user directories: Table 5, “NTLM Connection Information Screen,” on page 49
●Database providers: Table 6, “ DB Connection Information Screen,” on page 51
6 Click Finish to save the changes.
Deleting User Directory Configurations
You can delete a user directory configuration at any time. Deleting a directory configuration
invalidates all the provisioning information for the users and groups derived from the user
directory. It also removes the directory from the search order.
Tip:
If you do not want to use a configured user directory that was used for provisioning, remove it
from the search order so that the user directory is not searched for users and groups. This action
maintains the integrity of provisioning information. It also enables you to use the user directory
at a later time, if needed.
➤ To delete a user directory configuration:
1 Launch the User Management Console, as explained in “Launching User Management Console” on page
33.
2 Select Administration > Configure User Directories.
3 From Defined User Directories screen, select the directory to delete.
4 Click Delete.
Managing User Directory Search Order
The search order associated with a configured user directory determines the position of the
directory in the search order that Shared Services uses to retrieve user and group information.
Shared Services ignores user directories that are not included in the search order. Consequently,
these user directories are not used to support authentication and provisioning.
Configuring User Directories
54
Note:
Shared Services terminates the search for the user or group when it first encounters the specified
user account. If a user has multiple accounts across user directories, Shared Services retrieves
the account from the user directory that is listed first in the search order.
By default, Native Directory is set as the first directory in the search order. Additional user
directories are given the next available sequence number in the search order. You can perform
these tasks to manage the search order:
●“Adding a User Directory to the Search Order” on page 55
●“Changing the Search Order” on page 56
●“Removing a Search Order Assignment” on page 56
Adding a User Directory to the Search Order
The order in which you add a user directory to the search order is retained as the default search
order. You must have already configured the user directory that you want to include in the search
order. To configure a user directory, see these topics:
●“Configuring Oracle Internet Directory, MSAD, and Other LDAP-Enabled User
Directories” on page 40
●“Configuring an SAP Provider” on page 46
●“Configuring an NTLM User Directory” on page 49
●“Configuring Relational Databases as User Directories” on page 50
➤ To add a user directory to the search order:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 Select Administration > Configure User Directories.
3 From Defined User Directories screen, select the directory to add to the search order.
4 Click Add.
This button is available only if you have selected a user directory that is not already used in the
search order.
Note:
If you have NTLM and MSAD user directories configured, ensure that the MSAD user directory
comes after NTLM in the search order.
Shared Services assigns a default search order, which you may change. For more information,
see “Changing the Search Order” on page 56.
Managing User Directory Search Order
55
Changing the Search Order
The default search order assigned to each user directory, including Native Directory, is based
on the sequence in which the directory was added to the search order.
➤ To change the search order:
1 Launch the User Management Console, as explained in “Launching User Management Console” on page
33.
2 Select Administration > Configure User Directories.
3 From Defined User Directories screen, select the directory whose search order you want to change.
4 Click Move Up or Move Down as needed.
Note:
If you have NTLM and MSAD user directories configured, ensure that the MSAD user directory
comes after NTLM in the search order.
Shared Services displays a message indicating that the search order was updated.
5 Click OK.
The Defined User Directories screen is displayed, which lists the user directories in the updated
order.
Removing a Search Order Assignment
Deleting a user directory from the search order does not invalidate the directory configuration.
It merely removes the user directory from the list of directories that are searched for
authenticating users. A directory that is not included in the search order is set to
status. When you remove a user directory from the search order, the search sequence assigned
to the other user directories is automatically updated.
Note:
You cannot remove Native Directory from the search order.
➤ To delete a user directory from the search order:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 Select Administration > Configure User Directories.
3 From Defined User Directories screen, select the directory to remove from the search order.
Not Used
4 Click Remove.
5 Click OK.
Configuring User Directories
56
Shared Services displays a confirmation dialog box.
Shared Services displays a message indicating that the search order was updated.
6 Click OK to return to the Defined User Directories screen, which lists the status of the user directory as
Not Used.
Setting Global Parameters
These global parameters are applicable to all user directories included in the search order.
●Token timeout–Specifies the time, in minutes, after which the SSO token issued by Hyperion
products or the security agent will expire. Users are forced to log in again after this period.
Note:
Token timeout is not the same as session timeout.
●Logging level–Sets the level at which security issues are recorded in the Shared Services
security log file.
Administrators can change the Shared Services log level on-the-fly to capture relevant
information to debug Shared Services issues. Shared Services application server restart is not
required to activate log level change.
Log files belonging to Hyperion products are stored in <
Hyperion_Home
>/logs, allowing
administrators to easily locate log files to monitor the applications and troubleshoot issues.
Product log files are created in a product-specific folder. For example, Shared Services logs
are in <
Hyperion_Home
>/logs/SharedServices9. Existing log files are not moved to
the new location.
●Delegated User Management Mode–Supports the distributed management of provisioning
activities.
●Support for Security Agent for Single Sign-on–Indicates whether user directories are used
to support SSO from security agents such as SiteMinder.
➤ To set global parameters:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 Select Administration > Configure User Directories.
3 In Defined User Directories, set global parameters.
Table 7 Global Parameters for User Directories
Parameter
Token TimeoutTime limit (in minutes) after which the SSO token issued by Hyperion
Description
products/security agent becomes invalid. Users will be logged out
after token timeout period. Token timeout is set based on the server's
system clock.
Example:
480
Setting Global Parameters
57
ParameterDescription
Logging levelLevel at which user directory related issues are recorded in the Shared
Services security log files.
Example:
Support for Security Agent for Single Sign-onOption enabling support for SSO from security agents such as
SiteMinder.
Enable Delegated User Management ModeOption enabling delegated user management of Hyperion products.
See Chapter 6, “Delegated User Management.”
WARN
4 Click OK.
Overriding Cache Refresh Interval for MSAD and other LDAPEnabled User Directories
By default, Shared Services uses 60 minutes as the cache refresh interval; the period after which
Shared Services refreshes its internal cache of information retrieved from each LDAP-enabled
user directory configured with Shared Services.
Provisioning information for newly added users and groups in LDAP-enabled user directories
is available to Shared Services only after the next cache refresh. This may result in new users and
members of new groups not getting their provisioned roles for up to 60 minutes.
2 Insert the following code into the definition of the LDAP-enabled user directory for which you want to modify
cache refresh interval. This line must be placed immediately after the
authType>
<cacheRefreshInterval>
Be sure to replace
<cacheRefreshInterval>10</cacheRefreshInterval> to set the interval to 10 minutes.
You can set the interval to
code line.
<interval>
<interval>
</cacheRefreshInterval>
with the desired cache refresh interval in minutes. For example,
0 if you want to refresh the cache for every call. This affects
<authType>simple</
performance.
Note:
Cache refresh interval must be set separately for each LDAP-enabled user directory.
3 Save and close the CSS.xml file.
4 Restart the application server if it is running.
Configuring User Directories
58
Setting Timeout to Resolve SAP Keystore File
By default, Shared Services uses 10 seconds as the timeout for resolving the SAP keystore file.
You can override this value in the Shared Services configuration file.
➤ To change the timeout for resolving the SAP keystore file:
2 Insert the following code into the SAP provider definition. This code must be placed immediately after the
token timeout declaration.
<keystore>
<timeout><interval></timeout>
</keystore>
Be sure to replace
example,
<timeout>22</timeout> to set the interval to 22 seconds.
3 Save and close CSS.xml.
4 Restart the application server if it is running.
Connection Pooling
Previous releases of Hyperion products created connection threads to external user directories
on a need-to-use basis. To improve performance, Shared Services allows connection pooling
where user directory connections use a common connection pool.
>/config. For example, C:\Hyperion\deployments\WebLogic9
<interval>
(WebLogic 9.1 on Windows) and /vol1/Hyperion/
(WebLogic 9.1 on UNIX).
with the desired keystore timeout interval in seconds. For
Shared Services uses a default connection pool setting that is used for all configured user
directories. Default connection pool settings are not recorded in
connection pool settings for a user directory, you must update the configuration settings of the
user directory in
do not contain a connection pool definition use the default connection pool.
CSS.xml with a connection pool definition. User directory configurations that
CSS.xml. To use custom
➤ To define connection pool for a user directory configuration:
<maxSize>Maximum number of connections in the pool. Default is
100 for LDAP-enabled directories, including MSAD, and
300 for Native Directory.
<timeout>Timeout (in milliseconds) to get the connection from the
pool. An exception is thrown after this period. Default is
300000 milliseconds (5 minutes).
<evictInterval>Optional: The interval (in minutes) for running the eviction
process to clean up the pool. The eviction process cleans
up idle connections that have exceeded the
allowedIdleConnTime. Default is 60 minutes.
<allowedIdleConnTime>Optional: The time (in minutes) after which idle
connections in the pool are cleaned up by the eviction
process. Default is 120 minutes.
<growConnections>This option indicates whether the connection pool can
grow beyond
<maxSize>. Default is false. If you do not
allow the connection pool to grow, the system throws an
error if a connection is not available within the time set for
<timeout>.
Configuring User Directories
60
3 Verify that each user directory configuration contains a connection pool definition.
4 Optional: Define socket connection timeout for user directories by including the <socketTimeOut>
parameter in the Native Directory user directory definition. For example, the following setting specifies a
socket timeout of 5 seconds.
<socketTimeOut>60000</socketTimeOut>
Note:
Socket timeout set for Native Directory applies to all configured user directories.
Use a high socket timeout value in the following scenarios:
●A large number of users and groups are defined in the user directory.
●The machines that host the user directories are geographically distant from the machine that
hosts Shared Services.
●A low-bandwidth network connection exists between the machine that hosts Shared Services
and the machine that hosts the user directory.
A sample Native Directory definition containing socket timeout definition:
5 Save and close CSS.xml.
6 Restart Shared Services and all Hyperion products.
Using Special Characters
MSAD and other LDAP-enabled user directories allow special characters in entities such as DNs,
user names, roles, and group names. Special handling may be required for Shared Services to
understand such characters.
Generally, you must use escape characters while specifying any special character used in user
directory settings for LDAP-enabled user directories, including MSAD; for example, user and
group URLs and Base DN. Native Directory and NTLM do not require special handling of
characters.
Table 9 lists the special characters that can be used in user names, group names, user URLs,
group URLs, and in the value of OU in user DN. Native Directory and NTLM do not require
special handling of characters.
Using Special Characters
61
Table 9 Supported Special Characters
Character
Name or MeaningCharacterName or Meaning
(open parenthesis$dollar
)close parenthesis+plus
“quotation mark/slash
'single quotation mark\backslash
,comma^caret
&ersand;semicolon
=equal to#pound
<less than@at
>greater than
Table 10 Special Characters that Should not Be Used in Application IDs
Character
Name or MeaningCharacterName or Meaning
,comma;semicolon
<less than+plus
>greater than=equal to
&ersand
Table 11 Special Characters that Should not Be Used in Application Names
Character
Name or Meaning
[open bracket
]close bracket
(open parenthesis
)close parenthesis
●Special characters are not permitted in the value set for the Login User attribute.
●Asterisk (*) is not supported in user names, group names, user and group URLs, and in the
name of the OU in UserDN.
●Attribute values containing a combination of special characters are not supported.
●Ampersand (&) can be used without an escape character. For MSAD settings, & must be
specified as
&.
Configuring User Directories
62
●User and group names cannot contain both a backslash (\) and slash (/). For example, names
such as
test/\user and new\test/user are not supported.
●Space is not supported as a special character in Base DN.
Table 12 Characters that Need not Be Escaped
Character
Name or MeaningCharacterName or Meaning
(open parenthesis'single quote
)close parenthesis^caret
$dollar@at
These characters must be escaped if you use them in user directory settings (user names, group
names, user URLs, group URLs and User DN).
If the user URL is not specified, users created within the RDN root must not contain / (slash)
or \ (backslash). Similarly, these characters should not be used in the names of groups created
within the RDN root if a group URL is not specified. For example, group names such as
OU=child\ou,OU=parent/ou or OU=child/ou,OU=parent\ou are not supported. This
issue does not apply if you are using a unique attribute as the
Applications and projects are two important Shared Services concepts. An application is a
reference to a single instance of a Hyperion application that is registered with Shared Services.
The registration process makes Shared Services aware of the existence of the Hyperion
application. All provisioning activities are performed against an application.
In User Management Console, Hyperion applications are organized into projects. A project is
a container for applications. For example, a project may consist of a Reporting and Analysis
application and a Planning application. To provision users to an application, the application
must belong to a project.
This chapter contains information on creating and managing projects. It also provides
information on working with applications.
Working with Projects
A project is a container for Hyperion applications. For example, a project may contain a Planning
application and one or more Reporting and Analysis applications. An application can belong to
only one project.
Applications that are registered withShared Services but do not yet belong to a project are listed
under Unassigned Applications in User Management Console.
The applications that are registered with Shared Services but have not been assigned to a project
are listed under the Unassigned Applications node within User Management Console.
Applications assigned to a project are listed under the Projects node of User Management
Console.
An application can belong to only one project, but a project may contain multiple applications.
You can start the provisioning process only after applications are assigned to projects.
Topics covering project management tasks:
Overview
65
●“Creating Projects ” on page 66
●“Modifying Project Properties” on page 67
●“Deleting Projects ” on page 67
Note:
You must be a Shared Services Administrator or Project Manager to create and manage projects.
Shared Services Administrators can work with all registered applications but a Project Manager
can work only with the application for which that person is the project manager.
Creating Projects
During the project creation process, you can also assign applications to the new project.
➤ To create a project:
1 Launch the User Management Console, as explained in “Launching User Management Console” on page
33.
2 Right-click Projects in the Object Palette, and select New.
3 Enter a unique project name in Name text box and enter an optional description in Description box.
Note:
Project names that start with the less than symbol (<), for example <my_project do not appear
in the Provisioning screen. Hyperion recommends that you create project names that start with
a character other than the less than symbol.
4 To assign applications to this project:
a.From List Applications in Project, select<Unassigned Applications> or an existing
project that contains applications that you want to assign to the project.
b.Click Update List to list the applications in the Available Applications list.
c.From Available Applications, select the applications to assign to the project and click
Add.
The selected applications appear in the Assigned Applications list.
d.To remove an assigned application, from Assigned Applications, select the application to
remove from the project and click Remove. To remove all applications from the Assigned
Applications list, click Reset.
5 Click Finish.
6 Click Create Another to create another project, or OK to close the status screen.
Working with Applications and Projects
66
Modifying Project Properties
You can modify all properties and settings of an existing project, including application
assignments.
Note:
You can also add applications to projects by moving them from another project or from the
Unassigned Applications node. Refer to “Moving Applications ” on page 69.
➤ To modify a project:
1 Launch the User Management Console, as explained in “Launching User Management Console” on page
33.
2 Select Projects from the Object Palette.
3 On the Browse tab, right-click the project to modify and select Open.
4 Modify the project properties as needed. See step 4 on page 66 for information on assigning or removing
applications.
5 Click Save.
Deleting Projects
Deleting a project removes the association of applications with the project, removes provisioning
assignments from applications within the project, and deletes the project container. Applications
from deleted projects are moved to the Unassigned Applications node.
➤ To delete a project:
1 Launch the User Management Console, as explained in “Launching User Management Console” on page
33.
2 Select Projects from the Object Palette.
3 In the Browse tab, right-click the project and select Delete.
4 Click OK in the confirmation screen.
Managing Applications
User Management Console keeps track of all Hyperion applications that are registered with
Shared Services. The registration process is completed from individual Hyperion applications
and not from Shared Services.
All registered applications, initially, are listed under the Unassigned Applications node on User
Management Console because the registration process does not automatically assign
applications to a project. Applications must be assigned to a project before users and groups can
Managing Applications
67
be provisioned against the roles belonging to those applications. Applications that have been
assigned to a project are listed under the Project node of User Management Console.
Topics covering application management tasks:
●“Assigning Access Permissions to Applications ” on page 68
●“Moving Applications ” on page 69
●“Copying Provisioning Information Across Applications” on page 69
●“Deleting an Application” on page 69
Assigning Access Permissions to Applications
User Management Console enables application administrators to perform provisioning tasks,
such as assigning access permissions to application-specific objects; for example, reports and
calculation scripts. For example, for Essbase applications, users with the appropriate Oracle's
Essbase® Administration Services permissions can assign filter and calculation script access to
selected users and groups.
Some products require that certain security tasks be performed in the product interface itself,
not through User Management Console. For example, using the Administration Services
interface, you must create filters and calculation scripts. You can then provision these objects
by assigning specific users or groups from User Management Console. Likewise, you must assign
access permission on repository content of Reporting and Analysis from within that product,
not from User Management Console.
You must either be a Shared Services administrator or be provisioned with the appropriate
product role (Planning Manager, for example) to assign access permission from the User
Management Console. See the appropriate product appendix at the end of this guide for
instructions on assigning access permission for specific products.
Before starting this procedure, ensure that the required servers and applications are running.
➤ To assign application-specific access permissions:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 From the Projects node in the Object Palette, expand the project containing the application.
3 Right-click the application and select the appropriate menu item for that application. An application-specific
tab is displayed.
Note:
If the application is not running, an error message is displayed when you select the application.
Restart the product server and refresh the Object Palette by clicking View > Refresh to access
the application.
4 Assign access permissions as needed. Refer to the appropriate product appendix at the end of this guide
for details.
Working with Applications and Projects
68
Moving Applications
You can move assigned applications from one project to another and from unassigned
applications to existing projects. Moving an application removes the association between the
application and the project but does not affect provisioning assignments for the application.
➤ To move an application:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 Right-click the application and select Move To.
3 On the Move To tab, select the destination project for the application.
4 Click Save.
Copying Provisioning Information Across Applications
If you have multiple products of the same type (product and product version), you can copy
provisioning information from one application to another. When you copy provisioning
information, all user, group, and role information is copied to the target application. Productspecific access control settings are not copied.
➤ To copy provisioning information across applications:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 From Projects in the Object Palette, right-click the application from which you want to copy provisioning
information and select Copy Provisioning.
The Copy Provisioning tab opens. This tab lists the target application to which you can copy
provisioning information.
3 Select the destination project.
4 Click Save.
Deleting an Application
Shared Services administrators can delete applications from projects or from available
unassigned applications.
Deleting an application from a project moves it from the project to the Unassigned Applications
node on the Object Palette. You may now assign this application to a different project. When
you delete an application from a project, all provisioning information for that application is
removed.
Deleting an application from the Unassigned Applications node on the Object Palette deregisters
the application and removes all meta data information for that application. Perform this process
only if there is no other way to deregister or delete the application.
Managing Applications
69
➤ To delete an application:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 From existing projects or from unassigned applications, locate the application to delete.
3 Right-click the application and select Delete.
4 Click OK in the confirmation dialog box.
Working with Applications and Projects
70
Delegated User Management
6
In This Chapter
About Delegated User Management.............................................................................................71
Hierarchy of Administrators .......................................................................................................71
Enabling Delegated User Management Mode...................................................................................72
Delegated user management enables creating a hierarchy of administrator users for Hyperion
products focusing on the expertise and access needs of such users. This feature allows the Shared
Services Administrator to delegate the responsibility of managing users and groups to other
administrators who are granted restricted access to manage users and groups for which they are
responsible.
In delegated administration mode, a search for users and groups retrieves only the users and
groups for which an administrator is responsible. Only the admin or users with the Administrator
Shared Services role can view all the users and groups across delegated administrators.
Hierarchy of Administrators
The default Shared Services Administrator account (admin) is the most powerful account in
Hyperion products. Hyperion recommends that you change the password of this account after
you first access Shared Services.
Two tiers of administrators exist in delegated administration mode:
●“Shared Services Administrators” on page 71
●“Delegated Administrators” on page 72
Shared Services Administrators
Hyperion recommends that you create Shared Services Administrator accounts similar to the
default admin account to administer Shared Services and other Hyperion applications.
About Delegated User Management
71
You can create Shared Services Administrator accounts by provisioning users and groups with
the Shared Services Administrator role, which provides unfettered access to all Shared Services
functions.
Delegated Administrators
In contrast to Shared Services Administrators, Delegated Administrators have limited
administrator-level access to Shared Services and Hyperion products. Delegated Administrators
can access only the users and groups for which they are granted Administrator access, dividing
user and group management tasks across multiple administrators.
The permissions of Delegated Administrators on Hyperion products are controlled by the access
rights that a Shared Services Administrator has granted them through provisioning. For example,
assume that a Delegated Administrator is granted the Directory Manager global role in Shared
Services, enabling the user to create new users and groups in Native Directory. Without
additional roles, this Delegated Administrator cannot view a list of users and groups that other
administrators created.
If they have the permission to provision users (granted through the Provisioning Manager role),
Delegated Administrators can create other Delegated Administrators and provision them to
further delegate administrative tasks.
Enabling Delegated User Management Mode
You must enable Delegated User Management mode for Shared Services before you can create
delegated administrators. The default Shared Services deployment does not support delegated
administration.
Additional screens and menu options become available after you switch to Delegated User
Management mode.
➤ To enable Delegated User Management mode:
1 Launch the Oracle's Hyperion® Shared Services User Management Console, as explained in “Launching User
Management Console” on page 33.
2 From Administration, select Configure User Directories.
3 From Defined User Directories, select Enable Delegated User Management Mode.
4 Click OK.
5 Restart Shared Services.
Creating Delegated Administrators
Delegated User Management
72
●“Planning Steps” on page 73
●“Provisioning Delegated Administrators” on page 73
●“Creating Delegated Lists” on page 73
●“Viewing Delegated Reports” on page 77
Planning Steps
User Accounts for Delegated Administrators
Shared Services Administrators create Delegated Administrators from existing user accounts in
the user directories configured on Shared Services. Unlike in the provisioning process, delegated
administration capabilities cannot be assigned to groups. Before starting the process of
delegating Shared Services administration, verify that Delegated Administrators are created as
users in a configured user directory.
Create a Delegation Plan
The delegation plan should identify the levels of Delegated Administrators needed to effectively
administer Hyperion products. The plan should identify:
●Users and groups that each Delegated Administrator should manage. This list can be used
while creating Delegated Lists. See “Creating Delegated Lists” on page 73.
●Shared Services and Hyperion product roles that each Delegated Administrator should be
granted.
Provisioning Delegated Administrators
Shared Services Administrators provision Delegated Administrators to grant them roles based
on the delegation plan.
Delegated Administrators must be granted Shared Services roles depending on the activities they
should perform. See “Shared Services Roles” on page 135 for a list of Shared Services roles.
Delegated Administrators can be granted roles from Hyperion products; for example,
Provisioning Manager from Planning, to allow them to perform administrative tasks in
Hyperion products.
Creating Delegated Lists
Delegated lists identify the users and groups that a Delegated Administrator can manage. Each
list is assigned to one or more Delegated Administrators. Delegated Administrators can:
●View only the users and groups assigned to them through delegated lists. All other users and
groups remain hidden from their view.
●Create delegated lists for other users they manage.
●Search and retrieve only the users and groups that are included in their delegated lists.
Creating Delegated Administrators
73
Note:
Shared Services displays the Delegated List node only if the current user is assigned to manage
delegated lists.
The users and groups that a Delegated Administrator creates are not automatically assigned to
the administrator who created them. A Shared Services Administrator must add these users and
groups to delegated lists before Delegated Administrators can access them. Delegated
Administrators, however, can assign these users and groups to the delegated lists that they create.
➤ To create delegated lists:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 In Native Directory in Object Palette, right-click Delegated List, and select New.
The Create Delegated List screen opens.
3 In Name, enter a unique name for the delegated list.
4 Optional: In Description, type a description of the list.
5 Optional: To add groups to the list, click Next.
a.In Search for Groups, enter the name of the group to assign to the list. Leave this field
empty to retrieve all groups. Use * as the wildcard for pattern searches. If you are a
Delegated Administrator, only groups assigned to you are displayed.
b.In Directory, select the user directory from which groups are to be displayed.
c.Click Go.
d.From Available Groups, select one or more groups.
e.Click Add.
The selected groups are listed in Assigned Groups.
Note:
Shared Services considers Oracle and SQL Server database roles as the equivalents of groups
in user directories. Oracle database roles can be hierarchical. SQL Server database roles
cannot be nested. Because DB2 does not support roles, Shared Services does not display
groups if you select a DB2 database provider.
f.Optional: To unassign a group, from Assigned Groups, select a group and click Remove.
To unassign all groups, click Reset.
6 Optional: To add users to the list, click Next.
a.In Search for Users, type the name of the user to assign to the list. Leave this field blank
to retrieve all users. Use * as the wildcard for pattern searches. If you are a Delegated
Administrator, only users assigned to you are displayed.
Delegated User Management
74
b.In Directory, select the user directory from which users are to be displayed.
c.Click Go.
d.From Available Users, select one or more users.
e.Click Add.
The selected users are listed in Assigned Users.
f.Optional: To unassign a user, from Assigned Users, select a user and click Remove. To
unassign all users, click Reset.
Note:
The Delegated Administrator of the list is automatically added as a user.
7 Optional: To assign Delegated Administrators for this list, click Next.
The Managed By tab opens.
a.In Search for Users, enter the name of the user to assign as the Delegated Administrator
of the list. Leave this field blank to retrieve all users. Use * as the wildcard for pattern
searches. If you are a Delegated Administrator, only users assigned to you are displayed.
b.In Directory, select the user directory from which users are to be displayed.
c.Click Go.
d.From Available Users, select one or more users.
e.Click Add.
The selected users are listed in Assigned Users.
f.Optional: To unassign a user, from Assigned Users list, select the user and click Remove.
To unassign all users, click Reset.
Note:
The user who creates the list is automatically added as a Delegated Administrator of the list.
8 Click Finish.
Modifying Delegated Lists
Delegated Administrators can modify only the lists assigned to them. Users with Shared Services
Administrator role can modify all delegated lists.
➤ To modify delegated lists:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 In the Native Directory node in the Object Palette, select Delegated Lists.
3 Search for the delegated list to modify. See “Searching for Users, Groups, Roles, and Delegated Lists” on
page 34.
Delegated lists that meet the search criterion are listed on the Browse tab.
4 Right-click the delegated list and select Properties.
Creating Delegated Administrators
75
The Delegated List Properties screen opens.
5 Optional: On General, modify the list name and description.
6 Optional: To add groups, click Group Members.
a.In Search for Groups, enter the name of the group to assign to the list. Leave this field
empty to retrieve all groups. Use * as the wildcard for pattern searches. If you are a
Delegated Administrator, only groups assigned to you are displayed.
b.In Directory, select the user directory from which groups are to be displayed.
c.Click Go.
d.From Available Groups, select one or more groups.
e.Click Add.
The selected groups are listed in Assigned Groups.
f.Optional: To unassign a group, from Assigned Groups, select the group and click
Remove. To unassign all groups, click Reset.
7 Optional: To add users to the list, click User Members.
a.In Search for Users, enter the name of the user to assign to the list. Leave this field blank
to retrieve all users. Use * as the wildcard for pattern searches. If you are a Delegated
Administrator, only users assigned to you are displayed.
b.In Directory, select the user directory from which users are to be displayed.
c.Click Go.
d.From Available Users, select one or more users.
e.Click Add.
The selected users are listed in Assigned Users.
f.Optional: To unassign a user, from Assigned Users list, select the user and click Remove.
To unassign all users, click Reset.
Note:
The Delegated Administrator of the list is automatically added as a user.
8 Optional: To modify Delegated Administrator assignment, click Managed By.
The Managed By page opens.
a.In Search for Users, enter the name of the user to assign as the Delegated Administrator
of the list. Leave this field blank to retrieve all users. Use * as the wildcard for pattern
searches. If you are a Delegated Administrator, the users assigned to you are displayed.
b.In Directory, select the user directory from which users are to be displayed.
c.Click Go.
Delegated User Management
76
d.From Available Users, select one or more users.
e.Click Add.
The selected users are listed in Assigned Users.
f.Optional: To unassign a user, from Assigned Users list, select the user and click Remove.
To unassign all users, click Reset.
Note:
The user who creates the list is automatically added as a Delegated Administrator of the list.
9 Click Save.
Deleting Delegated Lists
➤ To delete delegated lists:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 In the Native Directory node in the Object Palette, select Delegated Lists.
3 Search for the delegated list to modify. See “Searching for Users, Groups, Roles, and Delegated Lists” on
page 34.
Delegated lists that meet the search criterion are listed on the Browse tab.
4 Right-click the delegated list and select Delete.
5 Click OK in the confirmation dialog box.
Viewing Delegated Reports
Delegated reports contain information about the users and groups assigned to the selected
delegated lists and the delegated administrators to whom the list is assigned.
Shared Services Administrators can generate and view delegated reports on all delegated lists.
Delegated Administrators can generate reports on the delegated lists they created and the
delegated lists assigned to them.
➤ To view delegated reports:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 In Native Directory in Object Palette, right-click Delegated List, and select View Delegated Reports.
The View Delegated Report screen opens.
3 In Delegated List Name, enter the name of the list for which the report is to be generated. Use * as wildcard
for pattern searches.
4 In Managed By, enter the user ID of the Delegated Administrator whose assignments in the specified list
are to be reported. Use * as wildcard for pattern searches.
5 Click Create Report.
6 Click Cancel to close the report or Print Preview to preview the report.
If you preview the report:
Creating Delegated Administrators
77
a.Click Print to print the report.
b.Click Close to close the View Report window.
Delegated User Management
78
7
In This Chapter
Managing Native Directory
About Native Directory.............................................................................................................79
Shared Services uses Native Directory to store user provisioning data and a relational database
to store product registration data.
After the initial logon to a Hyperion product, the product directly queries Native Directory for
user provisioning information. Hyperion products can function normally only if Native
Directory is running.
User Management Console displays a list of users and groups for each configured user directory,
including Native Directory. These lists are used to provision users and groups against application
roles.
User Management Console is the central administration point for Native Directory, the default
user directory that is installed with Shared Services. Other user directories are administered
through their own administration screens.
The install location of Native Directory is referred to as
<
openLDAP_Home
> throughout this
document.
Native Directory data is stored in
<
stored in
openLDAP_Home
>/bdb/bin.
openLDAP_Home
>/var/openldap-data, and utilities are
<
By default, Native Directory is deployed to port 58089 as a process (UNIX) or a service
(Windows).
Default Users and Groups
Native Directory, by default, contains one user account (admin, with password as the default
password). Using this account, you can perform all Native Directory and Shared Services
administration tasks.
All Shared Services users belong to the WORLD group, the only default Native Directory group.
WORLD is a logical group. All Shared Services users inherit any role assigned to this group. A
user gets the sum of all permissions assigned directly to that user as well as those assigned to the
user's groups (including WORLD group).
If Shared Services is deployed in delegated mode, the WORLD group contains groups as well as
users. If the delegated list of a user contains the WORLD group, then the user can retrieve all
users and groups during search operations.
Starting Native Directory
By default, Native Directory is installed as a Windows service or UNIX process.
Starting Native Directory in Normal Mode
On Windows, you can start Native Directory by starting Hyperion S9 OpenLDAP service from
<
the Services window, or by executing
On UNIX systems, run
<
openLDAP_Home
openLDAP_Home
Starting Native Directory in Debug Mode
➤ To start Native Directory in debug mode:
1 Using a command prompt window, navigate to <
2 Execute the following command:
slapd —d 1.
>/startOpenLDAP script to start the process.
openLDAP_Home
>startService.bat.
>.
Managing Native Directory
80
Stopping Native Directory
On Windows, you can stop Native Directory by stopping Hyperion S9 OpenLDAP service from
<
the Services window, or by executing
openLDAP_Home
>stopService.bat.
On UNIX systems, run
<
openLDAP_Home
process.
Managing Native Directory Users
Shared Services Administrators or Directory Managers can perform the following tasks to
manage Native Directory user accounts:
●“Creating Users” on page 81
●“Modifying User Accounts” on page 82
●“Deactivating User Accounts” on page 83
●“Deleting User Accounts ” on page 84
●“Provisioning Users and Groups” on page 101
●“Deprovisioning Users and Groups” on page 102
●“Generating Provisioning Reports” on page 102
Note:
Users in external user directories cannot be managed from User Management Console.
>/stopOpenLDAP script to stop the Native Directory
Creating Users
➤ To create users:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 In the Native Directory node in the Object Palette, right-click Users, and select New.
3 In the Create User screen, enter the required information.
Table 14 Create User Screen
Label
User NameA unique user identifier as per the naming conventions of your organization (for example, first
First NameFirst name of the user (optional)
Description
name initial followed by last name, as in jyoung)
User names can contain any number or combination of characters.
You cannot create identical user names, including names that are differentiated only by number
of spaces. For example, you cannot create user names
user and 1) and user 1 (with two spaces between user and 1).
user 1 (with one space between
Managing Native Directory Users
81
LabelDescription
Last NameLast name of the user (optional)
DescriptionDescription of the user (optional)
Email AddressEmail address of the user (optional)
PasswordThe password for this user account. Passwords are case-sensitive and can contain any
combination of characters.
Confirm PasswordThe entry in the Password text box
4 Optional: To add the user to one or more groups, click Next.
a.On the Group Membership page, in Search for Groups, type the name of the group to
assign to the user (type * to list all available groups).
b.Click Go.
c.From Available Groups, select one or more groups.
d.Click Add.
The selected groups are listed in Assigned Groups list.
e.Optional: To unassign a group, from Assigned Groups list, select the group and click
Remove. To unassign all groups, click Reset.
5 Click Finish.
6 Click Create Another to create another user or OK to close the Create User screen.
Modifying User Accounts
For the default admin account, you can only modify e-mail address, password, and group
membership. For all other user accounts, you can modify any property.
➤ To modify user accounts:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 In the Native Directory node in the Object Palette, select Users.
3 Search for user account. See “Searching for Users, Groups, Roles, and Delegated Lists” on page 34.
A list of users that meet the search criterion is displayed on the Browse tab.
4 Right-click the user account and select Properties.
The User Properties screen opens.
Note:
Managing Native Directory
82
The User Properties screen displays the Managed By tab if Shared Services is deployed in
Delegated Administration mode.
5 On the General tab, modify one or more user properties.
See Table 14 for descriptions of the properties that you can modify.
6 Optional: Modify the user's associations with Native Directory groups.
a.In Search for Groups box on the Member Of tab, type the name of the group to assign to
this user (type * to list all available groups), and click Go.
b.From Available Groups, select one or more groups to assign to the user, and click Add.
The selected groups are listed in Assigned Groups.
To remove an assigned group, from Assigned Groups, select the group to remove, and
click Remove.
7 To view the delegated administrators assigned to the user, open the Managed By tab, which is available only
if Shared Services is deployed in Delegated Administration mode.
8 Click Save.
Deactivating User Accounts
You can deactivate user accounts that should not have access to Hyperion applications. Account
deactivations are, typically, temporary suspensions where the Native Directory administrator
hopes to reactivate the accounts in the future.
●Inactive user accounts cannot be used to log on to Hyperion applications, including User
Management Console.
●Group associations of inactive accounts are maintained and remain visible to Native
Directory administrators.
●Role associations of inactive accounts are maintained.
●Inactive user accounts are not displayed on the product-specific access-control screens of
items for which access is disabled.
●Inactive user accounts are not deleted from Native Directory.
Note:
The admin account cannot be deactivated.
➤ To deactivate user accounts:
1 Launch the User Management Console, as explained in “Launching User Management Console” on page
33.
2 In the Native Directory node in the Object Palette, right-click Users, and select Show Active to list all user
accounts you can deactivate.
To search for a specific user account to deactivate, see “Searching for Users, Groups, Roles, and
Delegated Lists” on page 34.
3 Right-click the user account, and select Deactivate.
Managing Native Directory Users
83
Activating Inactive User Accounts
Activating inactive user accounts reinstates all associations that existed before the accounts were
deactivated. If a group of which the inactive user account was a member was deleted, the roles
granted through the deleted group are not reinstated.
➤ To activate deactivated user accounts:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 In the Native Directory node of the Object Palette, right-click Users, and select Show Inactive to list all
inactive user accounts you can activate.
To search for a specific user account to activate see “Searching for Users, Groups, Roles, and
Delegated Lists” on page 34.
3 Right-click the user account, and select Activate.
Deleting User Accounts
Deleting a user account removes the user’s associations with Native Directory groups, the role
assignments of the user, and the user account from Native Directory.
Note:
The admin account cannot be deleted.
➤ To delete user accounts:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 From the Native Directory node of the Object Palette, click Users.
3 Search for a user account. See “Searching for Users, Groups, Roles, and Delegated Lists” on page 34.
A list of users that meet the search criterion is displayed on the Browse tab.
4 Right-click the user account, and select Delete.
Managing Native Directory Groups
Native Directory users can be grouped based on common characteristics. For example, users
can be categorized into groups such as staff, managers, and sales based on function, and
Sales_West and Managers_HQ, based on location. A user can belong to one or more groups.
Native Directory groups can contain other groups and users from user directories configured
on Shared Services.
Managing Native Directory
84
Group affiliations of a user are important considerations in the authorization process. Typically,
groups, rather than individual user accounts, are used to facilitate the provisioning process.
Tasks performed by Shared Services administrators or directory managers:
●“Creating Groups” on page 85
●“Modifying Groups” on page 86
●“Deleting Groups” on page 88
●“Provisioning Users and Groups” on page 101
●“Deprovisioning Users and Groups” on page 102
●“Generating Provisioning Reports” on page 102
Note:
Groups on external user directories cannot be managed from User Management Console.
Creating Groups
Native Directory groups can contain users and groups from any user directories configured on
Shared Services, including Native Directory. Groups that contain other groups are known as
nested groups.
Each component group of a nested group used in provisioning inherits all roles assigned to the
nested group. Similarly, users assigned to a group inherit the roles assigned to the group.
When a group from an external user directory is added to a Native Directory group, Shared
Services creates a reference in the database to establish the relationship.
➤ To create Native Directory groups:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 In the Object Palette, right-click Groups, and select New.
3 For Name in the Create Group screen, enter a unique group name.
Group names are not case-sensitive.
4 Optional: Enter a group description.
5 Perform an action:
●To create the group without adding groups or users, click Finish, and go to step 10.
●To create a nested group or assign users to the group, click Next.
The Group Members tab is displayed.
6 Create a nested group. To skip this step, click Next.
a.In Search for Groups, enter the criterion for retrieving groups. Use * (asterisk) as the
wildcard to retrieve all available groups.
b.In Directory, select the user directory from which to retrieve groups.
All configured user directories are listed in the Directory list.
c.Click Go.
Groups that match the search criterion are listed under Available Groups.
Managing Native Directory Groups
85
d.From Available Groups, select the groups to nest within the new group.
e.Click Add.
The selected groups are listed under Assigned Groups list.
To remove an assigned g rou p, from Assigned Gro ups , select the group to remove and click
Remove. To remove all assigned groups, click Reset.
f.Optional: To retrieve and assign groups from other user directories, repeat Steps a-e.
7 To create the group without adding users, click Finish. To add uses to the group, click Next.
The User Members tab is displayed.
8 To assign users to the group:
a.In Search for Users, enter the search criterion. Use * (asterisk) as the wildcard to retrieve
all users.
b.In Directory, select the user directory from which to retrieve users.
All configured user directories are listed under Directory.
c.Click Go.
User accounts matching the search criterion are listed under Available Users.
d.From Available Users, select one or more users to add to the group.
e.Click Add.
The selected user accounts are listed under Assigned Users. To remove a selected user,
from Assigned Users, select the user to remove and click Remove. To remove all selected
users, click Reset.
f.Optional: To retrieve and assign users from other user directories, repeat Steps a-e .
9 Click Finish.
10 From the confirmation screen, select Create Another (to create another group) or select OK (to return to
the Browse tab).
Modifying Groups
You can modify the properties of all Native Directory groups except WORLD (the container for
all users and groups within Native Directory). If you remove a subgroup from a nested group,
the role inheritance of the subgroup is updated. Similarly, if you remove a user from a group,
the role inheritance of the user is updated.
Note:
You cannot modify the settings of the WORLD group.
Managing Native Directory
86
➤ To modify groups:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 In the Native Directory node of the Object Palette, select Groups.
3 Search for a group. See “Searching for Users, Groups, Roles, and Delegated Lists” on page 34.
A list of groups that meet the search criterion is displayed on the Browse tab.
4 Right-click a group, and select Properties.
The Group Properties screen is displayed.
Note:
The Group Properties screen displays the Managed By tab if Shared Services is deployed in
Delegated Administration mode.
5 If you want to modify general properties of the group, on the General tab, edit the name and description.
6 If you want to modify group assignments, open the Group Members tab and perform one or both actions:
a.To add groups to the group:
●In Search for Groups, enter the search criterion. Use * (asterisk) as the wildcard to
retrieve all groups.
●In Directory, select the user directory from which to retrieve groups.
●Click Go.
●From Available Groups, select one or more groups, and click Add.
Selected groups are listed in the Assigned Groups list. To remove a selected group,
from Assigned Groups, choose the group and click Remove. To undo all your actions
in this tab, click Reset.
●Optional: To retrieve and assign groups from other user directories, repeat this
procedure.
b.To remove groups from the group:
●From Assigned Groups, select one or more groups.
●Click Remove.
Removed groups are listed in the Available Groups list.
7 If you want to modify user assignments, open the User Members tab and perform one or both actions:
a.To add users to group:
●In Search for Users, enter the search criterion. Use * (asterisk) as the wildcard to
retrieve all available user accounts.
●In Directory, select the user directory from which to retrieve user accounts.
All configured user directories are listed in the Directory list.
●Click Go.
●From Available Users, select one or more users to assign to the group.
●Click Add.
The selected users are listed in Assigned Users list.
Managing Native Directory Groups
87
To remove an assigned user, from Assigned Users, select the user and click Remove.
To undo all your actions in this tab, click Reset.
●Optional: To retrieve and assign users from other user directories, repeat this
procedure.
b.To remove users from the group:
●From Assigned Users, select one or more users.
●Click Remove.
8 To view the delegated administrators assigned to the group, open the Managed By tab, which is available
only if Shared Services is deployed in Delegated Administration mode.
9 Click Save.
Deleting Groups
Deleting a group removes the group’s associations with users and roles and removes the group’s
information from Native Directory but does not delete the users or subgroups assigned to the
deleted group.
➤ To delete groups:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 From the Object Palette, select Groups.
3 Search for the group to delete. See “Searching for Users, Groups, Roles, and Delegated Lists” on page 34.
A list of groups that meets the search criterion is displayed on the Browse tab.
4 Right-click the group, and select Delete.
Managing Roles
Roles define the operations that users can perform in specific applications.
Application roles from all registered Hyperion applications can be viewed but not updated or
deleted from User Management Console. Tasks performed by Shared Services Administrators:
●“Creating Aggregated Roles” on page 89
●“Modifying Aggregated Roles” on page 90
●“Deleting Aggregated Roles” on page 90
●“Generating Provisioning Reports” on page 102
Managing Native Directory
88
Note:
You can provision newly created users and groups from LDAP-enabled user directories,
including MSAD. However, the roles provisioned to the new users and groups are available to
the users (become effective) only after Shared Services refreshes its cache. By default, the cache
refresh interval is set to 60 minutes, which can be modified. See “Overriding Cache Refresh
Interval for MSAD and other LDAP-Enabled User Directories” on page 58.
Creating Aggregated Roles
To facilitate administration and provisioning, Shared Services Administrators can create
aggregated roles that associate multiple product-specific roles with a custom Shared Services
role. Users with Shared Services Provisioning Manager role can create aggregated roles for the
product for which they are Provisioning Managers. Shared Services Administrators can create
aggregated roles for all Hyperion products.
For information on aggregated roles, see “Aggregated Roles” on page 17.
Note:
You can create roles only after at least one Hyperion application has been registered with Shared
Services.
➤ To create aggregated roles:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 From the Object Palette, right-click Roles, and select New.
The Create Role screen is displayed.
3 For Name, enter a role name. Role names that contain special characters are not supported. Role names
should not start or end with a \ (backslash). See “Using Special Characters” on page 61 for more information.
4 Optional: For Description, enter a role description.
5 From Product Name, select the product for which to create the role.
This list includes all Hyperion applications registered with Shared Services.
6 Click Next.
7 On the Role Members tab, find the roles to add.
●To retrieve all roles from the selected application, click Go.
●To search for a role, enter the role name in Search for Roles and click Go. Use * (asterisk)
as the wildcard in pattern searches.
8 From Available Roles, select the application roles to assign.
9 Click Add.
The selected roles are listed in Assigned Roles list.
To remove a selected role, from Assigned Roles, select the role and click Remove. To undo all
your actions in this tab, click Reset.
10 Click Finish.
Managing Roles
89
Modifying Aggregated Roles
You can modify only aggregated roles; default application-specific roles cannot be modified
from Shared Services. You may change all role properties except the product name.
➤ To modify aggregated roles:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 In the Object Palette, select Roles.
3 Retrieve an aggregated role. See “Searching for Users, Groups, Roles, and Delegated Lists” on page 34.
4 Right-click the role, and select Properties.
The Role Properties screen is displayed.
5 If you want to modify general properties of the role, on the General tab, edit the name and description.
6 If you want to modify role member assignments, open the Role Members tab, and perform one or both
actions:
a.To add role members:
●Retrieve the roles to add.
❍To retrieve all roles, click Go.
❍To retrieve a specific role, enter the role name in Search for Roles and click Go.
Use * (asterisk) as the wildcard in pattern searches.
●From Available Roles, select one or more roles.
●Click Add. The selected roles are listed under Assigned Roles.
To remove a selected role, from Assigned Roles, select one or more roles and click
Remove. To undo your actions in this tab, click Reset.
b.To remove role assignments:
●From Assigned Roles, select one or more roles to remove.
●Click Remove.
7 Click Save.
Deleting Aggregated Roles
You can delete aggregated roles that are created from Shared Services. You cannot delete
application-specific roles.
➤ To delete aggregated roles:
Managing Native Directory
90
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 In the Object Palette, select Roles.
3 Retrieve an aggregated role.
See “Searching for Users, Groups, Roles, and Delegated Lists” on page 34.
A list of roles that meet the search criterion is displayed on the Browse tab.
4 Right-click a role, and select Delete.
5 In the confirmation dialog box, click OK.
Changing Native Directory root User Password
Shared Services Administrators can change the password of the Native Directory root user
account, which provides complete control over Native Directory. The default
hard-coded in a file and is not visible to users.
root, the most powerful Native Directory user account, provides complete control over Native
Directory. The password of the
provide an interface to change this password. To improve security, Shared Services provides a
screen to change the
encrypted version of the password in
restart Native Directory and Shared Services.
Note:
Only a user provisioned with Shared Services Administrator role can change the root password.
root password. If you update the password, Shared Services stores an
root user account is stored in a file. Native Directory does not
CSS.xml. The updated password takes effect after you
root password is
➤ To update Native Directory root password:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 From Administration, select Change Native Directory Password.
3 In Current Password, enter the existing root account password. This field is automatically populated if
the default password has not been changed previously.
4 In New Password and Confirm Password, enter the new password for root account.
5 Click Finish.
6 Restart Native Directory by restarting the Hyperion S9 OpenLDAP Windows service or UNIX process.
7 Restart Shared Services.
Backing Up the Native Directory Database
The Native Directory database must be backed up periodically to recover from loss of
provisioning data due to media failures, user errors, and unforeseen circumstances. Hyperion
recommends that you regularly back up this database.
Best Practices
Hyperion recommends monthly cold backups of the Native Directory database and Shared
Services repository. Perform hot backups daily to supplement the cold backups.
Changing Native Directory root User Password
91
●Schedule hot backups when database usage is at its lowest.
●Back up the Shared Services repository and Native Directory database at the same time so
that backup is in sync.
●Store backup for disaster recovery.
●Test backup and recovery procedures to ensure that the process works.
Hot Backup
Regular incremental backups of the Native Directory database can be performed without
shutting down Native Directory. Known as hot backups, they do not interfere with the
availability of Shared Services.
backup.bat (Windows) or backup.sh (UNIX) to schedule daily hot backups. This
Use
<
Hyperion-supplied backup file is stored in
<hss_version>
\server\scripts
scripts
(UNIX).
/server/scripts; for example C:\Hyperion\SharedServices\9.3.1
(Windows) or /vol1/Hyperion/SharedServices/9.3.1/server/
Hyperion_Home
See Hyperion Shared Services Installation Guide for information on the files and directories that
are backed up.
>/SharedServices/
Note:
This procedure backs up Shared Services configuration files and Native Directory.
➤ To run a hot backup:
1 Using a command prompt window, navigate to <
<hss_version>
/server/scripts.
Hyperion_Home
>/SharedServices/
2 Execute the following command.
●Windows: backup.bat <
●UNIX: backup.sh <
where
backup_directory
backup_directory
backup_directory
>
>
indicates the path of the directory where the backup is to be
stored.
3 Monitor the backup process to ensure that it runs successfully.
Cold Backup
Cold backups are performed after shutting down Native Directory.
Managing Native Directory
92
Note:
Data in the Native Directory database is synchronized with the data available in the Shared
Services repository. Hyperion recommends that you back up the Shared Services repository
along with the Native Directory database.
➤ To back up Native Directory database:
1 Stop Native Directory service or process.
2 Copy <openLDAP_Home> into a secure location.
Synchronizing Native Directory Database with the Shared
Services Repository
The database configured with Shared Services stores information related to product registration.
The Native Directory database contains provisioning data for all products. These databases work
in tandem to support Hyperion products.
Data inconsistencies between the databases impact normal operations. Inconsistencies could
occur during manual database update or database upgrades or in replicated Native Directory
environments in which the Native Directory slave has taken over for a failed Native Directory
master. (See “Setting Up Native Directory for High Availability and Failover” on page 94 for
detailed information on Native Directory replication.)
To remove inconsistencies, the Native Directory database must be synchronized with the Shared
Services database. The synchronization process uses the Shared Services database as the master
database to resolve data inconsistencies.
Messages (errors as well as information) related to the operation are recorded in the
SharedServices_syncOpenLDAP.log file. See Chapter 10, “Troubleshooting.”
➤ To synchronize the Native Directory database with the Shared Services repository:
1 Launch User Management Console, as explained in “Launching User Management Console” on page 33.
2 Select Administration > Sync Native Directory.
The Sync Native Directory tab displays the status of the synchronization operation.
3 Optional: Click Refresh to update the status.
4 Optional: Click View Log to display a log file that details the operations that were performed during the
synchronization process.
Recovering Native Directory Data
To enable SSO and provisioning, Native Directory must be running. If Native Directory service
(Windows) or process (UNIX) fails, causing Native Directory to crash, you must recover the
provisioning data before users can access Hyperion products, including Shared Services.
Synchronizing Native Directory Database with the Shared Services Repository
93
➤ To recover provisioning data after a Native Directory crash:
1 Verify that the Native Directory service (Windows) or process (UNIX) is not running.
2 Open a command prompt (Windows) or console (UNIX) window.
3 Navigate to
\<HSS_version>
<HSS_version>/openLDAP/bdb/bin
<openLDAP_Home>\bdb\bin
\openLDAP\bdb\bin (Windows) or <Hyperion_Home>/SharedServices/
. For example,
(UNIX)
<Hyperion_Home>\SharedServices
4 Run the db_recover utility, using the following command:
db_recover –h <
Path_Native_Directory_data_file
>
For example, db_recover –h ../../var/openldap-data
Where openldap-data indicates the name of Native Directory data file.
5 Monitor the utility to ensure that it runs successfully.
6 Restart the Hyperion S9 OpenLDAP service or process.
7 On the application server, restart Shared Services.
Setting Up Native Directory for High Availability and Failover
Native Directory high availability and failover can be achieved through various scenarios.
●“Out of the Box Deployment” on page 94
●“Cold Standby Deployment” on page 96
●“Hot Standby Deployment” on page 98
Out of the Box Deployment
The out of the box failover scenario involves establishing a master-slave relationship between
two fully synchronized installations of Native Directory running on separate machines.
➤ To set up a replicated Native Directory environment:
1 Install and configure Shared Services on two server machines (for example, machine1 and machine2).
Managing Native Directory
94
See the Hyperion Shared Services Installation Guide for instructions.
2 On the server machines, stop the Hyperion S9 OpenLDAP service or process.
3 On the master server (for example, machine1), create a directory (for example, C:\OpenLDAP\logs
in Windows or /apps/OpenLDAP/logs in UNIX) to store the replication log files.
4 On the master server, update the <
●replica directive.
replica uri=ldap://<
binddn= “cn=Replicator,dc=css,dc=hyperion,dc=com”
bindmethod=simple credentials=security
Where
machine2). You can use the IP address of the slave host instead of the DNS name. You must
<slave_host_name>
specify one replica directive for each slave.
Caution!
The second and third lines of the replica directive must be preceded by at least one white
space, to denote that the line is a continuation of the previous line.
binddn entry (in the master slapd.conf file) must be the same.
b.Add the following updateref entry that provides the URI to the Native Directory master.
updateref “ldap://
<master_host_name>
”
For example, updateref “ldap://machine1”.
You can use IP address instead of the DNS name; for example,
192.168.167.166”
updateref “ldap://
c.Update the rootdn value to be identical to the updatedn (replicator) value:
rootdn “cn=Replicator,dc=css,dc=hyperion,dc-com”
6 Copy Native Directory data from the master server to the slave server .
The default location of Native Directory data is <
7 On the master server, update the CSS.xml file, which is located in the
openLDAP_Home
<HSS_home>
>/var/OpenLdap-data.
\config.
Setting Up Native Directory for High Availability and Failover
95
You should include the following slave definition immediately after the <native
name=”Native Directory”>
<slaves>
<slave>
declaration:
<url>ldap://
<type>failover</type>
</slave>
</slaves>
Where
<slave_host_name>
<slave_host_name>
is the name of the slave server machine and 58089 is the Native
:58089</url>
Directory port.
8 On the master server and then on the slave server, start the Hyperion S9 OpenLDAP service or process.
9 On the master server, start the slurpd replication service or process by performing an action:
●On Windows, execute the following command from a command prompt window.
must always be running to synchronize data between the master and slave servers.
Cold Standby Deployment
In cold standby deployment (see following illustration), the primary environment consists of
Shared Services (1) including Native Directory (2) and one or more Hyperion products (3). The
standby environment consists of an inactive Native Directory (5) instance. The instances in
primary and standby environments connect to a Native Directory database (6) hosted on the
same physical hard drive that is dual attached to the primary and standby environments.
This deployment uses a hardware load balancer (4) to perform these tasks:
●Detect the failure of the Native Directory instance in the primary environment
●Start the Native Directory service (Windows) or process (UNIX) in the standby environment
●Route all requests to the standby Native Directory instance
Note:
Native Directory in the standby environment handles all calls until the primary environment is
brought back online and the load balancer is configured to route calls to the primary
environment.
➤ To deploy Native Directory for failover in cold standby mode:
1 Install Shared Services in the primary and standby environments. Refer to the Hyperion Shared Services
Installation Guide for instructions.
2 Configure and deploy Shared Services in the primary environment.
You need not configure or deploy Shared Services in the standby environment.
3 Verify that Hyperion S9 OpenLDAP service or process is running in the primary and secondary
environments.
4 Stop the Hyperion S9 OpenLDAP service or process in the secondary environment.
5 Move Native Directory data to the shared drive or volume. This drive or volume must be visible to the computers
hosting Native Directory instances in primary and secondary environments.
a.Create the var/openldap-data directory structure to store Native Directory data.
<
b.Move the contents of
environment to the
openLDAP_Home
var/openldap-data directory on the shared drive or volume.
>/var/openldap-data from the primary
6 Modify slapd.conf in both primary and secondary environments.
a.Using a text editor, open <
b.Modify the
directory parameter so that it points to the directory where Native Directory
openLDAP_Home
>/slapd.conf.
data is stored on the shared drive.
c.Save and close the files.
7 Configure the load balancer and monitoring application.
Setting Up Native Directory for High Availability and Failover
97
The load balancer must host a monitoring application capable of checking if Native Directory
is running in the primary environment. This can be achieved by using the LDAP ping mechanism
or by using corporate process monitoring tools (for example, Tivoli and UniCenter).
a.Configure the monitoring application to perform these tasks:
●Use the following directive (embedded in a batch or shell file) to look for an active
Native Directory instance in the primary environment.
●Using the following command, start Native Directory in the standby environment if
ldapurl
cn=*. For example, ldapsearch –H ldap://
Native Directory is not active in the primary environment. You must create custom
scripts to start Native Directory.
net start “Hyperion S9 OpenLDAP” (Windows).
b.Configure the load balancer to reroute all requests to the standby environment upon
detecting a failure in the primary environment. You can use DNS name or IP address
redirection for this purpose. See documentation from the load balancer vendor for
information on how to complete this step.
8 Start Hyperion S9 OpenLDAP service or process on primary and standby environments.
9 Test your deployment.
A simple test would be to stop the Hyperion S9 OpenLDAP service or process in the primary
environment. The monitoring application on the load balancer should restart the process or
service in the standby environment.
Hot Standby Deployment
In hot standby deployment (see following illustration), the primary environment consists of
Shared Services (1) including Native Directory (2), and one or more Hyperion products (3).
The standby environment consists of an active Native Directory (5) instance. Each Native
Directory instance connects to its own database (6). A sync agent (7) backs up Native Directory
in the primary environment and updates it in the standby environment to synchronize the
databases at scheduled intervals.
The sync agent is not a part of Hyperion software distribution. The sync agent is similar to a
corporate scheduling agent or workflow tool that enables executing and monitoring jobs.
Customers must use their own sync agent to initiate backup and restore processes.
Hot Standby Deployment uses a hardware load balancer (4) to perform these tasks:
●Detect the failure of the Native Directory instance in the primary environment
●Route all requests to the standby Native Directory instance upon detecting a failed instance
in the primary environment.
Managing Native Directory
98
Note:
Native Directory in the standby environment handles all calls until the primary environment is
brought back online and the load balancer is configured to route calls to the primary
environment.
➤ To deploy Native Directory for failover in hot standby mode:
1 Install Shared Services in the primary and standby environments.
Refer to the Hyperion Shared Services Installation Guide for instructions.
2 Configure and deploy Shared Services in the primary environment.
You need not configure or deploy Shared Services in the standby environment.
3 Verify that Hyperion S9 OpenLDAP service or process is running in the primary and secondary
environments.
4 Configure the process monitoring application with the following directive to check if Native Directory service
(Windows) or process (UNIX) is running in the primary environment:
ldapsearch –H
58089/dc=css,dc=example,dc=com cn=*
ldapurl
cn=*. For example, ldapsearch –H ldap://myserver:
5 Configure the load balancer to reroute all requests to the standby environment on detecting a failure in the
primary environment.
You can use DNS name or IP address redirection for this purpose. See documentation from the
load balancer vendor for information on how to complete this step.
6 Configure the sync agent (scheduler) to back up Native Directory data from the primary environment and to
update the standby environment.
7 Test the configuration.
Migrating Native Directory
The Native Directory database stores security-related data. You must migrate Native Directory
data as a part of migrating Shared Services. See Hyperion Shared Services Installation Guide for
Migrating Native Directory
99
details. Migration is the process of copying an application instance from one operating
environment to another; for example, from development to testing or from testing to
production.
You use the Import/Export utility to migrate Native Directory.
➤ To migrate Native Directory:
1 On the computer that hosts the source Shared Services server, perform the following actions:
a.Install the Import/Export utility. See “Installing the Import/Export Utility” on page 106.
b.Create the
importexport.properties file. “Preparing the Property File” on page
107.
c.Execute the Import/Export utility to export Native Directory data into an export file. See
“Running the Utility” on page 113.
d.Verify that the export file has been created.
2 On the computer that hosts the target Shared Services server, perform the following actions:
a.Stop Hyperion Shared Services OpenLDAP service or process.
b.Back up
\opneLDAP
openLDAP_Home
(Windows) or /app/Hyperion/SharedServices/9.3.1/openLDAP
>, for example, C:\Hyperion\SharedServices\9.3.1
<
(UNIX).
c.Back up the Shared Services repository.
d.Copy the export file from the computer that hosts the source Shared Services server.
e.Install the Import/Export utility. See “Installing the Import/Export Utility” on page 106.
f.Create the
importexport.properties file or copy it from the computer that hosts the
source Shared Services server. Ensure that the export file name matches the value of
import.file property. See “Preparing the Property File” on page 107.
g.Validate the export file. If any errors are indicated, fix them and validate the export file
again until it is error free.
Managing Native Directory
100
h.Execute the Import/Export utility to import Native Directory data from the export file.
See “Running the Utility” on page 113.
Loading...
+ hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.