L06 Configuring Shared Services

LESSON 6

Configuring Shared Services

Objectives

At the end of this lesson, you should be able to:

• Configure Shared Services

• Configure the EPM Oracle Instance

• Configure the Shared Services and registry database connection

• Configure EPM System Common Settings

• Deploy EPM System products to a WebLogic domain

• Register with Oracle Configuration Manager

• Set up the Shared Services Admin user password

• Configure the Foundation Services web server

• Configure user directories for single sign-on

• Provision users and groups

• Generate provisioning reports

• Create application groups


Lesson 5 Configuring Shared Services

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Running EPM System Configurator for Shared Services

[Slide figure: Database Server components]

When you run EPM System Configurator for Shared Services, you perform the following tasks:

• Configure the EPM Oracle Instance

• Configure the Shared Services and Registry database connection

• Configure EPM System common settings

• Configure Logical Address for Web Applications

• Deploy to the Application Server

• Configure Oracle Configuration Manager

• Setup connection to Oracle BI and Publisher

• Set the Shared Services admin user password

5-2 Financial Management 11.1.2: Installation and Configuration


• Configure the Web server

• Import data from earlier releases

The succeeding topics discuss the configuration steps based on the order they are displayed in EPM System Configurator. The following sections describe optional configuration steps.

Configure Logical Addresses for Web Applications

You use this option after first-time deployment if you need to change the logical address for a deployed Web application. This task lets you change the logical address without redeploying the Web application.

Setup Connection to Oracle BI and Publisher

You run this task to specify the configuration information for EPM Workspace to work with Oracle BI EE and BI Publisher.

You must reconfigure the Web server after you perform this task. If the Web server is on this machine, select Configure Web Server at the same time you select Set up Connection to Oracle BI and Publisher.

Import Data From Earlier Releases

This option is available only if you are upgrading from an earlier release. This task extracts the contents of a migrated data ZIP file and imports the data to Shared Services.

If you are upgrading from an earlier release, specify the location from which to import Shared Services data. You must specify the full path to hssmigratedata.zip, which is created with the Shared Services Upgrade Utility.

NOTE: To use data from the earlier release of Shared Services, you export the data using a utility, and then copy the resulting file to the machine hosting the new installation. During configuration, EPM System Configurator extracts the necessary data for use in the current release. Exporting Shared Services data from earlier releases is discussed in the Upgrading EPM System Products lesson.


Configuring the EPM Oracle Instance

The EPM Oracle instance is defined when EPM System products are configured.

Typically, if you are installing all products on a single machine, for the first product you configure, you create a new instance. For each product after that, you modify the existing instance. If you are installing in a distributed environment, you create a new instance on each machine.

In this class, you create a new EPM Oracle Instance and accept the default location: MIDDLEWARE_HOME/user_projects/epmsystem1.

TIP: In a UNIX environment, you can deploy to a shared drive by installing to a shared drive and then configuring each machine to deploy to a different instance.


The following fields configure the instance:

• Modify an existing EPM Oracle instance / Create a new EPM Oracle instance: Select to modify an existing EPM Oracle instance or to create a new instance.

• Home directory for EPM Oracle instances: Specify the directory in which to create the instance. The default EPM Oracle instance location is MIDDLEWARE_HOME/user_projects.

• EPM Oracle Instance Name: Specify a name for the instance. The default instance name is epmsystem1.


Setting Up the Shared Services and Registry Database Connection

The first time you configure EPM System products, you configure a database for use by Foundation Services, which includes Shared Services Registry.

When you configure the Shared Services and Registry database, EPM System Configurator ensures that the database is connected and is a supported database type. If a database is detected, you may be prompted to choose whether to use the detected database or to create a database.

If you are configuring an Oracle database, EPM System Configurator checks that the database was created with the correct character set. If not, you are prompted to correct it.

Guidelines when upgrading Shared Services databases:

• If you are upgrading from an earlier release, select Perform first-time configuration of Shared Services database and enter database connection information for a new database.


• If you are upgrading from Release 11.1.1.3, and you configured all EPM System products to use one database, you are alerted that pre-existing Shared Services tables have been detected in the database. When prompted to drop and recreate the tables, select Yes.

• If you are applying the maintenance release to move from Release 11.1.2.0 to Release 11.1.2.1, select Connect to a previously configured Shared Services database.

Shared Services Registry Overview

The Shared Services Registry is part of the database that you configure for Foundation Services. It is created the first time you configure EPM System products, and it simplifies configuration by storing and reusing the following information for most EPM System products that you install.

• Initial configuration values such as installation directories, database settings, and deployment settings

• Host computer names, ports, servers, and URLs that you use to implement multiple, integrated, EPM System products and components

Configuration changes you make for one product are automatically applied to other products used in the deployment.

NOTE: In previous releases, Shared Services Registry was sometimes referred to as EPM System Registry.

When you upgrade from a previous release of EPM System products, EPM System Configurator updates the Shared Services Registry for products that you upgrade.

You can view and manage the contents of the Shared Services Registry using Lifecycle Management in the Shared Services Console.


To view Shared Services Registry Data in Shared Services Console:

NOTE: For steps on accessing Shared Services Console, see Launching Shared Services Console in this lesson.

1. In Shared Services Console, expand the Foundation application group in the View pane.

2. Perform one of the following actions:

• Click Deployment Metadata.

• Right-click Deployment Metadata and select Explore.

3. Select Shared Services Registry.

For more information, see Oracle Hyperion Enterprise Performance Management System Lifecycle Management Guide.

You can edit the Shared Services Registry using a command line utility. Use this utility only if you are unable to make the required changes to the Shared Services Registry using EPM System Configurator. For more information, see “Updating the Shared Services Registry” in Oracle Hyperion Enterprise Performance Management System Installation and Configuration Guide.


Specifying Database Connection Information

The following fields must be completed to configure the Shared Services and Registry database:

• Connect to a previously configured Shared Services database / Perform first-time configuration of Shared Services database: When you first configure the Shared Services and Registry database, choose Perform first-time configuration of Shared Services database. This database includes the Shared Services Registry, which is used to store common information for all products. When you configure in a distributed environment, you must configure the Shared Services database on every machine. On the first machine, you are setting up the Shared Services Registry. For configurations on subsequent machines, choose Connect to a previously configured Shared Services database. In this case, you are letting the machine know the location of the Shared Services Registry.

• Database Type: Select the database type.

• Server: Specify the name of the database server where the Shared Services database should be created. For Oracle RAC, specify the VIP name or one of the node names as the server name.

• Port: Select the default or specify a custom Shared Services server port number on which the database listens.

• Service Name or SID: Specify the name of the Shared Services database. If you are using an Oracle RAC database, specify the RAC service name.

• User Name: Enter the name of the database user.

• Password: Enter the password of the database user.

• Optional: Advanced Options: Click or select to specify additional information. You can use this option to configure Oracle RAC.


Configuring EPM System Common Settings

Select to create Windows services for configured components, use SSL for Web application server communications (requires manual configuration), and set up mail servers. EPM System Configurator displays the Common Settings page once on each machine that you configure.

If you configure on another machine and change any of these options, your new selections apply for all products and machines that you have not configured. If you reconfigure on a machine, the new settings apply to any products that you reconfigure and to future configurations.


The following fields are available for common settings configuration:

• Create Windows Services for configured components (Windows only): Select to configure each service as a Windows service that starts automatically when you start Windows.

• Run Windows Services as non-local system account: Select to specify a non-local system account to configure Windows services, and then specify a user name and password. Note: Oracle recommends that you select this option. If you do not select this option, EPM System Configurator creates Windows services using the local system account. Before you start the services, change them to use the appropriate domain account.

• User Name: Enter the user name for the user to launch the Windows services. If you leave this field blank, EPM System Configurator creates the services using the local system account.

• Password: Enter the password for the user used to launch Windows services.

• Use SSL for Web application server communications (requires manual configuration): Depending on your SSL implementation, select to use SSL communication for all Web applications. If this option is selected, URLs are in the form https. Note: Selecting this option does not enable secure communication for the Web application server and does not create and load certificates into JREs and JDKs. See Oracle Hyperion Enterprise Performance Management System Security Administration Guide for more information.

• Mail Server Host: For products that integrate an email feature, which uses the standard Simple Mail Transfer Protocol (SMTP), specify the outgoing mail (SMTP) server. To enable email alerts, you must specify the SMTP server name.

• Port: Specify the mail server port number or accept the default value. If you are using SSL to communicate with the mail server, enter an SSL port.

• Administrator's Email Address: Specify the administrator's email address to use for notifications.


• Use SSL to communicate with mail server: Select to use SSL communication for all email communication.

• Use authentication to send email: Specify whether the mail server requires authentication, and then specify a user name and password.

• User Name: Specify the user name for the SMTP server.

• Password: Specify the password for the SMTP server.


Deploying Shared Services to the Application Server

To configure the application server, you do the following:

1. Specify WebLogic domain information.

2. Enter application server details.

EPM System Configurator deploys each application to the WebLogic Server domain you specified. For a new domain, the domain is created when the first application is deployed. Each application runs in a separate JVM, except for Shared Services and EPM Workspace, which run together and are deployed to the same managed server.


The following fields define the WebLogic Server domain:

• Deploy Web applications to an existing domain / Deploy Web applications to a new domain: Specify whether to deploy Web applications to an existing domain or to a new domain. If you create a new domain, the WebLogic Administration Server for this domain is created on this machine.

• Domain Name: To define a new domain, enter a domain name. The default domain name is EPMSystem. To deploy to an existing domain, specify the domain to use for deployment.

• Administration Server Host: For an existing domain, specify the Administration Server Host.

• Administration Server Port: Accept or change the default port. To change the default, enter a port number that does not conflict with other applications installed on your machine.

• Administrator User: Enter the Administrator user name for the domain. By default, EPM System Configurator uses epm_admin.

• Administrator Password: Enter the Administrator password, or enter a new password for a new domain. Tip: Make a note of this password.

• Confirm Administrator Password: If you are defining a new domain, confirm the Administrator password.

The following fields configure WebLogic application server deployment:

• Ear/War: Select the components to deploy.

• Managed Server Name: Displays the WebLogic Managed Server name.

• Port: Accept or change the default port. To change the default, enter a port number that does not conflict with other applications installed on your machine.

• SSL Port: Accept the default port or specify the SSL port to use for deployment. Specifying this port sets up SSL using the Java application server's default certificates. See the Oracle Hyperion Enterprise Performance Management System Security Administration Guide for recommendations on updating the Java application server with a valid certificate. If you are using SSL, you must disable the non-SSL port (or redirect it to the SSL port) in your Java application server after configuration to ensure secure communication.

• Advanced Setup: Click or select Set up to specify the logical address the products use to connect to the Web application server. Select this option when the Web applications do not communicate with the Web application server directly, as in the following scenarios: you have set up a cluster with a load balancer, or you are using an SSL offloader.

Note the following application server deployment information:

• You deploy multiple products to a single domain.

• By default, EPM System Configurator deploys 32-bit binaries to 32-bit application servers on 32-bit operating systems, and 64-bit binaries to 64-bit application servers on 64-bit operating systems.

• EPM System Configurator deploys the applications to MIDDLEWARE_HOME/user_projects/domains/<domainName>.

• The EPM Workspace Web application and the Shared Services Web application are deployed when you select the Hyperion Foundation Deploy to Application Server task.

• If you are implementing a custom authentication module, you must include its Java archive (.jar) in the EPM Product classpath. See the Oracle Hyperion Enterprise Performance Management System Security Administration Guide for detailed procedures to implement a custom authentication module.

• Start and stop scripts are created in EPM_ORACLE_INSTANCE/bin/.

• For each application, in EPM_ORACLE_INSTANCE/bin/deploymentScripts there is a setCustomParamsProduct.bat file (.sh extension for UNIX), where you can change JAVA_OPTIONS when using start scripts.


Registering with Oracle Configuration Manager

Oracle Configuration Manager collects machine configuration information and installed Oracle software information on a regular basis and uploads it to My Oracle Support.

EPM System Configurator displays this page on the first machine you configure and uses the values for each additional machine in the deployment.

The following fields are available for registering with Oracle Configuration Manager:

• Email: Enter the email address to use for notifications from My Oracle Support.

• View Details: Click or select View Details to see information about Oracle Support policies.

• I wish to receive security updates via My Oracle Support: Specify whether you want to receive security updates.

• My Oracle Support password: Enter your My Oracle Support password.

NOTE: EPM System Installer installs Oracle Configuration Manager for you in EPM_ORACLE_HOME/ccr.

For more information about Oracle Configuration Manager, see http://download.oracle.com/docs/cd/E18041_01/doc.103/e18035.pdf.


Setting the Shared Services Admin User Password

EPM System Configurator creates a preprovisioned user called admin, which enables you to log on to Shared Services after configuration to create and provision users. EPM System Configurator requires you to specify a new admin password during configuration. After configuration, you can make subsequent changes to the admin user password in the Shared Services Console. See the Oracle Hyperion Enterprise Performance Management System Security Administration Guide.

The following fields reset the Shared Services admin user password:

• Password: Enter a new password for the Shared Services admin user.

• Re-Type Password: To confirm the new password, re-enter the password for the Shared Services admin user.


Configuring the Foundation Services Web Server

You configure the Web server only on the machine on which you want to run it. If you already configured the Web server and you deploy any additional products, you must run EPM System Configurator again and select the Foundation Services “Configure Web Server” task.

The following fields are available for Web server configuration:

• Select Web Server: Select the Web server.

• HTTP Port: Specify the Web server port. If you use SSL, make sure the port number that you enter is a secure port.

• Location of Oracle HTTP server: Specify or browse to the location of the Web server.

• Component: Review the components for which the Web server is being configured.


Launching Shared Services Console

After you successfully configure Shared Services, you can log on to Shared Services Console to perform the following tasks:

• User directory configurations

• Single sign-on configuration

• Native Directory management

• Role-based access control management

• Audit configuration and report management

• Access to Oracle Hyperion Enterprise Performance Management System Lifecycle Management and product artifact exploration


To launch Shared Services Console:

1. Ensure that pop-up blockers are not enabled.

2. Open your browser and go to: http://web_server_name:port_number/interop

In the URL, web_server_name indicates the name of the computer where the Web server used by Foundation Services is running, and port_number indicates the Web server port; for example, http://myWebserver:19000/interop.

If you are accessing Shared Services Console in secure environments, use https as the protocol and the secure Web Server port number. For example, use a URL such as: https://myserver:19043/interop.

The Logon page is displayed in a pop-up window.

3. On the Logon page, enter your user name and password.

Initially, the only user who can access Shared Services Console is admin. The password for admin is specified in Oracle's Hyperion Enterprise Performance Management System Configurator while deploying Foundation Services.

4. Click Log On.

Shared Services Console comprises a View pane, also known as the Application Management pane, and task tabs. When you initially log in, Shared Services Console displays the View pane and a Browse tab.

The View pane is a navigation frame where you can choose objects (such as user directories, users, groups, roles, application groups, and applications). Typically, details of your current selection in the View pane are displayed on the Browse tab. Additional task tabs open as needed, depending on the task that you perform; for example, a Report tab opens when you generate a report, and a Configure tab opens when you configure a user directory.

Depending on the current configuration, Shared Services Console lists your existing objects in the View pane. You can expand these object listings to view details. For example, you may expand the User Directories node to view a list of configured user directories. You may also search configured user directories for users and groups.

A shortcut menu, accessible by right-clicking an object, is associated with some objects in the View pane. Shortcut menus associated with objects in the View pane provide the quickest method to perform operations on the objects. Options in shortcut menus change dynamically, depending on what you select. The commands displayed in the shortcut menu also are available on a menu in the menu bar. Buttons representing enabled menu options are displayed on the toolbar.


Configuring Single Sign-On

[Slide figure: Authentication directory, User Management console, EPM System products]

Shared Services helps establish a secure environment for EPM System products. You can define and manage security for EPM System product deployments through Shared Services Console.

NOTE: All EPM System products depend on Shared Services to define how users are authenticated and how they are authorized to use product resources.

EPM System users must be authenticated before their provisioning data is checked to determine the EPM System applications that they can access. By default, users enter a user name and password into a product login page to gain Single Sign-On (SSO) access to all EPM System products.


SSO is a session and user-authentication process that enables EPM System product users to enter credentials only once, at the beginning of a session, to access multiple products. SSO eliminates the need to log in separately to each product to which the user has access.

When you install and deploy Shared Services, Native Directory, the default user directory for EPM System products, is configured automatically. You can configure external user directories to support SSO and authorization for the products that you install.

External authentication enables you to configure Shared Services to use a separate authentication directory; the directory contains corporate user information to authenticate EPM System product users. Each EPM System product enables external authentication by referencing the Shared Services configuration during the product configuration process.

NOTE: Shared Services Console writes the configuration information to the CSS.xml file that is packaged with Shared Services.

You can perform the following user directory management and configuration tasks in Shared Services Console:

• Configure user directories

• Test user directory connections

• Edit user directory settings

• Delete user directories

• Manage the user directory search order

After configuring the directories, you must synchronize them with the Shared Services database.

Configuring Native Directory

Native Directory refers to the relational database that Shared Services uses to support provisioning and to store seed data such as default user accounts, and additional users and groups that you create. By default, Native Directory contains one user account, admin. You specify the password for the admin account the first time you run EPM System Configurator. With this user account, you can perform all Native Directory and Shared Services administration tasks:

• Maintain and manage the native user and group accounts


• Generate EPM System provisioning information; Shared Services stores the relationships among users, groups, roles, and applications

All EPM System users, whether defined in Native Directory or in an external user directory, belong to the WORLD group, the only default Native Directory group. WORLD is a logical group. All Shared Services users inherit any role assigned to this group. A user gets the sum of all permissions assigned directly to that user as well as those assigned to the user's groups (including the WORLD group).

If Shared Services is deployed in delegated mode, the WORLD group contains groups as well as users. If the delegated list of a user contains the WORLD group, then the user can retrieve all users and groups during searches.
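The inheritance rule above (a user holds the roles assigned directly to the user plus the roles of every group the user belongs to, with every user implicitly in WORLD, and groups able to contain groups in delegated mode) as an added Python illustration. This is not Oracle's code; the user, group and role names are constructed sample data. It also includes the check a reviewer would want before go-live: which roles WORLD carries, since anything assigned to WORLD reaches every user of every configured directory.

```python
"""Effective-role resolution for a Shared Services style provisioning model.

Added illustration, not Oracle's code. It models the rules stated in the lesson:
a user's effective permissions are the sum of the roles assigned directly to the
user plus the roles assigned to every group the user belongs to, and every user,
native or external, is implicitly a member of the WORLD group. Group nesting
(a group containing groups, as in delegated mode) is resolved transitively.
All user, group and role names below are constructed sample data.
"""
from collections import deque

WORLD = "WORLD"  # the only default Native Directory group; membership is implicit


def effective_roles(user, user_roles, group_members, group_roles):
    """Return the set of roles `user` holds after group inheritance.

    user_roles:    {user: {role, ...}}      roles assigned directly to users
    group_members: {group: {member, ...}}   members may be users or other groups
    group_roles:   {group: {role, ...}}     roles assigned to groups
    """
    groups = {WORLD}  # every user inherits whatever is assigned to WORLD
    queue = deque([user])
    seen = set()
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        # Walk upwards: any group that lists `node` as a member (the node may
        # itself be a group) grants its roles to the user.
        for group, members in group_members.items():
            if node in members and group not in groups:
                groups.add(group)
                queue.append(group)
    roles = set(user_roles.get(user, set()))
    for group in groups:
        roles |= group_roles.get(group, set())
    return roles


def known_users(user_roles, group_members):
    """Every name that is a user: has direct roles, or is a member but not a group."""
    users = set(user_roles)
    for members in group_members.values():
        users |= {m for m in members if m not in group_members}
    return users


def users_with_role(role, user_roles, group_members, group_roles):
    """Audit helper: who ends up holding `role` once inheritance is applied."""
    return sorted(
        u for u in known_users(user_roles, group_members)
        if role in effective_roles(u, user_roles, group_members, group_roles)
    )


def world_role_findings(group_roles, sensitive_roles):
    """Roles on WORLD reach every user of every configured directory, so any
    sensitive role assigned there is worth flagging before go-live."""
    return sorted(group_roles.get(WORLD, set()) & set(sensitive_roles))


# Constructed sample provisioning data (not from a real deployment).
SAMPLE_USER_ROLES = {
    "admin": {"shared_services_administrator"},
    "jyoung": {"planner"},
}
SAMPLE_GROUP_MEMBERS = {
    "finance_analysts": {"jyoung", "mlee"},
    "finance_all": {"finance_analysts", "pchan"},  # nested group
}
SAMPLE_GROUP_ROLES = {
    "finance_analysts": {"loader"},
    "finance_all": {"viewer"},
    WORLD: {"viewer", "directory_manager"},  # overly broad: flagged below
}

if __name__ == "__main__":
    for user in sorted(known_users(SAMPLE_USER_ROLES, SAMPLE_GROUP_MEMBERS)):
        print(user, sorted(effective_roles(user, SAMPLE_USER_ROLES,
                                           SAMPLE_GROUP_MEMBERS, SAMPLE_GROUP_ROLES)))
    print("sensitive roles on WORLD:",
          world_role_findings(SAMPLE_GROUP_ROLES,
                              {"directory_manager", "shared_services_administrator"}))
```

Running the block shows that mlee, who has no direct roles, still receives loader and viewer through the nested groups plus whatever WORLD carries, and that an unknown external-directory user receives only the WORLD roles; that last case is why the WORLD check is the first thing to review on a freshly provisioned deployment.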

To create Native Directory users:

1. In Shared Services Console, expand User Directories, and then Native Directory.

2. Under the Native Directory node in the View pane, right-click Users, and select New.

3. In the Create User dialog box, enter the following information:

• User Name—a unique user identifier (maximum 256 characters) that follows the naming conventions of your organization. For example, first name initial followed by the last name, as in jyoung.

User names can contain any number or combination of characters. You cannot create identical user names, including names that are differentiated only by number of spaces. For example, you cannot create user names user 1 (with one space between user and 1) and user 1 (with two spaces between user and 1).

• Password—passwords are case-sensitive and can contain any combination of characters.

• Confirm Password—re-enter password.

• First Name—user's first name (optional)

• Last Name—user's last name (optional)

• Description—user's description (optional)

• Email Address—user's e-mail address (optional). The e-mail server domain extension; for example, .com, .org, and .gov, cannot contain more than four characters.

4. Optional: To add the user to one or more groups, click Next.


a. On the Group Membership page, in Search for Groups, enter the name of the group to assign to the user (type * to list all available groups).

b. Click Go.

c. From Available Groups, select groups.

d. Click Add.

e. Optional: From Assigned Groups, select the group and click Remove to unassign a group. Click Reset to undo all changes that you made to Assigned Groups.

5. Click Save.

6. Click Create Another to create another user or OK to close the Create User dialog box.

For additional Native Directory task procedures, see Oracle® Hyperion Enterprise Performance Management System User and Role Security Guide Release 11.1.2.1.
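The Create User rules above (256-character limit, names that differ only by the number of spaces count as identical, matching password confirmation, a domain extension of at most four characters) are easy to get wrong when accounts are created in bulk rather than through the dialog. The following added example, which is not Oracle's code and uses constructed names and helper functions, applies the same checks before a request is sent to Native Directory:

```python
"""Added example (not Oracle code): the Create User checks described in the
lesson, applied before a request reaches Native Directory. The rules come from
the lesson text; helper names and sample inputs are constructed."""
import re

MAX_USER_NAME_LEN = 256   # maximum user identifier length stated in the lesson
MAX_TLD_LEN = 4           # e-mail domain extension limit stated in the lesson


def normalize_user_name(name: str) -> str:
    """Collapse runs of whitespace so that names differing only by the number
    of spaces ("user 1" versus "user  1") compare as the same identifier."""
    return " ".join(name.split())


def email_tld(address: str):
    """Return the domain extension of an e-mail address, or None if the
    address does not have the user@domain.tld shape."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address)
    if not m:
        return None
    domain = m.group(1)
    if "." not in domain:
        return None
    return domain.rsplit(".", 1)[1]


def validate_new_user(name, password, confirm, email=None, existing=()):
    """Return a list of validation errors; an empty list means the user can be
    created. `existing` holds the user names already in Native Directory."""
    errors = []
    if not name.strip():
        errors.append("user name is required")
    elif len(name) > MAX_USER_NAME_LEN:
        errors.append(f"user name exceeds {MAX_USER_NAME_LEN} characters")
    # Uniqueness ignores whitespace-only differences, as the dialog does.
    taken = {normalize_user_name(e) for e in existing}
    if normalize_user_name(name) in taken:
        errors.append("user name already exists (names differing only by spaces are identical)")
    # Passwords may contain any characters and are case-sensitive, so the only
    # check is that both entries are the same string.
    if password != confirm:
        errors.append("password and confirm password do not match")
    if email:
        tld = email_tld(email)
        if tld is None:
            errors.append("e-mail address is not in user@domain form")
        elif len(tld) > MAX_TLD_LEN:
            errors.append(f"e-mail domain extension .{tld} exceeds {MAX_TLD_LEN} characters")
    return errors


if __name__ == "__main__":
    existing = ["jyoung", "user 1"]   # constructed existing Native Directory users
    print(validate_new_user("asmith", "Pa55word", "Pa55word", "asmith@example.com", existing))
    print(validate_new_user("user  1", "x", "y", "a@example.museum", existing))
```

The second call in the usage block reports three errors at once (duplicate name, password mismatch, six-character domain extension), which is the behaviour you want from a pre-check: collect everything wrong with the record rather than stopping at the first problem.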


Configuring MSAD or LDAP User Directories

The following external directories are supported:

• Lightweight Directory Access Protocol (LDAP)-enabled user directories, such as Oracle Internet Directory (OID)

• Oracle Directory Server Enterprise Edition (ODSEE) 11gR1 (11.1.1.3+) (previously called Sun Java Directory Service 6.3)

• Novell eDirectory 8.8

• IBM Tivoli Directory Server 6.2

• SAP R/3 Enterprise 5.0

• Computer Associates SiteMinder 6

• Microsoft Active Directory (MSAD) 2003 and 2008


• Relational databases (Oracle database 10.2.0.4 and later, IBM DB2 9.5 and 9.7, Microsoft SQL Server 2005, 2008, and 2008 R2)

NOTE: You cannot manage external directory users and groups in Shared Services Console. You can configure Shared Services to work with the users and groups that you created in external user directories.

In this class, you connect to an MSAD external directory.

To configure OID, MSAD, or other LDAP-enabled user directories:

1. In Shared Services Console, select Administration, then Configure User Directories.

The Defined User Directories page is displayed. This page lists all configured user directories, including Native Directory.

2. Click New.

3. For a directory type, select an option:

• Lightweight Directory Access Protocol (LDAP)

• Microsoft Active Directory (MSAD)

• SAP

• Relational Database (Oracle, DB2, SQL Server)

4. Click Next.

The Connection Information page for the selected user directory type is displayed.

5. Enter the required parameters. The following table describes the parameters for your external authentication provider:

Directory Server: Select a user directory. Select Other if you are using a user directory that is not listed. This property is automatically selected if you chose Active Directory.

Name: Enter a descriptive name for the user directory. This description is used to identify a specific user directory if multiple user directories are configured.

DNS Lookup: Active Directory only. Select this option to enable DNS lookup.

Host Name (Option): Active Directory only. Select this option to enable static host name lookup.

Host Name: Enter the DNS name or IP address of the user directory server. Use the fully qualified domain name if the user directory is to be used to support SSO from SiteMinder.

Port: Enter the port number where the user directory is running.

SSL Enabled: Select to enable secure communication with this user directory. The user directory must be configured for secure communication.

Base DN: Enter the distinguished name (DN) of the node where the search for users and groups should begin. You can also use the Fetch DNs button to list available base DNs and then select the appropriate base DN from the list. Oracle recommends that you select the lowest DN that contains all EPM System product users and groups.

ID Attribute: Enter a unique user attribute. The recommended value of this attribute is automatically set for OID (orclguid), SunONE (nsuniqueid), IBM Directory Server (Ibm-entryUuid), Novell eDirectory (GUID), and Active Directory (ObjectGUID). You may change the default value to DN if necessary.

Note: Oracle does not recommend the use of DN as the ID Attribute because it can cause users and groups to lose provisioning data if they move from the current organizational unit to another.

Maximum Size: Enter the maximum number of results that a search can return. If this value is greater than that supported by the user directory settings, the user directory value overrides this value. For user directories other than Active Directory, leave this field blank to retrieve all users and groups that meet the search criteria. For Active Directory, set this value to 0 to retrieve all users and groups that meet the search criteria.

Trusted: Select this check box to indicate that this provider is a trusted SSO source. SSO tokens from trusted sources do not contain the user's password.

Anonymous Bind: Select this check box to indicate that Shared Services can bind anonymously to the user directory to search for users and groups. This option can be used only if the user directory allows anonymous binds. If this option is not selected, you must specify, in the User DN, an account with sufficient access permissions to search the directory where user information is stored. Oracle recommends that you do not use anonymous bind.

User DN: Enter the distinguished name of the user that Shared Services should use to bind with the user directory. This distinguished name must have read privileges within the Base DN. Note: This box is disabled if you select Anonymous Bind.

Append Base DN: Select this check box to append the base DN to the User DN. If you are using the Directory Manager account as the User DN, do not append Base DN. Note: This box is disabled if you select Anonymous Bind.

Password: Enter the User DN password. Note: This box is disabled if you select Anonymous Bind.

Show Advanced Options: Select this check box to display advanced options. For more information about advanced options, see the Oracle Hyperion Enterprise Performance Management System User and Role Security Guide.

6. Click Next.

The User Configuration screen is displayed.

NOTE: The steps to configure user directories are continued in the succeeding sections.


User Configuration

You can use the Auto Configure field to quickly retrieve User information.

Shared Services uses the User Configuration properties to create a URL to determine the node where searches for users begin. Using this URL speeds up the search.

TIP: The user URL should not point to an alias. EPM System security requires that the user URL points to an actual user and not its alias.

To set user configuration properties:

1. Perform steps to configure OID, MSAD, or other LDAP-enabled user directories from the previous section.

2. Perform one of the following actions:


a. Enter a unique user identifier using the format attribute=identifier and click Auto Configure.

NOTE: Oracle recommends that you use Auto Configure to retrieve the required information. If you are using OID, you cannot automatically configure user properties, because the root DSE of OID does not contain entries in the Naming Contexts attribute.

b. Enter user information manually. The following table contains the field definitions:

User RDN: Enter the Relative DN of the user. Each component of a DN is called an RDN and represents a branch in the directory tree. The RDN of a user is generally the equivalent of the uid or cn. Example: ou=people

Login Attribute: Enter the attribute that stores the login name of the user. Users use the value of this attribute as the User Name while logging on to EPM System products. Example: uid

First Name Attribute: Enter the attribute that stores the user's first name. Example: givenName

Last Name Attribute: Enter the attribute that stores the user's last name. Example: sn

Email Attribute: Enter the attribute that stores the user's e-mail address. Example: mail

Object Class: Enter the object classes of the user (the mandatory and optional attributes that can be associated with the user). Shared Services uses the object classes listed in this screen in the search filter, and should find all users who should be provisioned. If needed, you can manually add object classes by entering the object class name in the Object Class box, and clicking Add. To delete object classes, select the object class and click Remove. Example: person, organizationalPerson, inetorgperson

Show Advanced Options: Select this check box to enable the use of a filter to retrieve users during search operations.

Filter to Limit Users: Enter an LDAP query that retrieves only the users that are to be provisioned with EPM System product roles. For example, the LDAP query (uid=Hyp*) retrieves only users whose names start with the prefix Hyp.

The User Configuration screen validates the User RDN and recommends the use of a user filter, if required. After entering the user filter, click Execute Filter to validate the query by obtaining a count of the number of users that will be retrieved with the filter.

With the user filter, you limit the number of users returned during a query. It is especially important if the node identified by the user RDN contains many users that need not be provisioned. User filters can be designed to exclude the users that are not to be provisioned, thereby improving performance.

Resolve Custom Primary Groups: Active Directory only. The check box that indicates whether to identify primary groups of users to determine effective roles. This check box is selected by default. Oracle recommends that you do not change this setting.

3. Click Next.

The Group Configuration page is displayed.

NOTE: The steps to configure user directories are continued in the succeeding section.


Group Configuration

You can use the Auto Configure field to quickly retrieve Group information.

Shared Services uses the Group Configuration properties to create a URL to determine the node where searches for groups begin. The URL speeds up the search.

TIP: The group URL should not point to an alias. EPM System security requires that the group URL points to an actual group and not its alias.

Data entry in the Group Configuration screen is optional. If you do not enter the group URL settings, Shared Services searches within the Base DN to locate groups, which can negatively affect performance, especially if the user directory contains many groups.

If you do not plan to provision groups, or if users are not categorized into groups on the user directory, you can clear the Support Groups check box to disable the fields on this screen.


To set group configuration properties:

1. Perform steps to configure OID, MSAD, or other LDAP-enabled user directories and set user configuration properties from the previous sections.

2. Deselect Support Groups if you do not plan to provision groups, or if users are not categorized into groups on the user directory, then skip to step 5.

Clearing this option disables the fields on this page.

3. Perform one of the following actions:

a. Enter a group identifier using the format attribute=identifier and click Auto Configure.

NOTE: Oracle recommends that you use Auto Configure to retrieve the required information. If you are using OID, you cannot automatically configure group properties, because the root DSE of OID does not contain entries in the Naming Contexts attribute. If the group URL is not set for user directories that contain / (slash) or \ (backslash) in their node names, the search for users and groups fails. For example, any operation to list the user or group fails if the group URL is not specified for a user directory in which users and groups exist in a node such as OU=child \ou,OU=parent/ou or OU=child/ou,OU=parent \ ou.


b. Enter group information manually. The following table contains the field definitions:

Group RDN: Enter the Relative DN of the group. Each component of a DN is called an RDN and represents a branch in the directory tree. This value, which is relative to the Base DN, is used as the group URL. Specify a Group RDN that identifies the lowest user directory node in which all groups that you plan to provision are available.

The Group RDN has a significant impact on login and search performance. Because it is the starting point for all group searches, you must identify the lowest possible node in which all groups for EPM System products are available. To ensure optimum performance, the number of groups present within the Group RDN should not exceed 10,000. If more groups are present, use a group filter to retrieve only the groups that you want to provision.

Note: Shared Services displays a warning if the number of available groups within the Group URL exceeds 10,000.

Example: ou=Groups

Name Attribute: Enter the attribute that stores the group name. Example: cn

Object Class: Enter the object classes of the group. Shared Services uses the object classes listed in this screen in the search filter, and should find all groups that are associated with the user. If needed, you can manually add object classes by entering the object class name in the Object Class box, and clicking Add. To delete object classes, select the object class and click Remove. Example: groupofuniquenames?uniquemember

Show Advanced Options: Select this check box to enable the use of a filter to retrieve groups during search operations.

Filter to Limit Groups: Enter an LDAP query that retrieves only the groups that are to be provisioned with EPM System product roles. For example, the LDAP query (|(cn=Hyp*)(cn=Admin*)) retrieves only groups whose names start with the prefix Hyp or Admin.

After entering the group filter, click Execute Filter to validate the filter by obtaining a count of the number of groups that will be retrieved with the filter.

With the group filter, you limit the number of groups returned during a query. It is especially important if the node identified by the group RDN contains many groups that need not be provisioned. Filters can be designed to exclude the groups that are not to be provisioned, thereby improving performance.


4. Click Save.

The Directory Configuration Result page is displayed.

5. Click OK.

The Defined User Directories page is displayed.

6. Click Save.

The Save Configuration Summary page is displayed.

7. Click OK.

The Defined User Directories page is displayed.

8. Click Log Off.

9. If you are prompted to log off, click Yes.

10. Restart services.
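The User Configuration and Group Configuration sections above both describe the same mechanism: the RDN is appended to the Base DN to form the search base, the object classes go into the search filter, and the optional Filter to Limit Users or Filter to Limit Groups narrows the result before Execute Filter reports a count. The following added example, which is not Oracle's code, models that composition offline against a small constructed directory so you can check a filter such as (uid=Hyp*) or (|(cn=Hyp*)(cn=Admin*)) before typing it into the screen. Two assumptions are labelled in the code: the object classes are ORed together, and the search covers the whole subtree under the search base.

```python
"""Added example (not Oracle code): an offline model of how the User and Group
Configuration values become a directory search. Assumptions: object classes are
ORed, and the scope is the subtree under RDN + Base DN. Entries are constructed."""
import re

BASE_DN = "dc=example,dc=com"   # constructed
ENTRIES = [  # constructed sample directory: three people, one service account, three groups
    {"dn": "uid=hypadmin,ou=people,dc=example,dc=com", "uid": "hypadmin",
     "objectClass": ["person", "organizationalPerson", "inetOrgPerson"]},
    {"dn": "uid=hypuser1,ou=people,dc=example,dc=com", "uid": "hypuser1",
     "objectClass": ["person", "organizationalPerson", "inetOrgPerson"]},
    {"dn": "uid=jdoe,ou=people,dc=example,dc=com", "uid": "jdoe",
     "objectClass": ["person", "organizationalPerson", "inetOrgPerson"]},
    {"dn": "uid=svc,ou=service,dc=example,dc=com", "uid": "svc",
     "objectClass": ["person"]},   # outside the user RDN, so never returned
    {"dn": "cn=HypPlanners,ou=groups,dc=example,dc=com", "cn": "HypPlanners",
     "objectClass": ["groupOfUniqueNames"]},
    {"dn": "cn=Admins,ou=groups,dc=example,dc=com", "cn": "Admins",
     "objectClass": ["groupOfUniqueNames"]},
    {"dn": "cn=Finance,ou=groups,dc=example,dc=com", "cn": "Finance",
     "objectClass": ["groupOfUniqueNames"]},
]


def parse_filter(text: str):
    """Parse the subset of RFC 4515 filters used on the configuration screens:
    (attr=value) items with * wildcards, combined with &, | and !."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|", "!"):
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"unbalanced filter at offset {pos}")
            pos += 1
            if not children or (op == "!" and len(children) != 1):
                raise ValueError("wrong number of operands for " + op)
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("missing ')'")
        attr, eq, value = text[pos:end].partition("=")
        if not eq or not attr:
            raise ValueError(f"malformed item at offset {pos}")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing text after filter")
    return tree


def _attr_values(entry, attr):
    """LDAP attribute names are case-insensitive; always return a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def _value_matches(value, pattern):
    # Only * is a wildcard in these filters; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(entry, tree):
    op = tree[0]
    if op == "=":
        _, attr, pattern = tree
        return any(_value_matches(v, pattern) for v in _attr_values(entry, attr))
    if op == "&":
        return all(matches(entry, c) for c in tree[1])
    if op == "|":
        return any(matches(entry, c) for c in tree[1])
    return not matches(entry, tree[1][0])   # "!"


def build_search(base_dn, rdn, object_classes, limit_filter=None):
    """Compose the search base (RDN + Base DN) and the filter text: the object
    classes ORed (assumption), ANDed with the optional limiting filter."""
    search_base = f"{rdn},{base_dn}"
    classes = "".join(f"(objectClass={c})" for c in object_classes)
    class_filter = classes if len(object_classes) == 1 else f"(|{classes})"
    full = f"(&{class_filter}{limit_filter})" if limit_filter else class_filter
    return search_base, full


def execute_filter(base_dn, rdn, object_classes, limit_filter=None, entries=ENTRIES):
    """Model of the Execute Filter button: the DNs (and so the count) the search
    would return. Raises ValueError for a malformed filter."""
    search_base, filter_text = build_search(base_dn, rdn, object_classes, limit_filter)
    tree = parse_filter(filter_text)
    suffix = "," + search_base.lower()
    return [e["dn"] for e in entries
            if e["dn"].lower().endswith(suffix) and matches(e, tree)]


if __name__ == "__main__":
    people = ["person", "organizationalPerson", "inetorgperson"]
    for label, rdn, classes, flt in [
        ("all users", "ou=people", people, None),
        ("users (uid=Hyp*)", "ou=people", people, "(uid=Hyp*)"),
        ("groups", "ou=groups", ["groupOfUniqueNames"], "(|(cn=Hyp*)(cn=Admin*))"),
    ]:
        hits = execute_filter(BASE_DN, rdn, classes, flt)
        print(f"{label}: {len(hits)} -> {hits}")
```

The service account under ou=service never appears in the user results because the search base, not the filter, excludes it; that is the point the lesson makes about choosing the lowest RDN that still contains everyone you intend to provision. Matching is case-insensitive, as it is for the attribute types listed on the screens, so inetorgperson in the configuration matches inetOrgPerson in the directory.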

Testing User Directory Connections

After configuring a user directory, test the connection to ensure that Shared Services can connect to the user directory with the current settings.

To test user directory connections:

1. From Shared Services Console, select Administration, and then Configure User Directories.

The Defined User Directories screen is displayed.

2. From the list of user directories, select an external user directory configuration to test.

3. Click Test.

A status message indicating the test result is displayed.

4. Click OK.

Managing the User Directory Search Order

When you configure an external user directory, Shared Services automatically adds the user directory to the search order and assigns it the next available search sequence. The search order is used to cycle through configured user directories when EPM System searches for users and groups.


You can remove a user directory from the search order, in which case Shared Services automatically reassigns the search order of the remaining directories. User directories not included in the search order are not used to support authentication and provisioning.

NOTE: Shared Services terminates the search for the user or group when it encounters the specified account. Oracle recommends that the corporate directory that contains most of the EPM System users be placed at the top of the search order. If a user has multiple accounts within a user directory, EPM System retrieves the account that the search first encounters.

You can perform the following tasks to manage the search order:

• Add a User Directory to a search order

• Change the search order

• Remove a search order assignment
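The note above has a consequence worth checking for: because the search stops at the first directory that holds the account, a login that exists in two directories is always resolved from the one earlier in the search order, and the other account is silently never used. The following added example, which is not Oracle's code and uses constructed directory names and accounts, models the first-match rule, the automatic reassignment of sequence numbers when a directory is removed, and a report of such shadowed logins:

```python
"""Added example (not Oracle code): a model of the user directory search order.
Directory names, the order and the accounts are constructed."""

# Constructed: directory name -> login -> account record
DIRECTORIES = {
    "Native Directory": {"admin": {"dn": "cn=admin,ou=native,dc=example", "mail": "admin@example.com"}},
    "CorpAD": {"jdoe": {"dn": "CN=jdoe,OU=Staff,DC=corp,DC=example", "mail": "jdoe@example.com"},
               "asmith": {"dn": "CN=asmith,OU=Staff,DC=corp,DC=example", "mail": "asmith@example.com"}},
    "PartnerLDAP": {"jdoe": {"dn": "uid=jdoe,ou=partners,dc=partner,dc=example", "mail": "jdoe@partner.example"}},
}
SEARCH_ORDER = ["Native Directory", "CorpAD", "PartnerLDAP"]   # sequence 1, 2, 3


def search_sequence(order):
    """Sequence numbers as shown on the Defined User Directories page."""
    return {name: seq for seq, name in enumerate(order, start=1)}


def add_to_search_order(order, name):
    """A new directory gets the next available sequence."""
    return order if name in order else order + [name]


def remove_from_search_order(order, name):
    """Removing a directory reassigns the remaining sequences automatically."""
    return [n for n in order if n != name]


def resolve(login, order=SEARCH_ORDER, directories=DIRECTORIES):
    """First-match semantics: the search terminates at the first directory in
    the order that holds the login; directories outside the order are unused."""
    for name in order:
        account = directories.get(name, {}).get(login)
        if account is not None:
            return name, account
    return None


def shadowed_accounts(order=SEARCH_ORDER, directories=DIRECTORIES):
    """Logins present in more than one directory of the search order: the first
    directory wins and the later copies are never consulted for that login."""
    report = {}
    logins = {login for name in order for login in directories.get(name, {})}
    for login in sorted(logins):
        holders = [name for name in order if login in directories.get(name, {})]
        if len(holders) > 1:
            report[login] = {"resolved_from": holders[0], "shadowed_in": holders[1:]}
    return report


if __name__ == "__main__":
    print(search_sequence(SEARCH_ORDER))
    print("jdoe resolves from:", resolve("jdoe")[0])
    reduced = remove_from_search_order(SEARCH_ORDER, "CorpAD")
    print("after removing CorpAD:", search_sequence(reduced), resolve("jdoe", reduced)[0])
    print("shadowed:", shadowed_accounts())
```

Running shadowed_accounts over a real environment's directory exports before you finalize the search order tells you which logins would change identity (and therefore provisioning) if a directory were reordered or removed.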


Provisioning Users and Groups

[Figure: Provisioning and Registration. Components shown: EPM System product, CSS, Shared Services, EPM Configurator, external user directory, relational database (ACL). Flows shown: registration, authentication, provisioning, get provisioning information.]

Provisioning is the process of granting roles and object Access Control Lists (ACLs) belonging to EPM System applications to users and groups.

EPM System security determines user access to applications using the concept of roles.

Roles are permissions that determine user access to product functions. Each product provides several default roles tailored to suit various business needs. Predefined roles from each application registered with Shared Services are available from Shared Services Console and used for provisioning. You may also create additional roles that aggregate the default roles to suit specific requirements.

Some EPM System products enforce object-level ACLs to further refine user access to their artifacts such as reports and dimension members.

Provisioning is managed at the user or group levels by Provisioning Managers or Shared Services Administrators assigning one or more EPM System application roles to a user or group.


Provisioning Sequence

Shared Services communicates with the following repositories for provisioning:

• The Shared Services relational database contains product registration information.

• The OpenLDAP database contains role-provisioning information.

• The product repositories contain authentication privileges that are product-specific.

• The external authentication directory contains user credentials and group hierarchy information.

The EPM System authorization process is as follows:

1. After the user logs on, the EPM System product checks whether the user has credentials in user directories.

2. The EPM System product retrieves the user’s provisioning data using group and user information in Shared Services.

3. The EPM System product uses group and user information to retrieve the user's provisioning data from Shared Services. The product uses this data to determine which resources a user can access. Product-specific provisioning tasks, such as setting product-specific access control, are completed for each product. This data is combined with provisioning data to determine the product access for users.

Available Roles

A role is a construct, similar to an access control list, that defines the access permissions granted to users and groups to perform functions on Hyperion resources. It is a combination of resources or resource types.

Access to Hyperion application resources is restricted. Users can access application resources only after a role that provides access is assigned to the user or to the group to which the user belongs. Access restrictions based on roles enable administrators to control and manage application access.


Global Roles

Global roles are Shared Services roles that enable users to perform certain tasks within the Shared Services Console. The following table describes some global roles:

Administrator: The Administrator role provides control over all products that integrate with Shared Services. It enables more control over security than any other Hyperion product role and should therefore be assigned sparingly. Administrators can perform all administrative tasks in Shared Services Console and can provision themselves. This role grants broad access to all applications registered with Shared Services. The Administrator role is, by default, assigned to the admin Native Directory user, which is the only user available after you deploy Shared Services. This user account is initially used to create accounts for other administrators.

Directory Manager: The Directory Manager role creates and manages users and groups within Native Directory. The recommended practice is to grant one user the Directory Manager role and another user the Provisioning Manager role. Otherwise, Directory Managers can provision themselves. For example, if a user is assigned both roles for a Financial Management application, this user can create a new user, assign the user any role within the application, and log on as the new user, thereby granting personal access to the Financial Management application.

Project Manager: The Project Manager role creates and manages projects within Shared Services.

LCM Manager: The LCM Manager role executes the Artifact Life Cycle Management Utility to promote artifacts and data across product environments and operating systems.

Predefined Roles

Predefined roles are built-in roles in EPM System products. You cannot delete these roles from the product. Predefined roles are registered with Shared Services during the application registration process.


Aggregated Roles

Aggregated roles are custom roles that aggregate multiple product roles within a Hyperion product. An aggregated role consists of multiple roles, including other aggregated roles. For example, a Shared Services Administrator or Provisioning Manager can create a role for Planning that combines the Planner and View User roles into an aggregated role. Aggregating roles can simplify the administration of products that have a large number of granular roles.

You cannot create an aggregated role that spans products, and you cannot include global Shared Services roles in aggregated roles. Aggregated roles are also known as custom roles.

To provision users or groups:

1. In Shared Services Console, expand User Directories.

2. Select a user directory, and search for users or groups.

3. Right-click the user or group, and select Provision.

The Provisioning tab is displayed.

4. Optional: Click Tree or List.

Roles can be displayed in a hierarchy (tree) or a list. You must drill down the hierarchy to display available roles. The list view lists all available roles but does not show their hierarchy.

5. Select one or more roles, and click Add.

The selected roles are displayed in Selected Roles.

6. Click Save.

A dialog box, which indicates that the provisioning process is successful, is displayed.

7. Click OK.

Deprovisioning Users and Groups

When you deprovision users or groups, you remove the assigned roles from an application. Shared Services Administrators can deprovision roles from several applications. Provisioning managers of applications can deprovision roles from their applications.


For example, assume that the group Sales_West is provisioned with roles from Financial Management. If this group is deprovisioned by a Financial Management Provisioning Manager, only the roles from Financial Management are removed.

To deprovision users or groups:

1. In Shared Services Console, expand User Directories.

2. Select a user directory, and search for users or groups.

3. Right-click the user or group, and select Deprovision.

4. On the Deprovisioning tab, perform one of the following actions, and click OK.

• Select one or more applications.

• Select Check All to choose all available applications.

5. Click OK.

6. Click Yes in the confirmation dialog box.

7. Click OK.


Generating Provisioning Reports

You can create reports on provisioning information in Shared Services Console. Provisioning reports enable administrators to review the access rights and permissions granted to users and groups across EPM System applications, which helps track user access for compliance reporting.

The report can contain information on users assigned to roles from selected applications, roles from selected applications assigned to users, and inheritance information that shows the sequence of inheritance starting with the original group or role that was responsible for granting the provisioned role to the user.

To generate provisioning reports:

1. In Shared Services Console, select Administration, and then View Provisioning Report.

2. Enter report generation parameters.


3. Click Create Report.

The report is displayed on the Provision Report tab.

4. Click Print Preview.

The report is displayed in the View Report window.

5. Click Print.

6. Select a printer, and click Print.

7. Click Close.
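The provisioning sequence, the Sales_West deprovisioning example and the inheritance column of the provisioning report all describe one data model: roles are assigned to users or groups per application, a user inherits the roles of every group that directly or indirectly contains them, and deprovisioning an application removes only that application's roles. The following added example, which is not Oracle's code and uses constructed group, user, application and role names, computes the effective roles with the inheritance chain the report shows, produces the per-application report, and applies a deprovisioning of the kind the Sales_West example describes:

```python
"""Added example (not Oracle code): a model of role provisioning through group
membership, the inheritance chain shown in a provisioning report, and
deprovisioning one application's roles only. All names are constructed; the
roles are not a specific product's role list."""
from collections import deque

# Constructed: group -> direct members (users or nested groups)
GROUP_MEMBERS = {
    "Finance_All": ["Sales_West", "jdoe"],
    "Sales_West": ["asmith", "bjones"],
}
USERS = ["jdoe", "asmith", "bjones"]
# Constructed: principal -> application -> roles assigned directly in Shared Services
ASSIGNMENTS = {
    "Finance_All": {"HFM_Consol": {"Viewer"}},
    "Sales_West": {"HFM_Consol": {"Load System"}, "Planning_Budget": {"Planner"}},
    "asmith": {"Planning_Budget": {"View User"}},
}


def parent_groups(principal, members):
    """Groups that directly contain the principal."""
    return [g for g, m in members.items() if principal in m]


def effective_roles(user, members=GROUP_MEMBERS, assignments=ASSIGNMENTS):
    """Return {application: {role: inheritance path}} for a user. The path runs
    from the group that originally granted the role down to the user, as in the
    provisioning report; a directly granted role has the one-element path [user].
    Breadth-first with a visited set, so cyclic group nesting still terminates."""
    result = {}
    queue = deque([(user, [user])])
    visited = {user}
    while queue:
        principal, path = queue.popleft()
        for app, roles in assignments.get(principal, {}).items():
            for role in sorted(roles):
                # First hit wins: BFS reaches the shortest inheritance chain first.
                result.setdefault(app, {}).setdefault(role, list(reversed(path)))
        for group in parent_groups(principal, members):
            if group not in visited:
                visited.add(group)
                queue.append((group, path + [group]))
    return result


def deprovision(principal, applications, assignments=ASSIGNMENTS):
    """Remove only the named applications' roles from a user or group. Returns a
    new mapping; roles of other applications and the original are untouched."""
    updated = {p: {a: set(r) for a, r in apps.items()} for p, apps in assignments.items()}
    for app in applications:
        updated.get(principal, {}).pop(app, None)
    return updated


def provisioning_report(application, users=USERS, members=GROUP_MEMBERS,
                        assignments=ASSIGNMENTS):
    """Users holding roles from one application, with each role's inheritance chain."""
    report = {}
    for user in users:
        roles = effective_roles(user, members, assignments).get(application)
        if roles:
            report[user] = roles
    return report


if __name__ == "__main__":
    for user, roles in provisioning_report("HFM_Consol").items():
        for role, path in roles.items():
            print(f"{user}: {role} via {' > '.join(path)}")
    after = deprovision("Sales_West", ["HFM_Consol"])
    print("after deprovisioning Sales_West from HFM_Consol:",
          provisioning_report("HFM_Consol", assignments=after))
```

In the usage block, asmith keeps the HFM_Consol Viewer role after Sales_West is deprovisioned because it is inherited from Finance_All, not from Sales_West; the report's inheritance column is what tells you which group to act on when a user has more access than intended.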


Creating Application Groups

An application group is a container for EPM System applications. For example, an application group may contain a Financial Management application and one or more Reporting and Analysis applications.

If you create an application but you do not assign it to a group, the application is listed under the Default Application Group node in Shared Services Console.

An application can belong to only one application group, but an application group may contain multiple applications. You can start the provisioning process even if the applications are not assigned to application groups. You can provision applications listed in the Default Application Group node, and then move them to an application group without losing provisioning information.


NOTE: You must be a Shared Services Administrator or Project Manager to create and manage application groups. Shared Services Administrators can work with all registered applications, whereas a Project Manager can work only with the application for which that person is the project manager.

To create application groups:

1. In Shared Services Console, right-click Application Groups in the Object Palette, and select New.

The New Application Group page opens.

2. Enter a unique application group name and an optional description.

3. Perform the following actions to assign applications to this application group:

a. From the List Applications in Application Group list, select DefaultApplicationGroup or an existing application group.

b. Click Update List. The Available Applications list displays the applications that you can assign to the application group.

c. From the Available Applications list, select the applications to assign to the project and click Add.

The selected applications appear in the Assigned Applications list.

4. Click Finish.

5. Perform an action:

• Click Create Another to create another application group.

• Click OK to close the status page.


Summary

In this lesson, you should have learned to:

• Describe EPM System Configurator

• Configure Shared Services

• Configure external user directories

• Provision users and groups

• Generate provisioning reports

• Create application groups
