Managing Security for Users and Applications

Essbase provides a comprehensive system for managing access to applications, databases, and other objects. The Essbase security system provides protection in addition to the security available through your local area network.

About Security and Permissions

The Essbase security system addresses a wide variety of database security needs with a multilayered approach, so that you can develop the best plan for your environment. Various levels of permission can be granted to users and groups or defined at the system, application, or database scope. You can apply security in the following ways:

Table 22 describes all security permissions and the tasks that can be performed with those permissions.

Table 22: Description of Essbase Permissions

| Permission | Affected Scope | Description |
|---|---|---|
| No Access or None | Entire system, application, or database | No inherent access to any users, groups, or resources, unless access is granted globally or by means of a filter. No access is the default when creating an ordinary user. Users with "No Access" can change their own passwords. |
| Read | Database | Ability to read data values. |
| Write | Database | Ability to read and update data values. |
| Execute (or Calculate) | Entire system, application, database, or single calculation | Ability to calculate, read, and update data values for the assigned scope, using the assigned calculation. Supervisors, application designers for the application, and database designers for the database can run calculations without being granted execute access. |
| Database Designer | Database | Ability to modify outlines, create and assign filters, alter database settings, and remove locks/terminate sessions and requests on the database. A user with Database Designer permission in one database does not necessarily have that permission in another. |
| Application Designer | Application | Ability to create, delete, and modify databases within the assigned application. Ability to modify the application settings, including minimum permissions, remove locks on the application, terminate sessions and requests on the application, and modify any object within the application. You cannot create or delete an application unless you also have been granted the system-level Create/Delete Applications permission. A user with Application Designer permission in one application does not necessarily have that permission in another. |
| Filter Access | Database | Ability to access specific data according to the restrictions of a filter assigned to the user or group. The filter definition specifies, for subsets of a database, whether Read, Write, or No Access is allowed for each subset. A user or group can be granted only one filter per database. Filters can be used in conjunction with other permissions. For more information, see Controlling Access to Database Cells. |
| Create/delete applications | Entire system | Ability to create and delete applications and databases within those applications, and control permissions, locks, and resources for applications created. Includes designer permissions for the applications and databases created by this user. |
| Create/Delete Users, Groups | Entire system | Ability to create, delete, edit, or rename all users and groups having equal or lesser permissions than their own. |
| Supervisor | Entire system | Full access to the entire system and all users and groups. |



Granting Permissions to Users and Groups

You can define security permissions for individual users and groups. Groups are collections of users that share the same minimum permissions. Users inherit all permissions of the group and can additionally have access to permissions that exceed those of the group. Users and groups are managed on a server-by-server basis: users defined on a server exist for all applications and databases on the server.

Note: User and group management is also available when you use Essbase Administration Services. For more information, see Essbase Administration Services Online Help.

Permissions can be granted to users and groups in the following ways:

Specifying User and Group Types

One major way to assign permissions to users and groups is to define user and group types when you create or edit (modify the permissions of) the users and groups. You define these types in the New User or Edit User dialog boxes (see Figure 185 and Figure 187, respectively).

In Application Manager, users and groups can be created in different ways to specify their system-level (data-independent) permissions. These methods are represented in Application Manager and in Essbase Administration Services Console as user types. A description of these types follows. When using MaxL, you do not create user types: the user is created initially as an ordinary user with no permissions, and you grant the system-level permissions after the user is created.

For detailed instructions about creating users and groups in Application Manager, see Creating, Editing, and Copying Users and Groups.

Creating a User with Supervisor Permission

A user with Supervisor permission has full access to the entire system and all users and groups.

The user who installs Essbase on the server is designated the Essbase System Supervisor for that server. Essbase requires that at least one user on each server has Supervisor permission. Therefore, you cannot delete or downgrade the permission of the last supervisor on the server.

When creating or editing a user in Application Manager, the selection shown in Figure 177 gives the user Supervisor permission:

Figure 177: Supervisor permission

When using MaxL, create an ordinary user and then grant the role of supervisor in a separate statement. For example:

create user admin identified by 'password';
grant supervisor to admin; 

Creating an Ordinary User (No Permission)

Users with ordinary permission have no inherent access to any users, groups, or resources. When creating or editing a user in Application Manager, the selection shown in Figure 178 gives the user no permission:

Figure 178: Ordinary User Permission

Creating a User Who Can Create and Delete Users and Groups

Users with Create/Delete Users, Groups permission can create, delete, edit, or rename users and groups with equal or lower permissions only. When creating or editing a user in Application Manager, the selection shown in Figure 179 gives the user Create/Delete Users, Groups permission:

Figure 179: Create/Delete Users, Groups Permission

Creating a User Who Can Create and Delete Applications

Users with Create/Delete Applications permission can create and delete applications and control permissions and resources applicable to those applications or databases they created.

Users with Create/Delete Applications permission cannot create or delete users, but they can manage application-level permission for those applications that they have created. For more information on application-level permission, see Managing Global Security for Applications and Databases.

When creating or editing a user in Application Manager, the selection shown in Figure 180 gives the user Create/Delete Applications permission:

Figure 180: Create/Delete Applications Permission

Granting Application and Database Access to a User or Group

If you need to grant resource-specific permissions to users and groups that are not implied in any user types, you can grant the specific application or database permissions to users when creating or editing them in Application Manager or Administration Services. Using MaxL, you grant the permissions after the user is created by using the grant statement.

There is no need to grant permissions to users or groups that are already Supervisors; they have full privileges to all resources on the OLAP Server.

For details about resource-specific permissions that can be granted, see Table 23.

To grant or modify application or database permissions for a group, follow the instructions below, substituting the word "group" for "user."

To grant or modify application or database permissions for a user:

  1. Using Application Manager, select Security > Users/Groups.
  2. Select a user name, then click Edit User.
  3. In the Edit User dialog box, click App Access. (This button is disabled if the user being edited is a Supervisor.)

    Essbase displays this dialog box:

    Figure 181: User/Group Application Access Dialog Box

    The Applications list box shows all applications defined on the server to which you have access. When you select an application, the user's current access level for the selected application appears in the Access group.

  4. From the Applications list box, select the appropriate application and access option:
  5. Click OK to save the settings.

Granting Designer Permissions to a User or Group

Users and groups can be granted Application Designer or Database Designer permission for particular applications or databases. These permissions are useful for assigning administrative privileges to users who need to be in charge of particular applications or databases, but who only need ordinary user privileges for other purposes.

For a given database, users or groups can also be granted any of the following permissions: None, Filter Access, Read Only, Read/Write, and Calculate. (See Table .)

You need to grant database access to other users if:

To grant a user or a group access to databases within the selected application, use this procedure:

  1. In the Edit User dialog box, click App Access. The User/Group Application Access dialog box is displayed: see Figure 181.
  2. In the User/Group Application Access dialog box, select Access DBs. The DB Access button becomes available.

    Note: The DB Access button is disabled when the selected user is a Supervisor or Application Designer for the selected database, because these users already have Database Designer access to every database within the application.

  3. Click DB Access. Essbase displays the User Database Access dialog box, as shown in Figure 182.

    Figure 182: User Database Access Dialog Box

    The Database list box shows all databases defined within the application to which you have access. After you select a database, the access the user has for the selected database is displayed in the Access group.

    If the user or group is not a Supervisor, you can grant the following permissions, shown in Table 23:

  4. Select the appropriate database and the permissions you want to grant to the user or group.

    If you select the Calculate access level, the Calcs button is enabled. Clicking the Calcs button enables you to grant execution permission to a user for specific calculation scripts or all calculation scripts. Using Application Manager, Spreadsheet Add-in, or MaxL, users can execute any calculation scripts granted to them. When you click Calcs, Essbase displays the Execute Calc Scripts dialog box, as shown in Figure 183.

    Figure 183: Execute Calc Scripts Dialog Box

    When selected, the Allow All Calcs check box gives the user permission to run all calculation scripts stored on the application or database. Any calculation scripts defined afterward are added to the user's calculate privileges. Individual calculation script permission can be granted or revoked by leaving Allow All Calcs unselected, selecting the name of the script in one of the list boxes, and clicking Add or Remove.

    Note: By default, a Supervisor, Application Designer, or Database Designer can run all calculation scripts.

  5. Click OK to close the dialog box and save the settings.

Table 23: Permissions Available at the Database Scope

| Database permission | Description |
|---|---|
| None | Indicates no access to any object or data value in a database. |
| Filter Access | Indicates that data access is restricted to those filters assigned to the user. (For information about filters, see Controlling Access to Database Cells.) The Filter check box grants a filter object to a user or group. A user or group can be granted only one filter per database. Selecting this option or any other option except None enables the selection of a filter object from the list box. |
| Read Only | Indicates read permission: the ability to retrieve all data values. Report scripts can also be run. |
| Read / Write | Indicates that all data values can be retrieved and updated (but not calculated). The user can run, but cannot modify, Essbase objects. |
| Calculate | Indicates that all data values can be retrieved, updated, and calculated with the default calculation or any calculation for which the user has been granted permission to execute. |
| Database Designer | Indicates that all data values can be retrieved, updated, and calculated. In addition, all database-related files can be modified. |
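The rules in this section combine: a user holds the group's permissions as a minimum, and a Supervisor or Application Designer already has Database Designer access to every database in the application. The following Python sketch is an added example for access reviews, not Essbase code; the `Principal` structure, the level names, and the sample users, groups and calculation script names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Database-scope levels in the order Table 23 lists them; each level includes
# the ones before it. Filter Access is left out because the page says a filter
# is used in conjunction with other permissions, not ranked against them.
DB_LEVELS = ["none", "read", "write", "calculate", "db_designer"]


@dataclass
class Principal:
    """A user or group. Hypothetical structure, not an Essbase export format."""
    name: str
    supervisor: bool = False
    app_designer: set = field(default_factory=set)  # application names
    db_access: dict = field(default_factory=dict)   # (app, db) -> level
    calcs: dict = field(default_factory=dict)       # (app, db) -> script names, "*" = all
    groups: list = field(default_factory=list)      # group Principals (users only)


def own_level(p, app, db):
    """Level that one principal holds by itself on app.db."""
    # Supervisors and Application Designers already have Database Designer
    # access to every database within the application.
    if p.supervisor or app in p.app_designer:
        return "db_designer"
    return p.db_access.get((app, db), "none")


def effective_db_access(user, app, db):
    """Return (level, source): the highest level among the user and its groups."""
    candidates = [(own_level(user, app, db), f"user {user.name}")]
    candidates += [(own_level(g, app, db), f"group {g.name}") for g in user.groups]
    # max() keeps the first of equal candidates, so a direct grant wins ties.
    return max(candidates, key=lambda c: DB_LEVELS.index(c[0]))


def can_run_calc(user, app, db, script):
    """True if the user may run the named calculation script on app.db."""
    level, _ = effective_db_access(user, app, db)
    if level == "db_designer":       # designers and supervisors run all scripts
        return True
    if level != "calculate":
        return False
    # Assumption: script grants made to the user and to its groups add up.
    for p in [user, *user.groups]:
        allowed = p.calcs.get((app, db), set())
        if "*" in allowed or script in allowed:
            return True
    return False


def audit(users, app, db, limit="read"):
    """Users whose effective level on app.db is above `limit`, with the source."""
    cap = DB_LEVELS.index(limit)
    findings = []
    for u in users:
        level, source = effective_db_access(u, app, db)
        if DB_LEVELS.index(level) > cap:
            findings.append((u.name, level, source))
    return findings


# Constructed sample data (not taken from a real server).
FINANCE = Principal("Finance", db_access={("Sample", "Basic"): "write"})
PLANNERS = Principal("Planners",
                     db_access={("Sample", "Basic"): "calculate"},
                     calcs={("Sample", "Basic"): {"alloc"}})
USERS = [
    Principal("admin", supervisor=True),
    Principal("dan", app_designer={"Sample"}),
    Principal("fiona", db_access={("Sample", "Basic"): "read"}, groups=[FINANCE]),
    Principal("pat", groups=[PLANNERS]),
    Principal("guest"),
]

if __name__ == "__main__":
    for name, level, source in audit(USERS, "Sample", "Basic"):
        print(f"{name}: {level} (from {source})")
```

The `source` value shows which grant to change: fiona's direct Read grant is not what gives her Write access, the Finance group is.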



Creating, Deleting, and Changing Users and Groups

To help manage security between users and groups, the following user-management tasks are available at varying degrees to users with different permissions:

To manage users and groups using Application Manager:

  1. Connect to the server that houses the users or groups.
  2. Select Security > Users/Groups.

    Essbase displays the User/Group Security dialog box, as shown in Figure 184:

    Figure 184: User/Group Security Dialog Box

    The Users list box fills with the names of all users currently defined on this server. Similarly, the Groups list box fills with the names of all groups defined on this server. The five buttons to the right of each list box enable you to perform the functions of user and group management.

For more information on managing users and groups, see Creating, Editing, and Copying Users and Groups, Copying an Existing Security Profile, Deleting Users and Groups, or Renaming Users and Groups.

For information about lock management, and password and user name management, see Managing User Activity at the Server Level.

Tip: You can view lists of users and groups using methods other than Application Manager:

| Tool | Instructions | For more information |
|---|---|---|
| MaxL | display user or display group | Technical Reference in the docs directory |
| ESSCMD | LISTUSERS or LISTGROUPS | Technical Reference in the docs directory |
| Administration Services Console | Enterprise View > Security node | Essbase Administration Services Online Help |



Creating, Editing, and Copying Users and Groups

When you create, edit, or copy a user or a group, you define a security profile. This is where you define the extent of the permissions that users and groups have in dealing with each other and in accessing applications and databases. For more specific data-level security, see Controlling Access to Database Cells.

Creating a New User

To create a user means to define the user's name, password, and permission. You can also specify group membership for the user, and you can specify that the user is required to change the password at the next login attempt, or that the user name is disabled, preventing the user from logging in.

To create a new user using Application Manager:

  1. Select Security > Users/Groups.
  2. In the User/Group Security dialog box, select New User. Essbase displays the New User dialog box, as shown in Figure 185:

    Figure 185: New User Dialog Box

  3. Type the name of the new user in the Username text box.
  4. Select the type of authentication:
  5. In the Password text box, type the user's password. The password must be at least six characters long.

    As you type, Essbase masks your entry with asterisks.

  6. Retype the user's password in the Confirm Password text box. You must type the password exactly as you did in the Password text box.

    Note: Passwords are not case-sensitive.

  7. To force the user to change the password at the next login attempt, select User Must Change Password at Next Login. This option enables you to assign a generic password to all new users, which they will have to change when they begin using the system.

    At the next login attempt, the user is prompted to change the password in the Change Password dialog box, shown in Figure 188.

  8. To lock the user out from the system, select Username Disabled. Only a system administrator (a user with Supervisor permission) can re-enable the user name.
  9. Select the type of user to create from the User Type group. If you are not sure which type of user to create, see Specifying User and Group Types. If you do not have sufficient permission to create a class of user, those options are disabled.
  10. To assign the user to a group, click Groups.

    Essbase displays the Group Membership dialog box as shown in Figure 186.

    Figure 186: Group Membership Dialog Box

    The Not member of list box contains the names of all groups on the server to which this user does not belong.

    1. Select a group from the list and click Add to add the user to that group. Similarly, you can click Remove to remove a user from a group listed in the Member of list box.
    2. Click OK to finalize the addition or removal and return to the New User dialog box.

  11. To assign application and database access to the user, click App Access from the New User dialog box. See Granting Application and Database Access to a User or Group for more information.
  12. Click OK to add the new user to the server. Essbase updates the Users list box (in the User/Group Security dialog box) with the new user.

Tip: You can create users and add them to groups using methods other than Application Manager:

| Tool | Instructions | For more information |
|---|---|---|
| MaxL | create user or alter user | Technical Reference in the docs directory |
| ESSCMD | CREATEUSER, ADDUSER, REMOVEUSER | Technical Reference in the docs directory |
| Essbase Administration Services Console | Enterprise View > right-click Users node > add a user. | Essbase Administration Services Online Help |



Editing a User

To edit a user means to modify the security profile established when the user was created. The dialog boxes for editing a user and for creating a new one are exactly the same (except for their titles).

  1. Select Security > Users/Groups.
  2. Select the user whose profile you want to edit and click Edit User in the User/Group Security dialog box.

    Essbase displays the Edit User dialog box as shown in Figure 187.

    Figure 187: Edit User Dialog Box

  3. To change the user's password, type the new password in the Password text box. The password must be at least six characters long. As you type, Essbase masks your typing with asterisks.
  4. Retype the user's password in the Confirm Password text box. You must type the password exactly as you did in the Password text box.

    Note: Passwords are not case-sensitive.

  5. To force the user to change the password at the next login attempt, check User Must Change Password at Next Login.

    Note: If you are changing a user for external authentication, see the instructions in Managing External Authentication.

    When this user tries to log in using the old password, he or she will be prompted to first change the password in the Change Password dialog box, as shown in Figure 188.

    Figure 188: Change Password Dialog Box

  6. To prevent the user from logging in, check Username Disabled (in the Edit User dialog box). Only a system administrator (a user with Supervisor permission) can re-enable the username.
  7. To change the user's group membership, click Groups.
  8. To change the user's application access, click App Access.
  9. Click OK to save the user's new security profile on the server. Essbase updates the server security file with the changes.

You cannot change the names of users from the Edit User dialog box. Use the Rename User button, described in Renaming Users and Groups.

Tip: You can change a user's password or other properties using methods other than Application Manager:

| Tool | Instructions | For more information |
|---|---|---|
| MaxL | alter user | Technical Reference in the docs directory |
| ESSCMD | SETPASSWORD | Technical Reference in the docs directory |
| Administration Services Console | In Enterprise View, right-click a user, and edit the user. | Essbase Administration Services Online Help |



Creating or Editing a Group

A group is a collection of users who share the same minimum access permissions. Placing users in groups can save you the time of assigning identical permissions to users again and again.

Note: A member of a group may have permissions beyond those assigned to the group, if permissions are also assigned individually to that user.

The process for creating, editing, or copying groups is the same as that for users, except that there are no group passwords. You define group names and permissions just as you would for users.

When you create a new user, you can assign the user to a group. Similarly, when you create a new group, you can assign users to the group. You must define a password for each user; there are no passwords for groups.

To create a new group or edit an existing group using Application Manager:

  1. Select Security > Users/Groups.

    Essbase displays the User/Group Security dialog box (see Figure 184).

  2. To create a new group, click New Group.

    To edit an existing group, select the group you want to edit and click Edit Group. Then follow these instructions; they are the same as for creating a new group.

    Note: You cannot rename a group from the Edit Group dialog box; use the Rename Group button, described in Renaming Users and Groups.

    Essbase displays the New Group dialog box, as shown in Figure 189, or the Edit Group dialog box:

    Figure 189: New Group Dialog Box

  3. In the Group name text box, type the name of the group.
  4. Select the type of group to create from the Group Type group. If you do not have sufficient permission to assign a group to a certain type, those options are not selectable.
  5. To assign users to the group:
  6. To assign application and database access to the group, click App Access from the New Group dialog box. Click Help, or see Granting Application and Database Access to a User or Group for more information.
  7. Click OK to add the new group. Essbase updates and displays the Groups list box in the User/Group Security dialog box.

To view a list of users in a group, click Edit Group and then click Users. The Members list box of the User/Group Security dialog box contains a list of the group's users.

Tip: You can create groups and view or change group membership using methods other than Application Manager:

| Tool | Instructions | For more information |
|---|---|---|
| MaxL | display user in group or create group. | Technical Reference in the docs directory |
| ESSCMD | LISTGROUPUSERS or CREATEGROUP | Technical Reference in the docs directory |
| Administration Services Console | In Enterprise View, right-click a user, and edit the user | Essbase Administration Services Online Help |



Copying an Existing Security Profile

An easy way to create a new user with the same permissions as another user is to copy the security profile of an existing user. The new user is assigned the same user type, group membership, and application/database access as the original user.

You can also create new groups by copying the security profile of an existing group. The new group is assigned the same group type, user membership, and application access as the original group.

Note: "Copy to New" filters any security permissions the creator does not have from the copy. For example, a user with Create/Delete Users permission cannot create a new supervisor by copying the profile of an existing supervisor.
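The delegation rules stated in this chapter (Create/Delete Users, Groups reaches only accounts with equal or lesser permissions, Copy to New drops permissions the creator lacks, and the last supervisor cannot be deleted) can be checked together. The following Python sketch is an added example, not Essbase code; it models system-level permissions as a set and treats "equal or lesser" as a subset test, which is an assumption, and the account names are constructed.

```python
# Added example: system-level permissions modeled as a set (assumption).
SUPERVISOR = "supervisor"
CREATE_USERS = "create_users"   # Create/Delete Users, Groups
CREATE_APPS = "create_apps"     # Create/Delete Applications
ALL_SYSTEM = frozenset({SUPERVISOR, CREATE_USERS, CREATE_APPS})


def effective_system(perms):
    """A Supervisor has full access, so it implies every system permission."""
    return ALL_SYSTEM if SUPERVISOR in perms else frozenset(perms)


def can_manage(actor_perms, target_perms):
    """True if the actor may create, delete, edit, or rename the target.

    Requires Create/Delete Users, Groups, and the target's permissions must be
    equal to or lesser than the actor's (modeled here as a subset).
    """
    actor = effective_system(actor_perms)
    return CREATE_USERS in actor and effective_system(target_perms) <= actor


def copy_to_new(actor_perms, source_perms):
    """Permissions the copied profile receives after filtering."""
    actor = effective_system(actor_perms)
    if CREATE_USERS not in actor:
        raise PermissionError("actor cannot create users")
    # Anything the creator does not hold is removed from the copy.
    return frozenset(source_perms) & actor


def delete_user(directory, actor, target):
    """Delete `target` from `directory` (name -> set of system permissions)."""
    if not can_manage(directory[actor], directory[target]):
        raise PermissionError(f"{actor} may not delete {target}")
    supervisors = [n for n, p in directory.items() if SUPERVISOR in p]
    if supervisors == [target]:
        # At least one user on each server must keep Supervisor permission.
        raise ValueError("cannot delete the last supervisor on the server")
    del directory[target]


def sample_directory():
    """Constructed accounts for the demonstration below."""
    return {
        "admin": {SUPERVISOR},
        "helpdesk": {CREATE_USERS},
        "builder": {CREATE_APPS},
        "guest": set(),
    }


if __name__ == "__main__":
    d = sample_directory()
    # helpdesk copies the supervisor's profile: the copy is an ordinary user.
    print(sorted(copy_to_new(d["helpdesk"], d["admin"])))
    print(can_manage(d["helpdesk"], d["guest"]))    # True
    print(can_manage(d["helpdesk"], d["admin"]))    # False
    print(can_manage(d["builder"], d["guest"]))     # False
```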

Copying a User Profile

To copy a user or group means to duplicate the security profile of an existing user or group, and to give it a new name. It is helpful to copy users and groups because it saves you the time of reassigning permissions in cases where you want them to be identical.

To create a new user by copying the security profile of an existing user:

  1. Using Application Manager, select Security > Users/Groups.

    Essbase displays the User/Group Security dialog box (see Figure 184).

  2. Select the name of the user whose profile you want to copy.
  3. Click Copy to New. Essbase displays this dialog box:

    Figure 190: Copy User Dialog Box

  4. In the Username text box, type the name of the new user.
  5. Enter a password in the Password text box, different from the original user's password if desired. The password must be at least six characters long. As you type, Essbase masks your typing with asterisks.
  6. Retype the user's password in the Confirm Password text box. You must type the password exactly as you did in the Password text box.

    Note: Passwords are not case-sensitive.

  7. To force the new user to change the password at the next login attempt, select User Must Change Password at Next Login.
  8. To prevent the new user from logging in, select Username Disabled. (This option and the preceding option are also available from the New User and Edit User dialog boxes.)

    Only a user with Supervisor permission can reactivate the user name.

  9. To change the new user's system-wide permission, select the new permission from the User Type group. If you do not have sufficient permission to grant a certain permission to the user, that option is not selectable.
  10. To change the new user's group membership, click Groups.
  11. To change the new user's application access, click App Access.
  12. Click OK to save the new user's security profile on the server. Essbase updates the server security file with the changes.

Copying a Group Profile

To create a new group by copying the security profile of an existing group:

  1. Using Application Manager, select Security > Users/Groups.

    Essbase displays the User/Group Security dialog box (see Figure 184).

  2. Select the name of the group you want to copy.
  3. Click Copy to New. Essbase displays this dialog box:

    Figure 191: Copy Group Dialog Box

  4. Type the name of the new group in the Group name text box.
  5. To change the new group's user-type (system-level permission), choose the new type from the Group Type area. If you do not have sufficient permission to assign a certain permission to the group, that option is disabled.
  6. To create the new group's membership list, select Users.

    The Group Membership dialog box is displayed.

    For more information on using the Group Membership dialog box to assign users to groups, click Help, or see the instructions accompanying Figure 186.

  7. To grant application-wide or database-wide permissions to all members of the group, click App Access.
  8. Click OK to save the new group's security profile on the OLAP Server. Essbase updates the server security file with your changes.

Deleting Users and Groups

To delete a user using Application Manager:

  1. Choose Security > Users/Groups.

    Essbase displays the User/Group Security dialog box (see Figure 184).

  2. Select the name of the user you want to delete in the Users list box.
  3. Click Delete User. Essbase displays this confirmation box:

    Figure 192: Delete User Confirmation Box

  4. Click Yes to delete the user, or click No to cancel the delete operation.

    If you choose to delete the user, Essbase updates the Users list box and the server security file with your changes. Essbase automatically deletes users from all groups to which they belong.

To delete a group using Application Manager:

  1. Select Security > Users/Groups.

    Essbase displays the User/Group Security dialog box (see Figure 184).

  2. In the Groups list box, select the name of the group you want to delete.
  3. Click Delete Group.

    Members of the group are not affected by this operation, except that they will no longer be a member of the deleted group.

    When you click Delete Group, Essbase displays the Delete Group confirmation box as shown in Figure 193.

    Figure 193: Delete Group Confirmation Box

  4. Click Yes to delete the group, or click No to cancel the delete operation.

    If you choose to delete the group, Essbase updates the Groups list box and the server security file with your changes.

Tip: You can delete users and groups using methods other than Application Manager:

| Tool | Instructions | For more information |
|---|---|---|
| MaxL | drop group or drop user | Technical Reference in the docs directory |
| ESSCMD | DELETEGROUP or DELETEUSER | Technical Reference in the docs directory |
| Administration Services Console | In Enterprise View, right-click the user, and select delete | Essbase Administration Services Online Help |



Renaming Users and Groups

To rename a user using Application Manager:

  1. Select Security > Users/Groups.

    Essbase displays the User/Group Security dialog box (see Figure 184).

  2. Select the name of the user in the Users list box.
  3. Click Rename User.

    Essbase displays the Rename User dialog box as shown in Figure 194.

    Figure 194: Rename User Dialog Box

  4. Type the new name for the user in the New Name text box.
  5. Click OK to rename the user.

    Essbase updates the Users list box and the server security file with your changes. User names are automatically updated in all groups to which the user belongs.

To rename a group using Application Manager:

  1. Select Security > Users/Groups.

    Essbase displays the User/Group Security dialog box (see Figure 184).

  2. Select the name of the group in the Groups list box.
  3. Click Rename Group.

    Essbase displays the Rename Group dialog box as shown in Figure 195.

    Figure 195: Rename Group Dialog Box

  4. Type the new name for the group in the New Name text box.
  5. Click OK to rename the group.

    Essbase updates the Groups list box and the server security file with your changes. Members of the group are not affected by this operation.

Tip: You can rename users and groups using methods other than Application Manager:

| Tool | Instructions | For more information |
|---|---|---|
| MaxL | alter group and alter user | Technical Reference in the docs directory |
| ESSCMD | RENAMEUSER | Technical Reference in the docs directory |
| Administration Services Console | In Enterprise View, right-click the user, and select Rename. | Essbase Administration Services Online Help |



Viewing and Modifying User Permissions

In Application Manager, you can grant or modify user and group application and database permissions from an edit-user standpoint or from an application or database security perspective. The results are the same.

To grant privileges by editing a user or group, see Granting Permissions to Users and Groups.

To grant user-and-group permissions from an application perspective:

  1. From the Application Desktop window, select the application name.
  2. Select Security > Application.

    Essbase displays the Application Access dialog box.

  3. To view the current permissions for a user or group, select the user or group name from the Users/Groups list box. The Access group shows the current permission for the selected user or group. Click Help for information on each setting.
  4. To modify the current application permissions for the selected user or group, select the appropriate permission from the Access group.
  5. To define access to databases within the application, select DB Access from the Application Access dialog box.
  6. Click OK to save the settings.

To grant user-and-group permissions from a database perspective:

  1. From the Application Desktop window, select the application and database name.
  2. Select Security > Database. Essbase displays the Database Access dialog box. The Users/Groups list box shows all users and groups on the server. To view the current settings for the user or group, select a name from the list. Click Help for information on each setting.
  3. To modify the current permission for a user or group, select the user or group name from the list box and select the permission you want to grant. For information about permissions available to access databases, see Table 23.
  4. Click OK to save the settings.

Note: If a user has insufficient permission to access the data in a database, the value does not show up in the spreadsheet, or shows up as #NOACCESS.

Managing External Authentication

To use external authentication of users instead of assigning an Essbase password for logins, use this procedure:

  1. Check the AUTHENTICATIONMODULE configuration setting in your server configuration file essbase.cfg, and if you must make any changes, restart OLAP Server.
  2. Create a user with either Application Manager or Essbase Administration Services. This procedure shows the Application Manager method:
    1. Follow the instructions in Creating a New User through Step 5. If you are modifying an existing user, select Security > Users/Groups from the menu, select the appropriate user from the list which appears, and click Edit User.
    2. In the Authentication box, select External.
    3. Enter the protocol, for example LDAP. This should be the same as the authentication module name in the AUTHENTICATIONMODULE entry in your server configuration file essbase.cfg.
    4. Enter the authentication parameters, one or more from the AUTHENTICATIONMODULE parameter list in your server configuration file essbase.cfg.
    5. Finish creating the new user with the instructions in Creating a New User, beginning with Step 8. If you are modifying an existing user, make any other relevant changes, then click OK.

Note: For an Essbase Administration Services method of creating users with external authentication, see Essbase Administration Services Online Help.

Managing Global Security for Applications and Databases

In addition to granting permissions to users and groups, you can change security settings for entire applications and databases and their related files and resources. Application and database security settings enable you to manage connections and create a lowest-common-security profile for the applications and databases.

This section contains the following subsections:

Defining Application Settings

You can define permissions and other security settings that apply to applications by changing the application settings. The settings you define for the application affect all users, unless they have higher privileges granted to them at the user level.

Only users with Supervisor permission (or Application Designer permission for the application) can change application settings.

To define settings for an application:

  1. Connect to the appropriate server and select the name of the application you want to secure.
  2. Select Application > Settings. (This command is unavailable to users with insufficient privileges to define application settings.)

    Essbase displays the Application Settings dialog box as shown in Figure 196.

    Figure 196: Application Settings Dialog Box

  3. Define the settings that you want to apply to the application.

    For information on the setting types, see either Setting General Application Connection Options or Setting Application and Database Minimum Permissions.

Setting General Application Connection Options

You can define security and connection options using either Application Manager or Administration Services. Select the General tab in the Application Properties window to define the security options using Administration Services.

The following application settings are available in Application Manager:

The following settings are available for various levels of application security. For information about how and when disabling of these settings takes effect, see Table 24.

Table 24 describes when the implementation of protective application settings takes effect, how long the effects last, and which users are affected.

Table 24: Scope and Persistence of Application-Protection Settings

| Disabled Application Setting | When the Disabled Setting Takes Effect | Which Users are Affected by the Disabled Setting | Persistence of the Disabled Setting |
|---|---|---|---|
| Allow Application to Start | Immediately | All users, including supervisors. Users currently logged in and users who log in later. | The application cannot be started until an administrator re-enables the start-up setting. |
| Start When Essbase Starts | Immediately | All users. | The application will not start with Essbase unless an administrator enables it. |
| Allow Commands | Immediately | All users, including supervisors. Users currently logged in and users who log in later. | Commands are disabled until any of the following occurs: (1) The administrator who disabled commands logs out. (2) The application is stopped and restarted. (3) An administrator re-enables commands. |
| Allow Connects | Immediately, except that disabling connections does not affect users who already have databases loaded. | Users with permissions lower than Application Designer. Users currently logged in and users who log in later. Users already connected to the database are not affected. | Connections are disabled until any of the following occurs: (1) The application is stopped and restarted. (2) An administrator re-enables connections. |
| Allow Updates | Immediately | All users, including supervisors. Users currently logged in and users who log in later. | Updates are disabled until any of the following occurs: (1) The administrator who disabled updates logs out. (2) The application is stopped and restarted. (3) An administrator re-enables updates. |
| Enable Security | Immediately | All users, including supervisors. Users currently logged in and users who log in later. | Security is disabled until a user re-enables security. |



The application settings can also be accessed in the following interfaces:

Important: If performing maintenance operations that require disabling commands or updates, make those maintenance operations within the same session as the one in which the setting was disabled.

If you disable commands or updates in a MaxL script, be aware that the end of the script constitutes the end of the session. Calling a nested MaxL or ESSCMD script from the current MaxL script also constitutes the end of the session.

If you disable commands or updates in an ESSCMD script, the end of the script constitutes the end of the session, but calling a nested ESSCMD script from the current ESSCMD script does not constitute the end of the session.

Caution: Never power down or reboot your client computer when you have cleared any of the Allow settings. (Always select Server > Disconnect to log out from the server.) Improper shutdown can cause the application to become inaccessible, which requires a full application shutdown and restart.

If a power failure or system problem causes OLAP Server to improperly disconnect from the Essbase client, and your application is no longer accessible, you must shut down and restart the application. See Running Essbase Servers, Applications, and Databases for more information.

Setting Application and Database Minimum Permissions

Minimum database access permissions can be specified at the application or database level. If specified for an application, minimum database access permissions apply to all databases within the application. When a minimum permission is set to a level higher than None (or No Access) for an application or database, all users on the OLAP Server inherit that permission to access the database or databases.

For example, if an application has Read privilege assigned as the minimum database access level, all users can read any database within that application, even if their individual permissions do not include Read access. Similarly, if a database has a minimum permission setting of None, only users with sufficient granted permissions (granted directly, or implied by filters or group membership) can gain access to the database.

Users with Supervisor, Application Designer, or Database Designer permissions are not affected by minimum-permission settings applied to applications or databases they own. Supervisors have full access to all resources, and Application Designers and Database Designers have full access for their applications or databases.

Users and groups with lower than the minimum permissions inherit at least the minimum permissions for any applications or databases. For information on application and database permissions granted to individual users or groups, see Granting Application and Database Access to a User or Group.

Changes to the minimum permission settings for applications affect only those databases that have lower minimums. In other words, settings defined at a lower level take precedence over more global settings.

The permissions listed in Table 25 are available as minimum settings for applications and databases. Databases of an application inherit the permissions of the applications whenever the application permissions are set higher than those of the database.

Table 25: Minimum Permission Settings Available for Applications and Databases

| Permission | Description |
|---|---|
| None | Specifies that no minimum permission has been defined for the application or database. This is the default global permission for newly created applications and databases. |
| Read | Specifies Read-Only access to any object or data value in the application or database. Users can view files, retrieve data values, and run report scripts. Read access does not permit data-value updates, calculations, or outline modifications. |
| Write | Specifies Update access to any data value in the databases of the application, or in one database. Users can view Essbase files, retrieve and update data values, and run report scripts. Write access does not permit calculations or outline modifications. |
| Calculate | Specifies Calculate and update access to any data value in the databases of the application, or in one database. Users can view files, retrieve, update, and perform calculations based on data values, and run report and calculations scripts. Calculate access does not permit outline modifications. |
| Designer (for Application or Database) | Specifies Calculate and update access to any data value in the databases of the application, or in one database. In addition, Designer permission enables users to view and modify the outline and files, retrieve, update, and perform calculations based on data values, and run report and calculation scripts. |
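The inheritance rules described above, combined with the level order of Table 25, can be checked mechanically when reviewing who can actually reach a database. The following Python sketch is an added example, not Hyperion code: it models only minimum permissions and explicit grants (filters and group membership are left out), and every application, database, and user name in it is constructed.

```python
from enum import IntEnum


class Access(IntEnum):
    """Minimum-permission levels in the order Table 25 lists them."""
    NONE = 0
    READ = 1
    WRITE = 2
    CALCULATE = 3
    DESIGNER = 4


def database_minimum(app_min, db_min):
    """A database inherits the application minimum whenever that is higher."""
    return max(app_min, db_min)


def effective_access(granted, app_min, db_min):
    """Every user gets at least the database's effective minimum."""
    return max(granted, database_minimum(app_min, db_min))


def audit(app_minimums, db_minimums, grants, supervisors=frozenset()):
    """List (user, database, granted, effective) wherever a minimum setting,
    not an explicit grant, decides what the user can do."""
    findings = []
    for (app, db), db_min in sorted(db_minimums.items()):
        app_min = app_minimums.get(app, Access.NONE)
        for user in sorted(grants):
            if user in supervisors:  # full access already; minimums are moot
                continue
            granted = grants[user].get((app, db), Access.NONE)
            effective = effective_access(granted, app_min, db_min)
            if effective > granted:
                findings.append((user, f"{app}.{db}", granted.name, effective.name))
    return findings


# Constructed sample data (hypothetical applications, databases and users).
APP_MINIMUMS = {"Sample": Access.READ, "Finance": Access.NONE}
DB_MINIMUMS = {
    ("Sample", "Basic"): Access.NONE,      # inherits Read from the application
    ("Sample", "Interntl"): Access.WRITE,  # database minimum above the application's
    ("Finance", "Plan"): Access.NONE,      # explicit grants only
}
GRANTS = {
    "admin": {},
    "alice": {("Sample", "Basic"): Access.WRITE},
    "bob": {},
    "carol": {("Finance", "Plan"): Access.READ},
}
SUPERVISORS = frozenset({"admin"})

if __name__ == "__main__":
    for row in audit(APP_MINIMUMS, DB_MINIMUMS, GRANTS, SUPERVISORS):
        print("%-6s %-16s granted=%-5s effective=%s" % row)
```

Each row the audit returns is a user whose access comes from a minimum setting alone, which is the access that remains if their explicit grants are removed.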



To set minimum permissions for an application:

  1. Connect to the appropriate server and select the name of the application.
  2. Select Application > Settings. (This menu command is unavailable to users with insufficient permission to define application settings.)

    Essbase displays the Application Settings dialog box (Figure 196).

  3. Define the permissions that you want to apply to the application. For information about the permissions, see Table 25.

    The minimum permission settings are in the Minimum Database Access group.

To set minimum permissions for a database:

  1. Connect to the appropriate server and select the name of the application that contains the database you want to secure.
  2. Select the database name.
  3. Select Database > Settings. (This menu command is unavailable to users with insufficient privileges to define application settings.)

    Essbase displays the Database Settings dialog box as shown in Figure 197.

    Figure 197: Database Settings Dialog Box

  4. In the Database Access group of the General tab, define the permissions that you want to apply to the database. For information about the permissions, see Table 25.

    The minimum permission settings are in the Database Access group.

    Note: Although any user with a minimum of Read access to a database can start the database, only a Supervisor, a user with Application Designer privilege for the application, or a user with Database Designer privilege for the database can stop the database.

Managing User Activity at the Server Level

This section explains how to manage the activities of users connected to the server. The security concepts explained in this section are session and request management, lock management, connection management, and password/user name management. For information about managing security for partitioned databases, see Designing Partitioned Applications.

Disconnecting Users and Terminating Requests

The security system lets you disconnect a user from the Essbase server when you want to perform maintenance tasks.

To view sessions, disconnect sessions, or terminate requests, you must have Supervisor permission or Application Designer permission for the specified application. You can view or terminate only sessions or requests for users with permissions equal to or lesser than your own.

A session is the time between login and logout for a user connected to Essbase OLAP Server at the system, application, or database scope. A user can have more than one session open at any given time. For example, a user may be logged on to different databases. If you have the appropriate permissions, you can log off sessions based on any criteria you choose; for example, an administrator can log off a user from all databases or from a particular database.

A request is a query sent to OLAP Server by a user or by another process; for example, a default calculation of a database, or a restructuring of the database outline. Each session can process only one request at a time.

To disconnect a session or request:

  1. In Application Manager, choose Security > Connections.

    Essbase displays the Connections dialog box as shown in Figure 198.

    Figure 198: Connections Dialog Box

    If you have Supervisor permission, this dialog box lists the following:

  2. To disconnect users or terminate requests, use the drop-down list boxes and optionally select a user session from the grid. (You do not need to select a session from the grid if you are going to terminate multiple sessions at once.)

    Table 26 lists the selection combinations available by selecting options from the list boxes, and their equivalent MaxL statements. The log off options are for terminating a user's session. The kill options are for terminating specific requests within any session without logging out the user's entire session.

    Though not listed below, the Use Force check box is also available when a log off option is selected. This check box is useful when you want to terminate a session or sessions while at least one of those sessions is running a request that is currently processing or is not responding. The MaxL equivalent to Use Force is to include the "force" keyword after any statement for logging off a user; for example, alter system logout session <session-id> force;.

  3. Click Apply to execute the operation indicated by your list-box selections. Click Refresh to update your view to see the latest session and request activity on the OLAP Server. Click Cancel to exit the Connections dialog box without terminating any sessions or requests.

Note: You cannot terminate a restructure process. If you attempt to terminate it, a "command not accepted" error is returned, and the restructure process is not terminated.

Table 26: Session and Request Termination Options

| Selections in Application Manager | MaxL equivalents |
|---|---|
| log off selected user only | alter system logout session <session-id>; |
| log off all users on selected server | alter system logout session all; |
| log off all users on selected application | alter system logout session on application <app-name>; |
| log off all users on selected database | alter system logout session on database <dbs-name>; |
| log off all instances of user on selected server | alter system logout session by user <user-name>; |
| log off all instances of user on selected application | alter system logout session by user <user-name> on application <app-name>; |
| log off all instances of user on selected database | alter system logout session by user <user-name> on database <dbs-name>; |
| kill selected request only | alter system kill request <session-id>; |
| kill all requests on selected server | alter system kill request all; |
| kill all requests on selected application | alter system kill request on application <app-name>; |
| kill all requests on selected database | alter system kill request on database <dbs-name>; |
| kill all requests from user on selected server | alter system kill request by user <user-name>; |
| kill all requests from user on selected application | alter system kill request by user <user-name> on application <app-name>; |
| kill all requests from user on selected database | alter system kill request by user <user-name> on database <dbs-name>; |


Managing User Locks

Essbase Spreadsheet Add-in users can interactively send data from a spreadsheet to the server. To maintain data integrity while providing multiple-user concurrent access, Essbase enables users to lock data for the purpose of updating it. Users who want to update data must first lock the records to prevent other users from trying to change the same data.

Occasionally, you may need to force an unlock operation. For example, if you attempt to calculate a database that has active locks, the calculation must wait when it encounters a lock. By clearing the locks, you allow the calculation to resume.

Only Supervisors can view users holding locks and remove their locks.

To view or remove locks:

  1. Select Security > Locks.

    Essbase displays the Database Locks dialog box as shown in Figure 199.

    Figure 199: Database Locks Dialog Box

    The Database Locks dialog box displays a list of users who currently have at least one block locked. It also indicates the number of blocks that are locked, and the amount of time, in seconds, that the blocks have been locked.

  2. To remove a lock, select the user name and click Remove Locks. Removing a user's lock forces a logout of that user's session.

    You can also use the REMOVELOCKS command in ESSCMD to perform this task. See the Technical Reference in the docs directory for information.

Managing Passwords and User Names

You can place limitations on the number of login attempts users are allowed, on the number of days users may not use Essbase before becoming disabled from the server, and on the number of days users are allowed to have the same passwords. Only system administrators (users with Supervisor privilege) can access these settings. The limitations apply to all users on the server, and are effective immediately upon clicking OK.

To place limitations on users:

  1. Select Server > Settings.

    Essbase displays the Server Settings dialog box as shown in Figure 200.

    Figure 200: Server Settings Dialog Box

    The Password Management option group contains the settings for user management. A setting of 0 for any option means that parameter is turned off; therefore, you must enter at least 1 to apply limitations.

  2. To limit the number of unsuccessful login attempts you want to allow before the user becomes locked out from the server, enter the maximum number of attempts to allow in the first text box of the Password Management group.

    Note: If you return to the Server Settings dialog box later and change the number of unsuccessful login attempts allowed, Essbase resets the count for all users. For example, if the setting was 15 and you changed it to 20, all users would be allowed 20 new attempts. If you changed the setting to 2, a user who had already exceeded that number when the setting was 15 would not be locked out. The count returns to 0 for each change in settings.

  3. To limit the number of inactive days allowed before the user becomes locked out from the server, enter the number of days in the second text box of the Password Management group.

    The timer starts for all users as soon as you click OK, and it is reset for particular users each time they log in or are reactivated or edited by Supervisors.

  4. To limit the number of days any user can log in with the same password, enter the number of days in the third text box.

    The timer starts for all users as soon as you click OK, and it is reset for particular users each time they change their passwords or are reactivated or edited by Supervisors.

Viewing or Activating Disabled User Names

A user name becomes disabled when the user exceeds limitations specified in the Server Settings dialog box (see Managing Passwords and User Names), or because a system administrator has disabled the user name at the user level. To learn how to disable a user name, see Editing a User.

To view or activate currently disabled user names:

  1. Select Security > Disabled Usernames.

    Essbase displays the Disabled Usernames dialog box, shown in Figure 201, which lists all disabled user names:

    Figure 201: Disabled Usernames Dialog Box

  2. To activate a user, select the user name from the list box and click Enable.

    Essbase displays the Confirm Activate confirmation box as shown in Figure 202.

    Figure 202: Confirm Activate Confirmation Box

  3. Click Yes to confirm that you want to activate the selected user name, or click No to leave it disabled.

Note: Only a system administrator (a user with Supervisor permission) can view or reactivate disabled user names.

The ESSBASE.SEC Security File

All information about users, groups, passwords, privileges, filters, applications, databases, and their corresponding directories is stored in the ESSBASE.SEC file in your $ARBORPATH\Bin directory. Each time you successfully start the Agent, a backup copy of the security file is created as essbase.bak.

If you attempt to start the Agent and cannot get a password prompt or your password is rejected, no .bak file is created. You can restore from the last successful startup by copying essbase.bak to essbase.sec. Both files are in the bin directory where you installed OLAP Server.
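The restore described above overwrites the only copy of the security file the Agent rejected, which is the file you would want to examine afterwards. The following Python sketch is an added example, not a Hyperion utility: it keeps the rejected file under a new name, verifies the copy, and then swaps it in. The lowercase file names follow the paragraph above; the `.rejected-` and `.restoring` suffixes are assumptions chosen for this example, and the script is meant to run only while the Agent is stopped.

```python
import hashlib
import os
import shutil
import sys
import time
from pathlib import Path


def sha256_of(path):
    """Hex digest of a file, used to confirm the copy is byte-identical."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def restore_security_file(bin_dir, stamp=None):
    """Copy essbase.bak over essbase.sec in bin_dir, keeping the rejected file.

    Returns the path of the preserved copy of the previous essbase.sec,
    or None if no essbase.sec was present.
    """
    bin_dir = Path(bin_dir)
    sec = bin_dir / "essbase.sec"
    bak = bin_dir / "essbase.bak"
    if not bak.is_file() or bak.stat().st_size == 0:
        raise FileNotFoundError(f"no usable backup at {bak}")

    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")
    kept = None
    if sec.exists():
        # Preserve the file the Agent would not accept (assumed naming).
        kept = bin_dir / f"essbase.sec.rejected-{stamp}"
        shutil.copy2(sec, kept)
        # The file holds users and passwords: owner-only where the OS honours it.
        os.chmod(kept, 0o600)

    # Copy to a temporary name first so a failed copy never replaces essbase.sec.
    tmp = bin_dir / "essbase.sec.restoring"
    shutil.copy2(bak, tmp)
    if sha256_of(tmp) != sha256_of(bak):
        tmp.unlink()
        raise OSError("copy of essbase.bak does not match the original")
    os.replace(tmp, sec)
    return kept


if __name__ == "__main__":
    # Usage: python restore_sec.py <path to the bin directory>
    print(restore_security_file(sys.argv[1]))
```

Because essbase.bak is rewritten at every successful Agent start, copy it elsewhere before restarting if you also want to keep the known-good version.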




© 2002 Hyperion Solutions Corporation. All rights reserved.
http://www.hyperion.com