Essbase provides a comprehensive system for managing access to applications, databases, and other objects. The Essbase security system provides protection in addition to the security available through your local area network.
This chapter contains the following sections:
The Essbase security system addresses a wide variety of database security needs with a multilayered approach that lets you develop the best plan for your environment. Various levels of permission can be granted to users and groups, or defined at the system, application, or database scope. You can apply security in the following ways:
You can create users who log in using an external authentication protocol instead of the Essbase password. If you want users to use an outside authentication module such as LDAP, you must add an entry to the server configuration file essbase.cfg, and create the Essbase users with a reference to the external authentication. For more information, see Managing External Authentication.
Table 22 describes all security permissions and the tasks that can be performed with those permissions.
| Permission | Affected Scope | Description |
|---|---|---|
| No Access | User (the ordinary user type) or database | No inherent access to any users, groups, or resources, unless access is granted globally or by means of a filter. No Access is the default when creating an ordinary user. Users with No Access can change their own passwords. |
| Calculate | Database | Ability to calculate, read, and update data values for the assigned scope, using the assigned calculation. Supervisors, Application Designers for the application, and Database Designers for the database can run calculations without being granted execute access. |
| Database Designer | Database | Ability to modify outlines, create and assign filters, alter database settings, and remove locks or terminate sessions and requests on the database. |
| Application Designer | Application | Ability to create, delete, and modify databases within the assigned application. Ability to modify the application settings, including minimum permissions, remove locks on the application, terminate sessions and requests on the application, and modify any object within the application. You cannot create or delete an application unless you have also been granted the system-level Create/Delete Applications permission. A user with Application Designer permission in one application does not necessarily have that permission in another. |
| Filter Access | Database | Ability to access specific data according to the restrictions of a filter assigned to the user or group. The filter definition specifies, for subsets of a database, whether Read, Write, or No Access is allowed for each subset. A user or group can be granted only one filter per database. Filters can be used in conjunction with other permissions. For more information, see Controlling Access to Database Cells. |
| Create/Delete Applications | System | Ability to create and delete applications and databases within those applications, and to control permissions, locks, and resources for the applications created. Includes designer permissions for the applications and databases created by this user. |
| Create/Delete Users, Groups | System | Ability to create, delete, edit, or rename all users and groups having equal or lesser permissions than their own. |
You can define security permissions for individual users and groups. Groups are collections of users that share the same minimum permissions. Users inherit all permissions of the group and can additionally have access to permissions that exceed those of the group. Users and groups are managed on a server-by-server basis: users defined on a server exist for all applications and databases on the server.
Note: User and group management is also available when you use Essbase Administration Services. For more information, see Essbase Administration Services Online Help.
Permissions can be granted to users and groups in the following ways:
One major way to assign permissions to users and groups is to define user and group types when you create or edit (modify the permissions of) the users and groups. You define these types in the New User or Edit User dialog boxes (see Figure 185 and Figure 187, respectively).
In Application Manager, users and groups can be created in different ways to specify their system-level (data-independent) permissions. These methods are represented in Application Manager and in Essbase Administration Services Console as user types. A description of these types follows. MaxL has no user types: every user is created as an ordinary user with no permissions, and you grant the system-level permissions afterward with separate grant statements.
For detailed instructions about creating users and groups in Application Manager, see Creating, Editing, and Copying Users and Groups.
A user with Supervisor permission has full access to the entire system and all users and groups.
The user who installs Essbase on the server is designated the Essbase System Supervisor for that server. Essbase requires that at least one user on each server has Supervisor permission. Therefore, you cannot delete or downgrade the permission of the last supervisor on the server.
When creating or editing a user in Application Manager, the selection shown in Figure 177 gives the user Supervisor permission:
Figure 177: Supervisor permission
When using MaxL, create an ordinary user and then grant the role of supervisor in a separate statement. For example:
create user admin identified by 'password';
grant supervisor to admin;
Users with ordinary permission have no inherent access to any users, groups, or resources. When creating or editing a user in Application Manager, the selection shown in Figure 178 gives the user no permission:
Figure 178: Ordinary User Permission
Users with Create/Delete Users, Groups permission can create, delete, edit, or rename users and groups with equal or lower permissions only. When creating or editing a user in Application Manager, the selection shown in Figure 179 gives the user Create/Delete Users, Groups permission:
Figure 179: Create/Delete Users, Groups Permission
Users with Create/Delete Applications permission can create and delete applications and control permissions and resources applicable to those applications or databases they created.
Users with Create/Delete Applications permission cannot create or delete users, but they can manage application-level permission for those applications that they have created. For more information on application-level permission, see Managing Global Security for Applications and Databases.
When creating or editing a user in Application Manager, the selection shown in Figure 180 gives the user Create/Delete Applications permission:
Figure 180: Create/Delete Applications Permission
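The following MaxL script is an added example and is not part of the original Hyperion documentation. It shows the three non-supervisor user types above as the separate grants MaxL uses, plus the supervisor grant for comparison, and verifies the result. The user names and passwords are placeholders, and the script assumes it is run by a Supervisor (a user can grant only permissions up to its own level).

```maxl
/* Added example: MaxL equivalents of the Application Manager user types.
   User names and passwords are placeholders; run as a Supervisor. */

/* Ordinary user: created with no system-level permission (the default). */
create user analyst identified by 'temp-pass-1';

/* Create/Delete Users, Groups: may create, delete, edit, or rename users
   and groups with equal or lower permissions, but not applications. */
create user useradmin identified by 'temp-pass-2';
grant create_user to useradmin;

/* Create/Delete Applications: may create applications and control
   permissions for the applications it creates; cannot manage users. */
create user appadmin identified by 'temp-pass-3';
grant create_application to appadmin;

/* Supervisor: full access to every resource, user, and group.
   At least one Supervisor must always exist on the server. */
create user admin2 identified by 'temp-pass-4';
grant supervisor to admin2;

/* Verify what each account actually ended up with. */
display privilege user analyst;
display privilege user useradmin;
display privilege user appadmin;
display user all;
```

Because the grants are separate statements, a script that creates a user and then fails before the grant leaves an ordinary user behind; check the output of display privilege rather than assuming the intended type was applied.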
If you need to grant resource-specific permissions to users and groups that are not implied in any user types, you can grant the specific application or database permissions to users when creating or editing them in Application Manager or Administration Services. Using MaxL, you grant the permissions after the user is created by using the grant statement.
There is no need to grant permissions to users or groups that are already Supervisors; they have full privileges to all resources on the OLAP Server.
For details about resource-specific permissions that can be granted, see Table 23.
To grant or modify application or database permissions for a group, follow the instructions below, substituting the word "group" for "user."
To grant or modify application or database permissions for a user:
Essbase displays this dialog box:
Figure 181: User/Group Application Access Dialog Box
The Applications list box shows all applications defined on the server to which you have access. When you select an application, the user's current access level for the selected application appears in the Access group.
For information about permissions, see Table 23.
Users and groups can be granted Application Designer or Database Designer permission for particular applications or databases. These permissions are useful for assigning administrative privileges to users who need to be in charge of particular applications or databases, but who only need ordinary user privileges for other purposes.
For a given database, users or groups can also be granted any of the following permissions: None, Filter Access, Read Only, Read/Write, and Calculate. (See Table 23.)
You need to grant database access to other users if:
To grant a user or a group access to databases within the selected application, use this procedure:
Note: The DB Access button is disabled when the selected user is a Supervisor or an Application Designer for the selected application, because these users already have Database Designer access to every database within the application.
Figure 182: User Database Access Dialog Box
The Database list box shows all databases defined within the application to which you have access. After you select a database, the access the user has for the selected database is displayed in the Access group.
If the user or group is not a Supervisor, you can grant the following permissions, shown in Table 23:
If you select the Calculate access level, the Calcs button is enabled. Clicking the Calcs button enables you to grant execution permission to a user for specific calculation scripts or all calculation scripts. Using Application Manager, Spreadsheet Add-in, or MaxL, users can execute any calculation scripts granted to them. When you click Calcs, Essbase displays the Execute Calc Scripts dialog box, as shown in Figure 183.
Figure 183: Execute Calc Scripts Dialog Box
When selected, the Allow All Calcs check box gives the user permission to run all calculation scripts stored on the application or database. Any calculation scripts defined afterward are added to the user's calculate privileges. Individual calculation script permission can be granted or revoked by leaving Allow All Calcs unselected, selecting the name of the script in one of the list boxes, and clicking Add or Remove.
Note: By default, a Supervisor, Application Designer, or Database Designer can run all calculation scripts.
| Database permission | Description |
|---|---|
| None | Indicates no access to any object or data value in a database. |
| Filter Access | Indicates that data access is restricted to those filters assigned to the user. (For information about filters, see Controlling Access to Database Cells.) The Filter check box grants a filter object to a user or group. A user or group can be granted only one filter per database. Selecting this option or any other option except None enables the selection of a filter object from the list box. |
| Read Only | Indicates read permission: the ability to retrieve all data values. Report scripts can also be run. |
| Read/Write | Indicates that all data values can be retrieved and updated (but not calculated). The user can run, but cannot modify, Essbase objects. |
| Calculate | Indicates that all data values can be retrieved, updated, and calculated with the default calculation or any calculation for which the user has been granted permission to execute. |
| Database Designer | Indicates that all data values can be retrieved, updated, and calculated. In addition, all database-related files can be modified. |
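The following MaxL script is an added example, not code from the original Hyperion documentation. It grants each permission level of Table 23 to a different user on one database, including a single named calculation script and a filter, so the effect of each level can be compared with display privilege. It assumes the Sample application and its Basic database that ship with Essbase, a calculation script named calcdart in that database (an assumption), placeholder user names, and that the script is run as a Supervisor or as Application Designer for Sample.

```maxl
/* Added example: application- and database-level grants in MaxL.
   Assumes Sample.Basic, an existing calc script sample.basic.calcdart,
   and placeholder users. Run as a Supervisor or Application Designer. */

create user reader   identified by 'temp-pass-1';
create user planner  identified by 'temp-pass-2';
create user dbowner  identified by 'temp-pass-3';
create user regional identified by 'temp-pass-4';

/* Read Only: retrieve all data values and run report scripts. */
grant read on database sample.basic to reader;

/* Read/Write: retrieve and update data, but not calculate. */
grant write on database sample.basic to planner;

/* Calculate: "execute any" is the MaxL form of the Allow All Calcs
   check box and also covers scripts created later; granting one named
   script is the MaxL form of adding it in the Execute Calc Scripts box. */
grant execute any on database sample.basic to planner;
grant execute calculation sample.basic.calcdart to planner;

/* Database Designer on one database only: the user keeps ordinary
   permission everywhere else, which is the purpose of the designer roles. */
grant designer on database sample.basic to dbowner;

/* Application Designer on the whole application (every database in it). */
grant designer on application sample to dbowner;

/* Filter Access: read is limited to East; West is explicitly denied.
   Only one filter per user per database, so grant exactly one. */
create filter sample.basic.east_only
    read on '@IDESCENDANTS("East")',
    no_access on '@IDESCENDANTS("West")';
grant filter sample.basic.east_only to regional;

/* Back to None for a user who no longer needs the database. */
grant no_access on database sample.basic to reader;

/* Compare the resulting effective permissions. */
display privilege user planner;
display privilege user dbowner;
display privilege user regional;
```

The filter grant is the only one that restricts rather than widens access, so review filter definitions in the same pass as the grants: a user with Read/Write on the database and no filter can update every cell.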
To help manage security between users and groups, the following user-management tasks are available at varying degrees to users with different permissions:
To manage users and groups using Application Manager:
Essbase displays the User/Group Security dialog box, as shown in Figure 184:
Figure 184: User/Group Security Dialog Box
The Users list box fills with the names of all users currently defined on this server. Similarly, the Groups list box fills with the names of all groups defined on this server. The five buttons to the right of each list box enable you to perform the functions of user and group management.
For more information on managing users and groups, see Creating, Editing, and Copying Users and Groups, Copying an Existing Security Profile, Deleting Users and Groups, or Renaming Users and Groups.
For information about lock management, and password and user name management, see Managing User Activity at the Server Level.
Tip: You can view lists of users and groups using methods other than Application Manager:
When you create, edit, or copy a user or a group, you define a security profile. This is where you define the extent of the permissions that users and groups have in dealing with each other and in accessing applications and databases. For more specific data-level security, see Controlling Access to Database Cells.
To create a user means to define the user's name, password, and permission. You can also specify group membership for the user, and you can specify that the user is required to change the password at the next login attempt, or that the user name is disabled, preventing the user from logging in.
To create a new user using Application Manager:
Figure 185: New User Dialog Box
As you type, Essbase masks your entry with asterisks.
Note: Passwords are not case-sensitive.
At the next login attempt, the user is prompted to change the password in the Change Password dialog box, shown in Figure 188.
Essbase displays the Group Membership dialog box as shown in Figure 186.
Figure 186: Group Membership Dialog Box
The Not member of list box contains the names of all groups on the server to which this user does not belong.
Tip: You can create users and add them to groups using methods other than Application Manager:
To edit a user means to modify the security profile established when the user was created. The dialog boxes for editing a user and for creating a new one are exactly the same (except for their titles).
Essbase displays the Edit User dialog box as shown in Figure 187.
Figure 187: Edit User Dialog Box
Note: Passwords are not case-sensitive.
Note: If you are changing a user for external authentication, see the instructions in Managing External Authentication.
When this user tries to log in using the old password, he or she will be prompted to first change the password in the Change Password dialog box, as shown in Figure 188.
Figure 188: Change Password Dialog Box
You cannot change the names of users from the Edit User dialog box. Use the Rename User button, described in Renaming Users and Groups.
Tip: You can change a user's password or other properties using methods other than Application Manager:
A group is a collection of users who share the same minimum access permissions. Placing users in groups can save you the time of assigning identical permissions to users again and again.
Note: A member of a group may have permissions beyond those assigned to the group, if permissions are also assigned individually to that user.
The process for creating, editing, or copying groups is the same as that for users, except that there are no group passwords. You define group names and permissions just as you would for users.
When you create a new user, you can assign the user to a group. Similarly, when you create a new group, you can assign users to the group. You must define a password for each user; there are no passwords for groups.
To create a new group or edit an existing group using Application Manager:
Essbase displays the User/Group Security dialog box (see Figure 184).
To edit an existing group, select the group you want to edit and click Edit Group. Then follow these instructions; they are the same as for creating a new group.
Note: You cannot rename a group from the Edit Group dialog box; use the Rename Group button, described in Renaming Users and Groups.
Essbase displays the New Group dialog box, as shown in Figure 189, or the Edit Group dialog box:
Figure 189: New Group Dialog Box
Note: You cannot add users to a group having higher permissions than your own.
To view a list of users in a group, click Edit Group and then click Users. The Members list box of the User/Group Security dialog box contains a list of the group's users.
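The following MaxL script is an added example and is not part of the original Hyperion documentation. It shows the group behaviour described above: permissions granted to the group become the minimum for every member, a member can be granted more than the group, and removing the member from the group drops only the inherited part. The group and user names are placeholders; it assumes the Sample application shipped with Essbase and a Supervisor session.

```maxl
/* Added example: groups and membership in MaxL.
   Group and user names are placeholders; assumes Sample; run as Supervisor. */

/* Groups have no password; permissions are granted to the group name
   exactly as they are to a user. */
create group sample_designers;
grant designer on application sample to sample_designers;

/* New users start as ordinary users; membership gives them the
   group's permissions as their minimum. */
create user pat identified by 'temp-pass-1';
create user lee identified by 'temp-pass-2';
alter user pat add to group sample_designers;
alter user lee add to group sample_designers;

/* A member may exceed the group: lee can also manage users and groups
   (only up to lee's own level, so not Supervisors). */
grant create_user to lee;

/* Leaving the group removes the inherited Application Designer
   permission; permissions granted to pat directly would remain. */
alter user pat remove from group sample_designers;

/* Check membership and the effective permissions of each user. */
display user in group sample_designers;
display privilege user pat;
display privilege user lee;
display group all;
```

Because a user's effective permission is the higher of the group's and the user's own grants, removing someone from a group is not enough to reduce their access when they also hold direct grants; check display privilege after the change.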
Tip: You can create groups and view or change group membership using methods other than Application Manager:
An easy way to create a new user with the same permissions as another user is to copy the security profile of an existing user. The new user is assigned the same user type, group membership, and application/database access as the original user.
You can also create new groups by copying the security profile of an existing group. The new group is assigned the same group type, user membership, and application access as the original group.
Note: "Copy to New" filters any security permissions the creator does not have from the copy. For example, a user with Create/Delete Users permission cannot create a new supervisor by copying the profile of an existing supervisor.
To copy a user or group means to duplicate the security profile of an existing user or group, and to give it a new name. It is helpful to copy users and groups because it saves you the time of reassigning permissions in cases where you want them to be identical.
To create a new user by copying the security profile of an existing user:
Essbase displays the User/Group Security dialog box (see Figure 184).
Figure 190: Copy User Dialog Box
Note: Passwords are not case-sensitive.
Only a user with Supervisor permission can reactivate the user name.
To create a new group by copying the security profile of an existing group:
Essbase displays the User/Group Security dialog box (see Figure 184).
Figure 191: Copy Group Dialog Box
The Group Membership dialog box is displayed.
For more information on using the Group Membership dialog box to assign users to groups, click Help, or see the instructions accompanying Figure 186.
To delete a user using Application Manager:
Essbase displays the User/Group Security dialog box (see Figure 184).
Figure 192: Delete User Confirmation Box
If you choose to delete the user, Essbase updates the Users list box and the server security file with your changes. Essbase automatically deletes users from all groups to which they belong.
To delete a group using Application Manager:
Essbase displays the User/Group Security dialog box (see Figure 184).
Members of the group are not affected by this operation, except that they will no longer be a member of the deleted group.
When you click Delete Group, Essbase displays the Delete Group confirmation box as shown in Figure 193.
Figure 193: Delete Group Confirmation Box
If you choose to delete the group, Essbase updates the Groups list box and the server security file with your changes.
Tip: You can delete users and groups using methods other than Application Manager:
To rename a user using Application Manager:
Essbase displays the User/Group Security dialog box (see Figure 184).
Essbase displays the Rename User dialog box as shown in Figure 194.
Figure 194: Rename User Dialog Box
Essbase updates the Users list box and the server security file with your changes. User names are automatically updated in all groups to which the user belongs.
To rename a group using Application Manager:
Essbase displays the User/Group Security dialog box (see Figure 184).
Essbase displays the Rename Group dialog box as shown in Figure 195.
Figure 195: Rename Group Dialog Box
Essbase updates the Groups list box and the server security file with your changes. Members of the group are not affected by this operation.
Tip: You can rename users and groups using methods other than Application Manager:
| Tool | Instructions | For more information |
|---|---|---|
| Essbase Administration Services | In Enterprise View, right-click the user, and select Rename. | Essbase Administration Services Online Help |
In Application Manager, you can grant or modify user and group application and database permissions from an edit-user standpoint or from an application or database security perspective. The results are the same.
To grant privileges by editing a user or group, see Granting Permissions to Users and Groups.
To grant user-and-group permissions from an application perspective:
Essbase displays the Application Access dialog box.
To grant user-and-group permissions from a database perspective:
Note: If a user has insufficient permission to access the data in a database, the value does not show up in the spreadsheet, or shows up as #NOACCESS.
To use external authentication of users instead of assigning an Essbase password for logins, use this procedure:
Note: For an Essbase Administration Services method of creating users with external authentication, see Essbase Administration Services Online Help.
In addition to granting permissions to users and groups, you can change security settings for entire applications and databases and their related files and resources. Application and database security settings enable you to manage connections and create a lowest-common-security profile for the applications and databases.
This section contains the following subsections:
You can define permissions and other security settings that apply to applications by changing the application settings. The settings you define for the application affect all users, unless they have higher privileges granted to them at the user level.
Only users with Supervisor permission (or Application Designer permission for the application) can change application settings.
To define settings for an application:
Essbase displays the Application Settings dialog box as shown in Figure 196.
Figure 196: Application Settings Dialog Box
For information on the setting types, see either Setting General Application Connection Options or Setting Application and Database Minimum Permissions.
You can define security and connection options using either Application Manager or Administration Services. Select the General tab in the Application Properties window to define the security options using Administration Services.
The following application settings are available in Application Manager:
The following settings are available for various levels of application security. For information about how and when disabling of these settings takes effect, see Table 24.
Table 24 describes when the implementation of protective application settings takes effect, how long the effects last, and which users are affected.
The application settings can also be accessed in the following interfaces:
Important: If performing maintenance operations that require disabling commands or updates, make those maintenance operations within the same session as the one in which the setting was disabled.
If you disable commands or updates in a MaxL script, be aware that the end of the script constitutes the end of the session. Calling a nested MaxL or ESSCMD script from the current MaxL script also constitutes the end of the session.
If you disable commands or updates in an ESSCMD script, the end of the script constitutes the end of the session, but calling a nested ESSCMD script from the current ESSCMD script does not constitute the end of the session.
Caution: Never power down or reboot your client computer when you have cleared any of the Allow settings. (Always select Server > Disconnect to log out from the server.) Improper shutdown can cause the application to become inaccessible, which requires a full application shutdown and restart.
If a power failure or system problem causes OLAP Server to improperly disconnect from the Essbase client, and your application is no longer accessible, you must shut down and restart the application. See Running Essbase Servers, Applications, and Databases for more information.
Minimum database access permissions can be specified at the application or database level. If specified for an application, minimum database access permissions apply to all databases within the application. When a minimum permission is set to a level higher than None (or No Access) for an application or database, all users on the OLAP Server inherit that permission to access the database or databases.
For example, if an application has Read privilege assigned as the minimum database access level, all users can read any database within that application, even if their individual permissions do not include Read access. Similarly, if a database has a minimum permission setting of None, only users with sufficient granted permissions (granted directly, or implied by filters or group membership) can gain access to the database.
Users with Supervisor, Application Designer, or Database Designer permissions are not affected by minimum-permission settings applied to applications or databases they own. Supervisors have full access to all resources, and Application Designers and Database Designers have full access for their applications or databases.
Users and groups with lower than the minimum permissions inherit at least the minimum permissions for any applications or databases. For information on application and database permissions granted to individual users or groups, see Granting Application and Database Access to a User or Group.
A change to the minimum permission setting for an application affects only those databases whose own minimum is lower. The effective minimum for a database is the higher of the application setting and the database setting, so a database minimum that already exceeds the application minimum is unchanged.
The permissions listed in Table 25 are available as minimum settings for applications and databases. Databases of an application inherit the permissions of the applications whenever the application permissions are set higher than those of the database.
To set minimum permissions for an application:
Essbase displays the Application Settings dialog box (Figure 196).
The minimum permission settings are in the Minimum Database Access group.
To set minimum permissions for a database:
Essbase displays the Database Settings dialog box as shown in Figure 197.
Figure 197: Database Settings Dialog Box
The minimum permission settings are in the Database Access group.
Note: Although any user with a minimum of Read access to a database can start the database, only a Supervisor, a user with Application Designer privilege for the application, or a user with Database Designer privilege for the database can stop the database.
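The following MaxL script is an added example, not code from the original Hyperion documentation. It sets minimum permissions at the application and database level, and then shows a maintenance window in which updates are disabled, the maintenance work is done, and updates are re-enabled inside the same script, because the end of a MaxL script ends the session and with it the protection (see the Important note above). It assumes the Sample application and Basic database that ship with Essbase and a session with Supervisor or Application Designer permission for Sample.

```maxl
/* Added example: application and database settings in MaxL.
   Assumes Sample.Basic; run as Supervisor or Application Designer for Sample. */

/* Minimum permissions: every user on the server gets at least this level
   on the affected databases, whatever their individual grants. A database
   whose own minimum is higher than the application's keeps the higher one. */
alter application sample set minimum permission read;
alter database sample.basic set minimum permission write;

/* Maintenance window. The disable takes effect for other users; this
   session keeps working. Everything between the disable and the enable
   must stay in this script: the end of the script ends the session. */
alter application sample disable updates;

/* Maintenance work performed while users cannot update data. */
execute calculation default on sample.basic;

/* Re-enable before the script (and the session) ends. */
alter application sample enable updates;

/* Keep new users out entirely during heavier work, then let them back in. */
alter application sample disable connects;
alter application sample disable commands;
/* ... restructure, reload, or other maintenance statements ... */
alter application sample enable commands;
alter application sample enable connects;
```

Because a minimum permission above None is inherited by every user on the server, treat raising it as a grant to all users and check the application and database minimums whenever you audit who can read or write a database.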
This section explains how to manage the activities of users connected to the server. The security concepts explained in this section are session and request management, lock management, connection management, and password/user name management. For information about managing security for partitioned databases, see Designing Partitioned Applications.
The security system lets you disconnect a user from the Essbase server when you want to perform maintenance tasks.
To view sessions, disconnect sessions, or terminate requests, you must have Supervisor permission or Application Designer permission for the specified application. You can view or terminate only sessions or requests for users with permissions equal to or lesser than your own.
A session is the time between login and logout for a user connected to Essbase OLAP Server at the system, application, or database scope. A user can have more than one session open at any given time. For example, a user may be logged on to different databases. If you have the appropriate permissions, you can log off sessions based on any criteria you choose; for example, an administrator can log off a user from all databases or from a particular database.
A request is a query sent to OLAP Server by a user or by another process; for example, a default calculation of a database, or a restructuring of the database outline. Each session can process only one request at a time.
To disconnect a session or request:
Essbase displays the Connections dialog box as shown in Figure 198.
Figure 198: Connections Dialog Box
If you have Supervisor permission, this dialog box lists the following:
Unless you are a Supervisor, you can see only session information for users who are connected to an application for which you have Application Designer permission.
If you have Application Designer permission, this dialog box lists information only for users (including yourself) who are connected to any application for which you have Application Designer permission.
Table 26 lists the selection combinations available by selecting options from the list boxes, and their equivalent MaxL statements. The log off options are for terminating a user's session. The kill options are for terminating specific requests within any session without logging out the user's entire session.
Though not listed below, the Use Force check box is also available when a log off option is selected. This check box is useful when you want to terminate a session or sessions while at least one of those sessions is running a request that is currently processing or is not responding. The MaxL equivalent to Use Force is to include the "force" keyword after any statement for logging off a user; for example, alter system logout session <session-id> force;.
Note: You cannot terminate a restructure process. If you attempt to terminate it, a "command not accepted" error is returned, and the restructure process is not terminated.
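The following MaxL statements are an added example and are not part of the original Hyperion documentation. They are the MaxL forms of the selections in the Connections dialog box: list sessions, log off sessions (with and without force), and kill a request while leaving the session logged in. The user name, application name, and session id are placeholders; the statements require Supervisor permission, or Application Designer permission for the application concerned.

```maxl
/* Added example: session and request management in MaxL.
   User, application, and session-id values are placeholders. */

/* See who is connected and what each session is currently running. */
display session all;
display session on application sample;
display session by user pat;

/* Log off one user's sessions. Add "force" when a session is running a
   request or is not responding; without it, a busy session is left alone. */
alter system logout session by user pat;
alter system logout session by user pat force;

/* Log off every session on one application, for example before maintenance. */
alter system logout session on application sample force;

/* Terminate only the running request; the user stays logged in. */
alter system kill request by user pat;
alter system kill request on application sample;

/* Target one session by the id shown in "display session". */
alter system logout session 42 force;
```

A restructure cannot be terminated this way (the "command not accepted" error above); wait for it to finish rather than repeating the kill.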
Essbase Spreadsheet Add-in users can interactively send data from a spreadsheet to the server. To maintain data integrity while providing multiple-user concurrent access, Essbase enables users to lock data for the purpose of updating it. Users who want to update data must first lock the records to prevent other users from trying to change the same data.
Occasionally, you may need to force an unlock operation. For example, if you attempt to calculate a database that has active locks, the calculation must wait when it encounters a lock. By clearing the locks, you allow the calculation to resume.
Only Supervisors can view users holding locks and remove their locks.
Essbase displays the Database Locks dialog box as shown in Figure 199.
Figure 199: Database Locks Dialog Box
The Database Locks dialog box displays a list of users who currently have at least one block locked. It also indicates the number of blocks that are locked, and the amount of time, in seconds, that the blocks have been locked.
You can also use the REMOVELOCKS command in ESSCMD to perform this task. See the Technical Reference in the docs directory for information.
You can place limitations on the number of login attempts users are allowed, on the number of days users may not use Essbase before becoming disabled from the server, and on the number of days users are allowed to have the same passwords. Only system administrators (users with Supervisor privilege) can access these settings. The limitations apply to all users on the server, and are effective immediately upon clicking OK.
To place limitations on users:
Essbase displays the Server Settings dialog box as shown in Figure 200.
Figure 200: Server Settings Dialog Box
The Password Management option group contains the settings for user management. A setting of 0 for any option means that parameter is turned off; therefore, you must enter at least 1 to apply limitations.
Note: If you return to the Server Settings dialog box later and change the number of unsuccessful login attempts allowed, Essbase resets the count for all users. For example, if the setting was 15 and you changed it to 20, all users would be allowed 20 new attempts. If you changed the setting to 2, a user who had already exceeded that number when the setting was 15 would not be locked out. The count returns to 0 for each change in settings.
For the number of days a user may go without logging in before the user name is disabled, the timer starts for all users as soon as you click OK, and it is reset for a particular user each time that user logs in or is reactivated or edited by a Supervisor.
For the number of days a user may keep the same password, the timer starts for all users as soon as you click OK, and it is reset for a particular user each time that user changes the password or is reactivated or edited by a Supervisor.
A user name becomes disabled when the user exceeds limitations specified in the Server Settings dialog box (see Managing Passwords and User Names), or because a system administrator has disabled the user name at the user level. To learn how to disable a user name, see Editing a User.
To view or activate currently disabled user names:
Essbase displays the Disabled Usernames dialog box, shown in Figure 201, which lists all disabled user names:
Figure 201: Disabled Usernames Dialog Box
Essbase displays the Confirm Activate confirmation box as shown in Figure 202.
Figure 202: Confirm Activate Confirmation Box
Note: Only a system administrator (a user with Supervisor permission) can view or reactivate disabled user names.
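The following MaxL script is an added example and is not part of the original Hyperion documentation. It sets the three server-wide limits from the Password Management group (a value of 0 turns a limit off, as the text above states), then disables and reactivates a user name directly. The limit values and user name are placeholders, and the script requires Supervisor permission.

```maxl
/* Added example: password and user-name limits in MaxL. Placeholder values;
   requires Supervisor. A value of 0 turns the corresponding limit off. */

/* Disable a user name after this many consecutive failed logins.
   Changing this value resets every user's failure count to 0. */
alter system set invalid_login_limit 5;

/* Disable user names that have not logged in for this many days. */
alter system set inactive_user_days 90;

/* Require a new password after this many days with the same one. */
alter system set password_reset_days 60;

/* Disable a user name at the user level (for example, a departed user),
   and later reactivate it; only a Supervisor can do either. */
alter user pat disable;
alter user pat enable;

/* Reset a password for a reactivated user. */
alter user pat set password 'new-temp-pass';

display user all;
```

Note that the failure count resets whenever the limit is changed, so lowering the limit during an attack does not lock out a user who has already exceeded the new value; the count starts again from 0.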
All information about users, groups, passwords, privileges, filters, applications, databases, and their corresponding directories is stored in the ESSBASE.SEC file in your $ARBORPATH\Bin directory. Each time you successfully start the Agent, a backup copy of the security file is created as essbase.bak.
If you attempt to start the Agent and cannot get a password prompt or your password is rejected, no .bak file is created. You can restore from the last successful startup by copying essbase.bak to essbase.sec. Both files are in the bin directory where you installed OLAP Server.
© 2002 Hyperion Solutions Corporation. All rights reserved. http://www.hyperion.com