
LESSON 5

Configuring Shared Services

Objectives

At the end of this lesson, you should be able to:
- Configure Shared Services
- Configure the EPM Oracle Instance
- Configure the Shared Services and registry database connection
- Configure EPM System Common Settings
- Deploy EPM System products to a WebLogic domain
- Register with Oracle Configuration Manager
- Set up the Shared Services Admin user password
- Configure the Foundation Services web server
- Configure user directories for single sign-on
- Provision users and groups
- Generate provisioning reports
- Create application groups

Lesson 5 Configuring Shared Services

Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Running EPM System Configurator for Shared Services

[Slide diagram labels: Database, Server components]


When you run EPM System Configurator for Shared Services, you perform the following tasks:
- Configure the EPM Oracle Instance
- Configure the Shared Services and Registry database connection
- Configure EPM System common settings
- Configure Logical Address for Web Applications
- Deploy to the Application Server
- Configure Oracle Configuration Manager
- Setup connection to Oracle BI and Publisher
- Set the Shared Services admin user password
- Configure the Web server
- Import data from earlier releases

The succeeding topics discuss the configuration steps based on the order they are displayed in EPM System Configurator. The following sections describe optional configuration steps.

Financial Management 11.1.2: Installation and Configuration

Configure Logical Addresses for Web Applications


You use this option after first-time deployment if you need to change the logical address for a deployed Web application. This task lets you change the logical address without redeploying the Web application.

Setup Connection to Oracle BI and Publisher


You run this task to specify the configuration information for EPM Workspace to work with Oracle BI EE and BI Publisher. You must reconfigure the Web server after you perform this task. If the Web server is on this machine, select Configure Web Server at the same time you select Set up Connection to Oracle BI and Publisher.

Import Data From Earlier Releases


This option is available only if you are upgrading from an earlier release. This task extracts the contents of a migrated data ZIP file and imports the data to Shared Services. If you are upgrading from an earlier release, specify the location from which to import Shared Services data. You must specify the full path to hssmigratedata.zip, which is created with the Shared Services Upgrade Utility.

NOTE: To use data from the earlier release of Shared Services, you export the data using a utility, and then copy the resulting file to the machine hosting the new installation. During configuration, EPM System Configurator extracts the necessary data for use in the current release. Exporting Shared Services data from earlier releases is discussed in the Upgrading EPM System Products lesson.


Configuring the EPM Oracle Instance


The EPM Oracle instance is defined when EPM System products are configured. Typically, if you are installing all products on a single machine, for the first product you configure, you create a new instance. For each product after that, you modify the existing instance. If you are installing in a distributed environment, you create a new instance on each machine.

In this class, you create a new EPM Oracle Instance and accept the default location: MIDDLEWARE_HOME/user_projects/epmsystem1.

TIP: In a UNIX environment, you can deploy to a shared drive by installing to a shared drive and then configuring each machine to deploy to a different instance.

The following table describes options for configuring the instance:

| Configurator Field | Description |
|---|---|
| Modify an existing EPM Oracle instance / Create a new EPM Oracle instance | Select to modify an existing EPM Oracle instance or to create a new instance. |
| Home directory for EPM Oracle instances | Specify the directory in which to create the instance. The default EPM Oracle instance location is MIDDLEWARE_HOME/user_projects. |
| EPM Oracle Instance Name | Specify a name for the instance. The default instance name is epmsystem1. |


Setting Up the Shared Services and Registry Database Connection


The first time you configure EPM System products, you configure a database for use by Foundation Services, which includes Shared Services Registry. When you configure the Shared Services and Registry database, EPM System Configurator ensures that the database is connected and is a supported database type. If a database is detected, you may be prompted to choose whether to use the detected database or to create a database. If you are configuring an Oracle database, EPM System Configurator checks that the database was created with the correct character set. If not, you are prompted to correct it.

Guidelines when upgrading Shared Services databases:
- If you are upgrading from an earlier release, select Perform first-time configuration of Shared Services database and enter database connection information for a new database.
- If you are upgrading from Release 11.1.1.3, and you configured all EPM System products to use one database, you are alerted that pre-existing Shared Services tables have been detected in the database. When prompted to drop and recreate the tables, select Yes.
- If you are applying the maintenance release to move from Release 11.1.2.0 to Release 11.1.2.1, select Connect to a previously configured Shared Services database.

Shared Services Registry Overview

The Shared Services Registry is part of the database that you configure for Foundation Services. It is created the first time you configure EPM System products, and it simplifies configuration by storing and reusing the following information for most EPM System products that you install:
- Initial configuration values such as installation directories, database settings, and deployment settings
- Host computer names, ports, servers, and URLs that you use to implement multiple, integrated, EPM System products and components

Configuration changes you make for one product are automatically applied to other products used in the deployment.

NOTE: In previous releases, Shared Services Registry was sometimes referred to as EPM System Registry.

When you upgrade from a previous release of EPM System products, EPM System Configurator updates the Shared Services Registry for products that you upgrade. You can view and manage the contents of the Shared Services Registry using Lifecycle Management in the Shared Services Console.

To view Shared Services Registry Data in Shared Services Console:

NOTE: For steps on accessing Shared Services Console, see Launching Shared Services Console in this lesson.

1. In Shared Services Console, expand the Foundation application group in the View pane.
2. Perform one of the following actions:
   - Click Deployment Metadata.
   - Right-click Deployment Metadata and select Explore.
3. Select Shared Services Registry.

For more information, see Oracle Hyperion Enterprise Performance Management System Lifecycle Management Guide.

You can edit the Shared Services Registry using a command line utility. Use this utility only if you are unable to make the required changes to the Shared Services Registry using EPM System Configurator. For more information, see Updating the Shared Services Registry in Oracle Hyperion Enterprise Performance Management System Installation and Configuration Guide.


Specifying Database Connection Information


The following table describes the fields that you must complete to configure the Shared Services and Registry database:

| Configurator Field | Description |
|---|---|
| Connect to a previously configured Shared Services database / Perform first-time configuration of Shared Services database | When you first configure the Shared Services and Registry database, choose Perform first-time configuration of Shared Services database. This database includes the Shared Services Registry, which is used to store common information for all products. When you configure in a distributed environment, you must configure the Shared Services database on every machine. On the first machine, you are setting up the Shared Services Registry. For configurations on subsequent machines, choose Connect to a previously configured Shared Services database. In this case, you are letting the machine know the location of the Shared Services Registry. |
| Database Type | Select the database type. |
| Server | Specify the name of the database server where the Shared Services database should be created. For Oracle RAC, specify the VIP name or one of the node names as the server name. |
| Port | Select the default or specify a custom Shared Services server port number on which the database listens. |
| Service Name or SID | Specify the name of the Shared Services database. If you are using an Oracle RAC database, specify the RAC service name. |
| User Name | Enter the name of the database user. |
| Password | Enter the password of the database user. |
| Optional: Advanced Options | Click or select to specify additional information. You can use this option to configure Oracle RAC. |


Configuring EPM System Common Settings


Select to create Windows services for configured components, use SSL for Web application server communications (requires manual configuration), and set up mail servers. EPM System Configurator displays the Common Settings page once on each machine that you configure. If you configure on another machine and change any of these options, your new selections apply for all products and machines that you have not configured. If you reconfigure on a machine, the new settings apply to any products that you reconfigure and to future configurations.

The following table describes options for common settings configuration:

| Configurator Field | Description |
|---|---|
| Create Windows Services for configured components (Windows only) | Select to configure each service as a Windows service that starts automatically when you start Windows. |
| Run Windows Services as non-local system account | Select to specify a non-local system account to configure Windows services, and then specify a user name and password. Note: Oracle recommends that you select this option. If you do not select this option, EPM System Configurator creates Windows services using the local system account. Before you start the services, change them to use the appropriate domain account. |
| User Name | Enter the user name for the user to launch the Windows services. If you leave this field blank, EPM System Configurator creates the services using the local system account. |
| Password | Enter the password for the user used to launch Windows services. |
| Use SSL for Web application server communications (requires manual configuration) | Depending on your SSL implementation, select to use SSL communication for all Web applications. If this option is selected, URLs are in the form https. Note: Selecting this option does not enable secure communication for the Web application server and does not create and load certificates into JREs and JDKs. See Oracle Hyperion Enterprise Performance Management System Security Administration Guide for more information. |
| Mail Server Host | For products that integrate an email feature, which uses standard Simple Mail Transfer Protocol (SMTP), specify the outgoing mail (SMTP) server. To enable email alerts, you must specify the SMTP server name. |
| Port | Specify the mail server port number or accept the default value. If you are using SSL to communicate with the mail server, enter an SSL port. |
| Administrator's Email Address | Specify the administrator's email address to use for notifications. |
| Use SSL to communicate with mail server | Select to use SSL communication for all email communication. |
| Use authentication to send email | Specify whether the mail server requires authentication, and then specify a user name and password. |
| User Name | Specify the user name for the SMTP server. |
| Password | Specify the password for the SMTP server. |

Deploying Shared Services to the Application Server

To configure the application server, you do the following:
1. Specify WebLogic domain information.
2. Enter application server details.


EPM System Configurator deploys each application to the WebLogic Server domain you specified. For a new domain, the domain is created when the first application is deployed. Each application runs in a separate JVM, except for Shared Services and EPM Workspace, which run together and are deployed to the same managed server.

The following table lists the options to define the WebLogic Server domain:

| Field | Description |
|---|---|
| Deploy Web applications to an existing domain / Deploy Web applications to a new domain | Specify whether to deploy Web applications to an existing domain or to a new domain. If you create a new domain, the WebLogic Administration Server for this domain is created on this machine. |
| Domain Name | To define a new domain, enter a domain name. The default domain name is EPMSystem. To deploy to an existing domain, specify the domain to use for deployment. |
| Administration Server Host | For an existing domain, specify the Administration Server Host. |
| Administration Server Port | Accept or change the default port. To change the default, enter a port number that does not conflict with other applications installed on your machine. |
| Administrator User | Enter the Administrator user name for the domain. By default, EPM System Configurator uses epm_admin. |
| Administrator Password | Enter the Administrator password or enter a new password for a new domain. Tip: Make a note of this password. |
| Confirm Administrator Password | If you are defining a new domain, confirm the Administrator password. |

The following table describes options for WebLogic application server deployment configuration.

| Field | Description |
|---|---|
| Ear/War | Select the components to deploy. |
| Managed Server Name | Displays the WebLogic Managed Server name. |
| Port | Accept or change the default port. To change the default, enter a port number that does not conflict with other applications installed on your machine. |
| SSL Port | Accept the default port or specify the SSL port to use for deployment. Specifying this port sets up SSL using the Java application server's default certificates. See the Oracle Hyperion Enterprise Performance Management System Security Administration Guide for recommendations on updating the Java application server with a valid certificate. If you are using SSL, you must disable the non-SSL port (or redirect it to the SSL port) in your Java application server after configuration to ensure secure communication. |
| Advanced Setup | Click or select Set up to specify the logical address the products use to connect to the Web application server. Select this option when the Web applications do not communicate with the Web application server directly, as in the following scenarios: you have set up a cluster with a load balancer, or you are using an SSL offloader. |
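The SSL Port description above requires the non-SSL port to be disabled or redirected to the SSL port after configuration. One way to verify that on a deployed server, as an added example that is not part of the course material or of any Oracle tool: the function names are hypothetical, and the host and ports are the sample values from this lesson's URLs (myserver, 19000, 19043).

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_plain_http(status, location, ssl_port):
    """Classify what the non-SSL port returned for a plain HTTP request.

    status   -- HTTP status code, or None if nothing answered plain HTTP
    location -- value of the Location header, or None
    ssl_port -- the SSL port the deployment is expected to use
    """
    if status is None:
        return "no-plaintext-listener"      # port disabled: the required state
    if status in REDIRECT_CODES and location:
        try:
            target = urlsplit(location)
            port = target.port               # raises ValueError on a bad port
        except ValueError:
            return "serves-plaintext"
        # Only an absolute https:// redirect to the expected port counts.
        if target.scheme == "https" and (port or 443) == ssl_port:
            return "redirects-to-ssl"
    # Any other answer (content, or a redirect that stays on http or is
    # relative) means users can still reach the application in clear text.
    return "serves-plaintext"


def probe_plain_http(host, port, path="/interop", timeout=5.0):
    """Send one plain HTTP GET and return (status, Location header)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        # Refused, timed out, or the port does not speak plain HTTP.
        return None, None
    finally:
        conn.close()


def audit(endpoints, probe=probe_plain_http):
    """endpoints: iterable of (host, non_ssl_port, ssl_port) tuples."""
    findings = []
    for host, plain_port, ssl_port in endpoints:
        status, location = probe(host, plain_port)
        verdict = classify_plain_http(status, location, ssl_port)
        findings.append((host, plain_port, verdict))
    return findings


def failures(findings):
    """Return only the endpoints that still serve clear-text HTTP."""
    return [f for f in findings if f[2] == "serves-plaintext"]


# Constructed sample responses so the example runs offline; replace
# sample_probe with probe_plain_http to test real servers.
SAMPLE_RESPONSES = {
    ("myserver", 19000): (302, "https://myserver:19043/interop"),
    ("myserver2", 19000): (200, None),
    ("myserver3", 19000): (None, None),
}


def sample_probe(host, port):
    return SAMPLE_RESPONSES[(host, port)]


if __name__ == "__main__":
    endpoints = [(h, p, 19043) for (h, p) in SAMPLE_RESPONSES]
    for host, port, verdict in audit(endpoints, probe=sample_probe):
        print(f"{host}:{port} -> {verdict}")
```
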

Note the following application server deployment information:
- You deploy multiple products to a single domain.
- By default, EPM System Configurator deploys 32-bit binaries to 32-bit application servers on 32-bit operating systems, and 64-bit binaries to 64-bit application servers on 64-bit operating systems.
- EPM System Configurator deploys the applications to MIDDLEWARE_HOME/user_projects/domains/<domainName>.
- The EPM Workspace Web application and the Shared Services Web application are deployed when you select the Hyperion Foundation Deploy to Application Server task.
- If you are implementing a custom authentication module, you must include its Java archive (.jar) in the EPM Product classpath. See the Oracle Hyperion Enterprise Performance Management System Security Administration Guide for detailed procedures to implement a custom authentication module.
- Start and stop scripts are created in EPM_ORACLE_INSTANCE/bin/.
- For each application, in EPM_ORACLE_INSTANCE/bin/deploymentScripts there is a setCustomParamsProduct.bat file (.sh extension for UNIX), where you can change JAVA_OPTIONS when using start scripts.


Registering with Oracle Configuration Manager


Oracle Configuration Manager collects machine configuration information and installed Oracle software information on a regular basis and uploads it to My Oracle Support. EPM System Configurator displays this page on the first machine you configure and uses the values for each additional machine in the deployment. The following table describes options for registering for Oracle Configuration Manager.

| Configurator Field | Description |
|---|---|
| Email | Enter the email address to use for notifications from My Oracle Support. |
| View Details | Click or select View Details to see information about Oracle Support policies. |
| I wish to receive security updates via My Oracle Support | Specify whether you want to receive security updates. |
| My Oracle Support password | Enter your My Oracle Support password. |

NOTE: EPM System Installer installs Oracle Configuration Manager for you in EPM_ORACLE_HOME/ccr. For more information about Oracle Configuration Manager, see http://download.oracle.com/docs/cd/E18041_01/doc.103/e18035.pdf.


Setting the Shared Services Admin User Password


EPM System Configurator creates a preprovisioned user called admin, which enables you to log on to Shared Services after configuration to create and provision users. EPM System Configurator requires you to specify a new admin password during configuration. After configuration, you can make subsequent changes to the admin user password in the Shared Services Console. See the Oracle Hyperion Enterprise Performance Management System Security Administration Guide. The following table describes options for resetting the Shared Services admin user password:

| Configurator Field | Description |
|---|---|
| Password | Enter a new password for the Shared Services admin user. |
| Re-Type Password | To confirm the new password, re-enter the password for the Shared Services admin user. |

Configuring the Foundation Services Web Server


Configuring the Shared Services Web Server


You configure the Web server only on the machine on which you want to run it. If you already configured the Web server and you deploy any additional products, you must run EPM System Configurator again and select the Foundation Services Configure Web Server task. The following table describes the options for the Web server configuration:

| Field | Description |
|---|---|
| Select Web Server | Select the Web server. |
| HTTP Port | Specify the Web server port. If you use SSL, make sure the port number that you enter is a secure port. |
| Location of Oracle HTTP server | Specify or browse to the location of the Web server. |
| Component | Review the components for which the Web server is being configured. |


Launching Shared Services Console


After you successfully configure Shared Services, you can log on to Shared Services Console to perform the following tasks:
- User directory configurations
- Single sign-on configuration
- Native Directory management
- Role-based access control management
- Audit configuration and report management
- Access to Oracle Hyperion Enterprise Performance Management System Lifecycle Management and product artifact exploration

To launch Shared Services Console:

1. Ensure that pop-up blockers are not enabled.
2. Open your browser and go to: http://web_server_name:port_number/interop

   In the URL, web_server_name indicates the name of the computer where the Web server used by Foundation Services is running, and port_number indicates the Web server port; for example, http://myWebserver:19000/interop. If you are accessing Shared Services Console in secure environments, use https as the protocol and the secure Web Server port number. For example, use a URL such as: https://myserver:19043/interop. The Logon page is displayed in a pop-up window.
3. On the Logon page, enter your user name and password. Initially, the only user who can access Shared Services Console is admin. The password for admin is specified in Oracle's Hyperion Enterprise Performance Management System Configurator while deploying Foundation Services.
4. Click Log On.

Shared Services Console comprises a View pane, also known as the Application Management pane, and task tabs. When you initially log in, Shared Services Console displays the View pane and a Browse tab. The View pane is a navigation frame where you can choose objects (such as user directories, users, groups, roles, application groups, and applications). Typically, details of your current selection in the View pane are displayed on the Browse tab. Additional task tabs open as needed, depending on the task that you perform; for example, a Report tab opens when you generate a report, and a Configure tab opens when you configure a user directory.

Depending on the current configuration, Shared Services Console lists your existing objects in the View pane. You can expand these object listings to view details. For example, you may expand the User Directories node to view a list of configured user directories. You may also search configured user directories for users and groups.

A shortcut menu, accessible by right-clicking an object, is associated with some objects in the View pane. Shortcut menus associated with objects in the View pane provide the quickest method to perform operations on the objects. Options in shortcut menus change dynamically, depending on what you select. The commands displayed in the shortcut menu also are available on a menu in the menu bar. Buttons representing enabled menu options are displayed on the toolbar.

Configuring Single Sign-On

[Slide diagram labels: Authentication directory, User Management console, EPM System products]


Shared Services helps establish a secure environment for EPM System products. You can define and manage security for EPM System product deployments through Shared Services Console.

NOTE: All EPM System products depend on Shared Services to define how users are authenticated and how they are authorized to use product resources.

EPM System users must be authenticated before their provisioning data is checked to determine the EPM System applications that they can access. By default, users enter a user name and password into a product login page to gain Single Sign-On (SSO) access to all EPM System products.

SSO is a session and user-authentication process that enables EPM System product users to enter credentials only once, at the beginning of a session, to access multiple products. SSO eliminates the need to log in separately to each product to which the user has access.

When you install and deploy Shared Services, Native Directory, the default user directory for EPM System products, is configured automatically. You can configure external user directories to support SSO and authorization for the products that you install. External authentication enables you to configure Shared Services to use a separate authentication directory; the directory contains corporate user information to authenticate EPM System product users. Each EPM System product enables external authentication by referencing the Shared Services configuration during the product configuration process.

NOTE: Shared Services Console writes the configuration information to the CSS.xml file that is packaged with Shared Services.

You can perform the following user directory management and configuration tasks in Shared Services Console:
- Configure user directories
- Test user directory connections
- Edit user directory settings
- Delete user directories
- Manage the user directory search order

After configuring the directories, you must synchronize them with the Shared Services database.

Configuring Native Directory


Native Directory refers to the relational database that Shared Services uses to support provisioning and to store seed data such as default user accounts, and additional users and groups that you create. By default, Native Directory contains one user account, admin. You specify the password for the admin account the first time you run EPM System Configurator. With this user account, you can perform all Native Directory and Shared Services administration tasks:
- Maintain and manage the native user and group accounts
- Generate EPM System provisioning information; Shared Services stores the relationships among users, groups, roles, and applications

All EPM System users, whether defined in Native Directory or in an external user directory, belong to the WORLD group, the only default Native Directory group. WORLD is a logical group. All Shared Services users inherit any role assigned to this group. A user gets the sum of all permissions assigned directly to that user as well as those assigned to the user's groups (including the WORLD group).

If Shared Services is deployed in delegated mode, the WORLD group contains groups as well as users. If the delegated list of a user contains the WORLD group, then the user can retrieve all users and groups during searches.

To create Native Directory users:

1. In Shared Services Console, expand User Directories, and then Native Directory.
2. Under the Native Directory node in the View pane, right-click Users, and select New.
3. In the Create User dialog box, enter the following information:
   - User Name: a unique user identifier (maximum 256 characters) that follows the naming conventions of your organization. For example, first name initial followed by the last name, as in jyoung. User names can contain any number or combination of characters. You cannot create identical user names, including names that are differentiated only by number of spaces. For example, you cannot create user names "user 1" (with one space between user and 1) and "user  1" (with two spaces between user and 1).
   - Password: passwords are case-sensitive and can contain any combination of characters.
   - Confirm Password: re-enter password.
   - First Name: user's first name (optional)
   - Last Name: user's last name (optional)
   - Description: user's description (optional)
   - Email Address: user's e-mail address (optional). The e-mail server domain extension (for example, .com, .org, and .gov) cannot contain more than four characters.
4. Optional: To add the user to one or more groups, click Next.
   a. On the Group Membership page, in Search for Groups, enter the name of the group to assign to the user (type * to list all available groups).
   b. Click Go.
   c. From Available Groups, select groups.
   d. Click Add.
   e. Optional: From Assigned Groups, select the group and click Remove to unassign a group. Click Reset to undo all changes that you made to Assigned Groups.
5. Click Save.
6. Click Create Another to create another user or OK to close the Create User dialog box.

For additional Native Directory task procedures, see Oracle Hyperion Enterprise Performance Management System User and Role Security Guide Release 11.1.2.1.
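The WORLD group rule described in this topic (every user inherits roles assigned to WORLD, on top of direct and group assignments) is modelled below as an added example; it is not part of the course material or of Shared Services. The role and group names are constructed, groups are assumed to be flat (no nesting), and the function names are hypothetical. It reports where each role comes from, so that roles reaching users only through WORLD stand out in a provisioning review.

```python
from collections import defaultdict

WORLD = "WORLD"  # the only default Native Directory group; every user is a member

# Constructed sample provisioning data (role and group names are made up).
DIRECT_ROLES = {
    "admin": {"Administrator"},
    "jyoung": {"Planner"},
}
GROUP_MEMBERS = {
    "FinanceAnalysts": {"jyoung"},
}
GROUP_ROLES = {
    "FinanceAnalysts": {"Report Viewer"},
    WORLD: {"Journal Poster", "Report Viewer"},
}
# ext_ldap_user stands for a user defined only in an external user directory.
ALL_USERS = ["admin", "jyoung", "ext_ldap_user"]


def role_sources(user, direct_roles, group_members, group_roles):
    """Return {role: sorted list of sources} for one user.

    A source is "direct", the name of a group the user belongs to, or WORLD.
    """
    sources = defaultdict(set)
    for role in direct_roles.get(user, ()):
        sources[role].add("direct")
    for group, members in group_members.items():
        if group != WORLD and user in members:
            for role in group_roles.get(group, ()):
                sources[role].add(group)
    # WORLD is a logical group: membership is implicit for every user,
    # native or external, so its roles apply unconditionally.
    for role in group_roles.get(WORLD, ()):
        sources[role].add(WORLD)
    return {role: sorted(src) for role, src in sources.items()}


def effective_roles(user, direct_roles, group_members, group_roles):
    """The sum of direct, group and WORLD roles, as the lesson describes."""
    return set(role_sources(user, direct_roles, group_members, group_roles))


def world_only_grants(users, direct_roles, group_members, group_roles):
    """Per user, the roles held solely because they are assigned to WORLD."""
    report = {}
    for user in users:
        src = role_sources(user, direct_roles, group_members, group_roles)
        only = sorted(role for role, where in src.items() if where == [WORLD])
        if only:
            report[user] = only
    return report


if __name__ == "__main__":
    grants = world_only_grants(ALL_USERS, DIRECT_ROLES, GROUP_MEMBERS, GROUP_ROLES)
    for user, roles in grants.items():
        print(f"{user}: granted only through WORLD -> {', '.join(roles)}")
```
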


Configuring MSAD or LDAP User Directories


The following external directories are supported:
- Lightweight Directory Access Protocol (LDAP)-enabled user directories, such as Oracle Internet Directory (OID)
- Oracle Directory Server Enterprise Edition (ODSEE) 11gR1 (11.1.1.3+) (previously called Sun Java Directory Service 6.3)
- Novell eDirectory 8.8
- IBM Tivoli Directory Server 6.2
- SAP R/3 Enterprise 5.0
- Computer Associates SiteMinder 6
- Microsoft Active Directory (MSAD) 2003 and 2008
- Relational databases (Oracle database 10.2.0.4 and later, IBM DB2 9.5 and 9.7, Microsoft SQL Server 2005, 2008, and 2008 R2)

NOTE: You cannot manage external directory users and groups in Shared Services Console. You can configure Shared Services to work with the users and groups that you created in external user directories.

In this class, you connect to an MSAD external directory.

To configure OID, MSAD, or other LDAP-enabled user directories:

1. In Shared Services Console, select Administration, then Configure User Directories. The Defined User Directories page is displayed. This page lists all configured user directories, including Native Directory.
2. Click New.
3. For a directory type, select an option:
   - Lightweight Directory Access Protocol (LDAP)
   - Microsoft Active Directory (MSAD)
   - SAP
   - Relational Database (Oracle, DB2, SQL Server)
4. Click Next. The Connection Information page for the selected user directory type is displayed.
5. Enter the required parameters.

The following table describes the parameters for your external authentication provider:
Field: Directory Server
Description: Select a user directory. Select Other if you are using a user directory that is not listed. This property is automatically selected if you chose Active Directory.

Field: Name
Description: Enter a descriptive name for the user directory. This description is used to identify a specific user directory if multiple user directories are configured.

Field: DNS Lookup
Description: Active Directory only: Select this option to enable DNS lookup.

Field: Host Name (Option)
Description: Active Directory only: Select this option to enable static host name lookup.

Field: Host Name
Description: Enter the DNS name or IP address of the user directory server. Use the fully qualified domain name if the user directory is to be used to support SSO from SiteMinder.

Field: Port
Description: Enter the port number where the user directory is running.

Field: SSL Enabled
Description: Select to enable secure communication with this user directory. The user directory must be configured for secure communication.

Field: Base DN
Description: Enter the distinguished name (DN) of the node where the search for users and groups should begin. You can also use the Fetch DNs button to list available base DNs and then select the appropriate base DN from the list. Oracle recommends that you select the lowest DN that contains all EPM System product users and groups.

Field: ID Attribute
Description: Enter a unique user attribute. The recommended value of this attribute is automatically set for OID (orclguid), SunONE (nsuniqueid), IBM Directory Server (Ibm-entryUuid), Novell eDirectory (GUID), and Active Directory (ObjectGUID). You may change the default value to DN if necessary. Note: Oracle does not recommend the use of DN as the ID Attribute because it can cause users and groups to lose provisioning data if they move from the current organizational unit to another.

Field: Maximum Size
Description: Enter the maximum number of results that a search can return. If this value is greater than that supported by the user directory settings, the user directory value overrides this value. For user directories other than Active Directory, leave this field blank to retrieve all users and groups that meet the search criteria. For Active Directory, set this value to 0 to retrieve all users and groups that meet the search criteria.

Field: Trusted
Description: Select this check box to indicate that this provider is a trusted SSO source. SSO tokens from trusted sources do not contain the user's password.

Field: Anonymous Bind
Description: Select this check box to indicate that Shared Services can bind anonymously to the user directory to search for users and groups. Can be used only if the user directory allows anonymous binds. If this option is not selected, you must specify, in the User DN, an account with sufficient access permissions to search the directory where user information is stored. Oracle recommends that you do not use anonymous bind.

Field: User DN
Description: Enter the distinguished name of the user that Shared Services should use to bind with the user directory. This distinguished name must have read privileges within the Base DN. Note: This box is disabled if you select Anonymous Bind.

Field: Append Base DN
Description: Select this check box to append the base DN to the User DN. If you are using Directory Manager account as the User DN, do not append Base DN. Note: This box is disabled if you select Anonymous Bind.

Field: Password
Description: Enter the User DN password. Note: This box is disabled if you select Anonymous Bind.

Field: Show Advanced Options
Description: Select this check box to display advanced options. For more information about advanced options, see the Oracle Hyperion Enterprise Performance Management System User and Role Security Guide.

6. Click Next. The User Configuration screen is displayed.

NOTE: The steps to configure user directories are continued in the succeeding sections.


User Configuration
You can use the Auto Configure field to quickly retrieve User information.

Shared Services uses the User Configuration properties to create a URL to determine the node where searches for users begin. Using this URL speeds up the search.

TIP: The user URL should not point to an alias. EPM System security requires that the user URL points to an actual user and not its alias.

To set user configuration properties:
1. Perform steps to configure OID, MSAD, or other LDAP-enabled user directories from the previous section.
2. Perform one of the following actions:
   a. Enter a unique user identifier using the format attribute=identifier and click Auto Configure.
      NOTE: Oracle recommends that you use Auto Configure to retrieve the required information. If you are using OID, you cannot automatically configure user properties, because the root DSE of OID does not contain entries in the Naming Contexts attribute.
   b. Enter user information manually. The following table contains the field definitions:
Field: User RDN
Description: Enter the Relative DN of the user. Each component of a DN is called an RDN and represents a branch in the directory tree. The RDN of a user is generally the equivalent of the uid or cn. Example: ou=people

Field: Login Attribute
Description: Enter the attribute that stores the login name of the user. Users use the value of this attribute as the User Name while logging on to EPM System products. Example: uid

Field: First Name Attribute
Description: Enter the attribute that stores the user's first name. Example: givenName

Field: Last Name Attribute
Description: Enter the attribute that stores the user's last name. Example: sn

Field: Email Attribute
Description: Enter the attribute that stores the user's e-mail address. Example: mail

Field: Object Class
Description: Enter the object classes of the user (the mandatory and optional attributes that can be associated with the user). Shared Services uses the object classes listed in this screen in the search filter, and should find all users who should be provisioned. If needed, you can manually add object classes by entering the object class name in the Object Class box, and clicking Add. To delete object classes, select the object class and click Remove. Example: person, organizationalPerson, inetorgperson

Field: Show Advanced Options
Description: Select this check box to enable the use of a filter to retrieve users during search operations.

Field: Filter to Limit Users
Description: Enter an LDAP query that retrieves only the users that are to be provisioned with EPM System product roles. For example, the LDAP query (uid=Hyp*) retrieves only users whose names start with the prefix Hyp. The User Configuration screen validates the User RDN and recommends the use of a user filter, if required. After entering the user filter, click Execute Filter to validate the query by obtaining a count of the number of users that will be retrieved with the filter. With the user filter, you limit the number of users returned during a query. It is especially important if the node identified by the user RDN contains many users that need not be provisioned. User filters can be designed to exclude the users that are not to be provisioned, thereby improving performance.

Field: Resolve Custom Primary Groups
Description: Active Directory only: The checkbox that indicates whether to identify primary groups of users to determine effective roles. This checkbox is selected by default. Oracle recommends that you do not change this setting.

3. Click Next. The Group Configuration page is displayed.

NOTE: The steps to configure user directories are continued in the succeeding section.


Group Configuration
You can use the Auto Configure field to quickly retrieve Group information.

Shared Services uses the Group Configuration properties to create a URL to determine the node where searches for groups begin. The URL speeds up the search.

TIP: The group URL should not point to an alias. EPM System security requires that the group URL points to an actual group and not its alias.

Data entry in the Group Configuration screen is optional. If you do not enter the group URL settings, Shared Services searches within the Base DN to locate groups, which can negatively affect performance, especially if the user directory contains many groups. If you do not plan to provision groups, or if users are not categorized into groups on the user directory, you can clear the Support Groups check box to disable the fields on this screen.


To set group configuration properties:
1. Perform steps to configure OID, MSAD, or other LDAP-enabled user directories and set user configuration properties from the previous sections.
2. Deselect Support Groups if you do not plan to provision groups, or if users are not categorized into groups on the user directory, then skip to step 5. Clearing this option disables the fields on this page.
3. Perform one of the following actions:
   a. Enter a group identifier using the format attribute=identifier and click Auto Configure.
      NOTE: Oracle recommends that you use Auto Configure to retrieve the required information. If you are using OID, you cannot automatically configure group properties, because the root DSE of OID does not contain entries in the Naming Contexts attribute.
      If the group URL is not set for user directories that contain / (slash) or \ (backslash) in their node names, the search for users and groups fails. For example, any operation to list the user or group fails if the group URL is not specified for a user directory in which users and groups exist in a node, such as OU=child\ou,OU=parent/ou or OU=child/ou,OU=parent\ou.


   b. Enter group information manually. The following table contains the field definitions:

Field: Group RDN
Description: Enter the Relative DN of the group. Each component of a DN is called an RDN and represents a branch in the directory tree. This value, which is relative to the Base DN, is used as the group URL. Specify a Group RDN that identifies the lowest user directory node in which all groups that you plan to provision are available. The Group RDN has a significant impact on login and search performance. Because it is the starting point for all group searches, you must identify the lowest possible node in which all groups for EPM System products are available. To ensure optimum performance, the number of groups present within the Group RDN should not exceed 10,000. If more groups are present, use a group filter to retrieve only the groups that you want to provision. Note: Shared Services displays a warning if the number of available groups within the Group URL exceeds 10,000. Example: ou=Groups

Field: Name Attribute
Description: Enter the attribute that stores the group name. Example: cn

Field: Object Class
Description: Enter the object classes of the group. Shared Services uses the object classes listed in this screen in the search filter, and should find all groups that are associated with the user. If needed, you can manually add object classes by entering the object class name in the Object Class box, and clicking Add. To delete object classes, select the object class and click Remove. Example: groupofuniquenames?uniquemember

Field: Show Advanced Options
Description: Select this check box to enable the use of a filter to retrieve groups during search operations.

Field: Filter to Limit Groups
Description: Enter an LDAP query that retrieves only the groups that are to be provisioned with EPM System product roles. For example, the LDAP query (|(cn=Hyp*)(cn=Admin*)) retrieves only groups whose names start with the prefix Hyp or Admin. After entering the group filter, click Execute Filter to validate the filter by obtaining a count of the number of groups that will be retrieved with the filter. With the group filter, you limit the number of groups returned during a query. It is especially important if the node identified by the group RDN contains many groups that need not be provisioned. Filters can be designed to exclude the groups that are not to be provisioned, thereby improving performance.


4. Click Save. The Directory Configuration Result page is displayed.
5. Click OK. The Defined User Directories page is displayed.
6. Click Save. The Save Configuration Summary page is displayed.
7. Click OK. The Defined User Directories page is displayed.
8. Click Log Off.
9. If you are prompted to log off, click Yes.
10. Restart services.
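The Filter to Limit Users and Filter to Limit Groups settings described above take standard LDAP search filters. The following added example (not part of the Oracle course material) parses such filters and previews which entries they select, so that a prefix filter can be reviewed before it is saved; the directory entries, DNs and function names are constructed for illustration, and case-insensitive matching is assumed, as is standard for uid and cn.

```python
import re

def parse_filter(text):
    """Parse an RFC 4515 filter string (subset: & | ! and attr=value with * wildcards)."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text after filter at offset {pos}")
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
        node = (op, children)
    else:
        end = s.find(")", i)
        item = s[i:end]
        attr, sep, value = item.partition("=")
        if end == -1 or not sep or not attr.strip() or "(" in item:
            raise ValueError(f"malformed comparison at offset {i}")
        node = ("=", attr.strip().lower(), value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def _unescape(piece):
    # A literal '*', '(' or ')' in a value arrives hex-escaped (\2a, \28, \29).
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)

def _value_regex(value):
    # Unescaped '*' is the wildcard; "attr=*" therefore matches any present value.
    parts = [re.escape(_unescape(p)) for p in value.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    op = node[0]
    if op == "&":
        return all(matches(c, attrs) for c in node[1])
    if op == "|":
        return any(matches(c, attrs) for c in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    rx = _value_regex(node[2])
    return any(rx.fullmatch(v) for v in attrs.get(node[1], []))

def preview(filter_text, entries):
    """Return the DNs a filter would select (the list behind the count)."""
    node = parse_filter(filter_text)
    return [dn for dn, attrs in entries if matches(node, attrs)]

def is_valid(filter_text):
    try:
        parse_filter(filter_text)
        return True
    except ValueError:
        return False

# Constructed sample entries: (DN, {lower-case attribute name: [values]}).
USERS = [
    ("uid=HypAdmin,ou=people,dc=example,dc=com", {"uid": ["HypAdmin"]}),
    ("uid=hypuser1,ou=people,dc=example,dc=com", {"uid": ["hypuser1"]}),
    ("uid=svc_backup,ou=people,dc=example,dc=com", {"uid": ["svc_backup"]}),
    ("uid=jsmith,ou=people,dc=example,dc=com", {"uid": ["jsmith"]}),
]
GROUPS = [
    ("cn=HypPlanners,ou=Groups,dc=example,dc=com", {"cn": ["HypPlanners"]}),
    ("cn=Administrators,ou=Groups,dc=example,dc=com", {"cn": ["Administrators"]}),
    ("cn=Admin_EPM,ou=Groups,dc=example,dc=com", {"cn": ["Admin_EPM"]}),
    ("cn=Sales_West,ou=Groups,dc=example,dc=com", {"cn": ["Sales_West"]}),
]
# Tighter variant of the page's group filter that excludes one unintended match.
TIGHT_GROUP_FILTER = "(&(|(cn=Hyp*)(cn=Admin*))(!(cn=Administrators)))"

if __name__ == "__main__":
    for f, data in [("(uid=Hyp*)", USERS), ("(|(cn=Hyp*)(cn=Admin*))", GROUPS),
                    (TIGHT_GROUP_FILTER, GROUPS)]:
        hits = preview(f, data)
        print(f"{f}: {len(hits)} match(es)")
        for dn in hits:
            print("   ", dn)
```

In this constructed data, (|(cn=Hyp*)(cn=Admin*)) also selects the Administrators group, which is why the list of selected entries is worth reviewing alongside the count.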

Testing User Directory Connections


After configuring a user directory, test the connection to ensure that Shared Services can connect to the user directory with the current settings.

To test user directory connections:
1. From Shared Services Console, select Administration, and then Configure User Directories. The Defined User Directories screen is displayed.
2. From the list of user directories, select an external user directory configuration to test.
3. Click Test. A status message indicating the test result is displayed.
4. Click OK.

Managing the User Directory Search Order


When you configure an external user directory, Shared Services automatically adds the user directory to the search order and assigns it the next available search sequence. The search order is used to cycle through configured user directories when EPM System searches for users and groups.


You can remove a user directory from the search order, in which case Shared Services automatically reassigns the search order of the remaining directories. User directories not included in the search order are not used to support authentication and provisioning.

NOTE: Shared Services terminates the search for the user or group when it encounters the specified account. Oracle recommends that the corporate directory that contains most of the EPM System users be placed at the top of the search order.

If a user has multiple accounts within a user directory, EPM System retrieves the account that the search first encounters.

You can perform the following tasks to manage the search order:
- Add a User Directory to a search order
- Change the search order
- Remove a search order assignment


Provisioning Users and Groups


[Figure: Provisioning Users and Groups. Diagram labels: Authentication, EPM System product, CSS, ACL, Registration, Provisioning, Get provisioning information, External user directory, Shared Services, EPM Configurator, Provisioning and Registration, Relational database]



Provisioning is the process of granting roles and object Access Control Lists (ACLs) belonging to EPM System applications to users and groups. EPM System security determines user access to applications using the concept of roles. Roles are permissions that determine user access to product functions. Each product provides several default roles tailored to suit various business needs. Predefined roles from each application registered with Shared Services are available from Shared Services Console and used for provisioning. You may also create additional roles that aggregate the default roles to suit specific requirements. Some EPM System products enforce object-level ACLs to further refine user access to their artifacts such as reports and dimension members. Provisioning is managed at the user or group levels by Provisioning Managers or Shared Services Administrators assigning one or more EPM System application roles to a user or group.


Provisioning Sequence
Shared Services communicates with the following repositories for provisioning:
- The Shared Services relational database contains product registration information.
- The OpenLDAP database contains role-provisioning information.
- The product repositories contain authentication privileges that are product-specific.
- The external authentication directory contains user credentials and group hierarchy information.

The EPM System authorization process is as follows:
1. After the user logs on, the EPM System product checks whether the user has credentials in user directories.
2. The EPM System product retrieves the user's provisioning data using group and user information in Shared Services.
3. The EPM System product uses group and user information to retrieve the user's provisioning data from Shared Services. The product uses this data to determine which resources a user can access.

Product-specific provisioning tasks, such as setting product-specific access control, are completed for each product. This data is combined with provisioning data to determine the product access for users.

Available Roles
A role is a construct, similar to an access control list, that defines the access permissions granted to users and groups to perform functions on Hyperion resources. It is a combination of resource or resource types. Access to Hyperion application resources is restricted. Users can access application resources only after a role that provides access is assigned to the user or to the group to which the user belongs. Access restrictions based on roles enable administrators to control and manage application access.


Global Roles

Global roles are Shared Services roles that enable users to perform certain tasks within the Shared Services Console. The following table describes some global roles:
Role: Administrator
Description: The Administrator role provides control over all products that integrate with Shared Services. It enables more control over security than any other Hyperion product roles and should therefore be assigned sparingly. Administrators can perform all administrative tasks in Shared Services Console and can provision themselves. This role grants broad access to all applications registered with Shared Services. The Administrator role is, by default, assigned to the admin Native Directory user, which is the only user available after you deploy Shared Services. This user account is initially used to create accounts for other administrators.

Role: Directory Manager
Description: The Directory Manager role creates and manages users and groups within Native Directory. The recommended practice is to grant one user the Directory Manager role and another user the Provisioning Manager role. Otherwise, Directory Managers can provision themselves. For example, if a user is assigned both roles for a Financial Management application, this user can create a new user, assign the user any role within the application, and log on as the new user, thereby granting personal access to the Financial Management application.

Role: Project Manager
Description: The Project Manager role creates and manages projects within Shared Services.

Role: LCM Manager
Description: The LCM Manager role executes Artifact Life Cycle Management Utility to promote artifacts and data across product environments and operating systems.

Predefined Roles

Predefined roles are built-in roles in EPM System products. You cannot delete these roles from the product. Predefined roles are registered with Shared Services during the application registration process.


Aggregated Roles

Aggregated roles are custom roles that aggregate multiple product roles within a Hyperion product. An aggregated role consists of multiple roles, including other aggregated roles. For example, a Shared Services Administrator or Provisioning Manager can create a role for Planning that combines the Planner and View User roles into an aggregated role. Aggregating roles can simplify the administration of products that have a large number of granular roles. You cannot create an aggregated role that spans products, and you cannot include global Shared Services roles in aggregated roles. Aggregated roles are also known as custom roles.

To provision users or groups:
1. In Shared Services Console, expand User Directories.
2. Select a user directory, and search for users or groups.
3. Right-click the user or group, and select Provision. The Provisioning tab is displayed.
4. Optional: Click Tree or List. Roles can be displayed in a hierarchy (tree) or a list. You must drill down the hierarchy to display available roles. The list view lists all available roles but does not show their hierarchy.
5. Select one or more roles, and click Add. The selected roles are displayed in Selected Roles.
6. Click Save. A dialog box, which indicates that the provisioning process is successful, is displayed.
7. Click OK.

Deprovisioning Users and Groups


When you deprovision users or groups, you remove the assigned roles from an application. Shared Services Administrators can deprovision roles from several applications. Provisioning managers of applications can deprovision roles from their applications.


For example, assume that the group Sales_West is provisioned with roles from Financial Management. If this group is deprovisioned by a Financial Management Provisioning Manager, only the roles from Financial Management are removed.

To deprovision users or groups:
1. In Shared Services Console, expand User Directories.
2. Select a user directory, and search for users or groups.
3. Right-click the user or group, and select Deprovision.
4. On the Deprovisioning tab, perform one of the following actions, and click OK.
   - Select one or more applications.
   - Select Check All to choose all available applications.
5. Click OK.
6. Click Yes in the confirmation dialog box.
7. Click OK.


Generating Provisioning Reports



You can create reports on provisioning information in Shared Services Console. Provisioning reports enable administrators to review the access rights and permissions granted to users and groups across EPM System applications, which helps track user access for compliance reporting. The report can contain information on users assigned to roles from selected applications, roles from selected applications assigned to users, and inheritance information that shows the sequence of inheritance starting with the original group or role that was responsible for granting the provisioned role to the user.

To generate provisioning reports:
1. In Shared Services Console, select Administration, and then View Provisioning Report.
2. Enter report generation parameters.


3. Click Create Report. The report is displayed on the Provision Report tab.
4. Click Print Preview. The report is displayed in the View Report window.
5. Click Print.
6. Select a printer, and click Print.
7. Click Close.
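A provisioning report with inheritance information can be used to check the recommendation that the Directory Manager and Provisioning Manager roles go to different users. The following added example (not Oracle code, and not the Shared Services report format) resolves effective roles through nested groups and flags users who end up holding both; all users, groups and data structures are constructed, and nested group membership is an assumption of the sample.

```python
from collections import deque

# Constructed sample data, standing in for what a provisioning review would collect.
USER_GROUPS = {                     # user -> groups the user belongs to directly
    "admin": [],
    "mlopez": ["Directory_Admins"],
    "jdoe": ["HFM_Support"],
    "akhan": ["Provisioning_Team"],
}
GROUP_PARENTS = {                   # group -> groups it is itself a member of
    "HFM_Support": ["Directory_Admins", "Provisioning_Team"],
    "Directory_Admins": [],
    "Provisioning_Team": [],
}
DIRECT_ROLES = {                    # principal (user or group) -> roles provisioned on it
    "admin": {"Administrator"},
    "mlopez": {"LCM Manager"},
    "Directory_Admins": {"Directory Manager"},
    "Provisioning_Team": {"Provisioning Manager"},
}
# Role pairs that the lesson recommends assigning to different users.
CONFLICTING_ROLES = [("Directory Manager", "Provisioning Manager")]

def effective_roles(user):
    """Return {role: chain}, where chain is user -> group -> ... that grants the role."""
    granted = {}
    seen = {user}                   # guards against membership cycles
    queue = deque([[user]])
    while queue:
        chain = queue.popleft()
        principal = chain[-1]
        for role in sorted(DIRECT_ROLES.get(principal, ())):
            granted.setdefault(role, chain)   # breadth-first: shortest chain is kept
        if len(chain) == 1:
            parents = USER_GROUPS.get(principal, [])
        else:
            parents = GROUP_PARENTS.get(principal, [])
        for group in parents:
            if group not in seen:
                seen.add(group)
                queue.append(chain + [group])
    return granted

def sod_violations(conflicts=CONFLICTING_ROLES):
    """List (user, {role: chain}) for every user whose effective roles contain a conflicting pair."""
    findings = []
    for user in sorted(USER_GROUPS):
        roles = effective_roles(user)
        for first, second in conflicts:
            if first in roles and second in roles:
                findings.append((user, {first: roles[first], second: roles[second]}))
    return findings

def role_holders(role):
    """Users who hold a role directly or through groups, e.g. to keep Administrator sparse."""
    return [u for u in sorted(USER_GROUPS) if role in effective_roles(u)]

if __name__ == "__main__":
    for user, evidence in sod_violations():
        print(f"{user} holds conflicting roles:")
        for role, chain in evidence.items():
            print(f"    {role} via {' > '.join(chain)}")
    print("Administrator holders:", role_holders("Administrator"))
```

In the constructed data no conflicting pair is assigned to jdoe directly; both roles arrive through the nesting of HFM_Support, which is the case a review of direct assignments alone would miss.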


Creating Application Groups


Application groups are containers for EPM System applications.



An application group is a container for EPM System applications. For example, an application group may contain a Financial Management application and one or more Reporting and Analysis applications. If you create an application but you do not assign it to a group, the application is listed under the Default Application Group node in Shared Services Console. An application can belong to only one application group, but an application group may contain multiple applications.

You can start the provisioning process even if the applications are not assigned to application groups. You can provision applications listed in the Default Application Group node, and then move them to an application group without losing provisioning information.


NOTE: You must be a Shared Services Administrator or Project Manager to create and manage application groups. Shared Services Administrators can work with all registered applications, whereas a Project Manager can work only with the application for which that person is the project manager.

To create application groups:
1. In Shared Services Console, right-click Application Groups in the Object Palette, and select New. The New Application Group page opens.
2. Enter a unique application group name and an optional description.
3. Perform the following actions to assign applications to this application group:
   a. From the List Applications in Application Group list, select DefaultApplicationGroup or an existing application group.
   b. Click Update List. The Available Applications list displays the applications that you can assign to the application group.
   c. From the Available Applications list, select the applications to assign to the project and click Add. The selected applications appear in the Assigned Applications list.
4. Click Finish.
5. Perform an action:
   - Click Create Another to create another application group.
   - Click OK to close the status page.


Summary
In this lesson, you should have learned to:
- Describe EPM System Configurator
- Configure Shared Services
- Configure external user directories
- Provision users and groups
- Generate provisioning reports
- Create application groups
