Essbase provides a system for managing access to applications, databases, and other artifacts within Essbase. The Essbase native security system provides protection in addition to the security available through your local area network.
Essbase native security addresses a wide variety of database security needs with a multilayered approach to enable you to develop the best plan for your environment. Various levels of permission can be granted to users and groups or defined at the system, application, or database level. You can apply security in the following ways:
Grant permissions to individual users and groups of users. When higher, these permissions take precedence over the minimum permissions defined for applications and databases. Ordinary users have no inherent permissions. Permissions can be granted to users and groups by editing the users and groups or by using the grant MaxL statement. See Granting Permissions to Users and Groups in Essbase Native Security Mode.
You can create users who log on using the parameters of an external authentication repository instead of the Essbase password. If you want users to use an outside authentication repository, such as LDAP, you must implement EPM System security and create the Essbase users with a reference to that security mode. See Using EPM System Security for External Authentication in Essbase Native Security Mode.
Application and database settings.
To set common permissions for all users of an application or database, you can set minimum permissions that all users can have at each application or database scope. Users and groups with lower permissions than the minimum gain access; users and groups with higher granted permissions are not affected. You can also temporarily disable different kinds of access using application settings. See Managing Global Security for Applications and Databases in Native Security Mode.
Create and manage login restrictions for the entire Essbase Server. View and terminate current sessions and requests running on the entire Essbase Server or only on particular applications and databases. See Managing User Activity on Essbase Server in Essbase Native Security Mode.
Define database permissions that users and groups can have for particular members, down to the individual data value (cell). See Controlling Access to Database Cells Using Security Filters.
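The layers described above can be seen together in a short MaxL script. This is an added example, not taken from the Essbase documentation; the database Sample.Basic, the user analyst1, the group planners, the filter east_write, and the placeholder password are assumed names chosen for illustration.

```maxl
/* Added example. Sample.Basic, analyst1, planners and east_write are
   assumed names; run in the MaxL Shell as an administrator. */

/* Layer 1: database-wide minimum. Every user gets at least read. */
alter database Sample.Basic set minimum permission read;

/* Layer 2: individual grant. It is higher than the minimum, so it
   takes precedence for this user. The password is a placeholder. */
create user analyst1 identified by 'Placeholder_Passw0rd';
grant write on database Sample.Basic to analyst1;

/* Layer 3: cell-level filter. A user or group can hold only one
   filter per database, so all rules for planners go in this one. */
create group planners;
create or replace filter Sample.Basic.east_write
    write on '@IDESCENDANTS(East)';
grant filter Sample.Basic.east_write to planners;

/* Layer 4: application setting. Temporarily block updates during
   maintenance, then allow them again. */
alter application Sample disable updates;
alter application Sample enable updates;

/* Review: confirm what was granted and who is connected. */
display privilege user analyst1;
display filter row Sample.Basic.east_write;
display session all;
```

Running the display statements after each change is a quick way to verify that a minimum permission has not granted broader access than intended.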
Table 121 describes security permissions and the tasks that can be performed with those permissions.
Table 121. Essbase Permissions
No inherent access to any users, groups, or data values, unless access is granted globally or by a filter. No Access is the default when creating an ordinary user. Users with No Access permissions can change their passwords.
Ability to read metadata (dimension and member names) and update data for the corresponding member specification.
Ability to calculate, read, and update data values for the assigned scope, using the assigned calculation. Administrators, application managers for the application, and database managers for the database can run calculations without being granted execute access.
Ability to modify outlines, create and assign filters, alter database settings, and remove locks/terminate sessions and requests on the database. A user with Database Manager permission in one database does not necessarily have that permission in another.
Ability to create, delete, and modify databases within the assigned application. Ability to modify the application settings, including minimum permissions, remove locks on the application, terminate sessions and requests on the application, and modify any artifact within the application. You cannot create or delete an application unless you also have been granted the system-level Create/Delete Applications permission. A user with Application Manager permission in one application does not necessarily have that permission in another.
Ability to access specific data and metadata according to the restrictions of a filter assigned to the user or group. The filter definition specifies, for subsets of a database, whether read, write, no access, or metaread is allowed for each subset. A user or group can be granted only one filter per database. Filters can be used in conjunction with other permissions. See Controlling Access to Database Cells Using Security Filters.
Ability to create and delete applications and databases within those applications, and control permissions, locks, and resources for applications created. Includes designer permissions for the applications and databases created by this user.
Ability to create, delete, edit, or rename all users and groups having equal or lesser permissions than their own.