When running Essbase in EPM System security mode, Essbase obtains user and group details (including user and group information and provisioning to Essbase applications) from Shared Services. Essbase no longer stores all users and groups in the Essbase security file (essbase.sec); therefore, an Essbase Administrator does not need to explicitly synchronize security between Essbase and Shared Services.
When a user logs on to Essbase, Essbase queries Shared Services for that user’s information. The privileges with which a user starts a session are preserved throughout the session, regardless of whether the user’s privileges are changed in Shared Services during the session.
A user or group is stored in the Essbase security file only under the following circumstances:
The user or group was not successfully migrated to Shared Services.
The user or group is assigned database calculation or filter access.
The user or group is specified in the query governor exclude list.
The user is the creator of an application or database.
The user has locked a database-related artifact.
The PERSISTUSERATLOGIN configuration setting is set to TRUE.
When a user logs on to Essbase, PERSISTUSERATLOGIN specifies whether to add the user to the essbase.sec file, if the user does not already exist in the file.
To remove users or groups from the Essbase security file without de-provisioning them from Shared Services, use the drop user or drop group MaxL statements with the from security_file grammar. Calculation and filter associations also are removed.
For display operations, Essbase queries Shared Services. See: