The following security issues must be addressed after migrating users to Shared Services or upgrading Essbase:
To log on to Essbase and access the Essbase agent, a user no longer must have the Server Access role on the global Essbase Server application. A user with any role (whether directly or indirectly provisioned) on an Essbase application can log on to Essbase and access the Essbase agent.
To prevent users who do not have a role on the global Essbase Server application from accessing the Essbase agent, you must manually modify users’ roles. Be sure to evaluate the roles that a user inherits from a group.
When a user logs on to Essbase, Essbase queries Shared Services for the user’s roles. The more roles that a user has, the longer it takes to complete the login process. To improve login performance, users should not be assigned unneeded roles.
Essbase no longer assigns the Application Manager role, which is unnecessary, to an Essbase Administrator when he creates an Essbase application. If, in your Essbase deployment, the Application Manager role is assigned to Essbase Administrators, you must manually remove the Application Manager role from the Essbase Administrators.
Also, an Essbase Administrator who has an Administrator role on the global Essbase Server application might be assigned application roles that are not needed. Essbase provides a migration utility that can remove the application roles for Essbase Administrators only.
The migration utility (which runs on 32-bit Windows only) identifies the users who are affected by both security issues. Additionally, if specified, the utility can correct the issue of Essbase Administrators having application roles.
To run the migration.bat file:
Unzip the migration.zip file, which creates a MigrationTools subdirectory.
In the MigrationTools subdirectory, edit the migration.properities file with the following information:
AdminUserName—Name of the Essbase Administrator who runs the migration utility
AdminUserPassword—The Essbase Administrator’s password
HSSServer—Hostname of the Shared Services Server
HSSPort—Port number of the Shared Services Server
EssbaseProjectName—The project name for the Essbase Server on which you want to run the migration utility
SavedToFile—When set to TRUE, specifies that the results of the migration script should be written to the following text files, which are located in the MigrationTools subdirectory:
EntitiesWithCubeRolesOnly.txt—Lists the users and groups that have application roles but do not have a role on the global Essbase Server application
EssbaseAdminsWithCubeRoles.txt—Lists the Essbase Administrators who have application roles
When set to FALSE (the default), the results are written to the screen.
Sample versions of these files are located in the MigrationTools subdirectory.
FixAdminUser—When set to TRUE, removes application roles from Essbase Administrators. When set to FALSE (the default), writes the names of Essbase Administrators, and the application roles assigned to them, to the screen.
For example:
AdminUserName = admin
AdminUserPassword = password
HSSServer = pant5
HSSPort = 58080
EssbaseProjectName = Analytic Servers:ALNG3:1
SavedToFile true
FixAdminUser false
Note: When running the utility for the first time against an Essbase Server, Oracle recommends setting SavedToFile to TRUE and FixAdminUser to FALSE so that you can view and verify the results. Then, you can set FixAdminUser to TRUE and run the utility again to remove application roles from Essbase Administrators.
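The following preflight check is an added example, not part of the Oracle utility. It parses the properties file described above and flags settings that contradict the first-run recommendation in the note. The function names, the first_run parameter, and case-insensitive handling of TRUE/FALSE are assumptions.

```python
import re

# Added example; helper names and the first_run parameter are hypothetical.
REQUIRED = ("AdminUserName", "AdminUserPassword", "HSSServer", "HSSPort",
            "EssbaseProjectName")
FLAG_DEFAULTS = {"SavedToFile": "FALSE", "FixAdminUser": "FALSE"}  # defaults stated on the page
LINE = re.compile(r"([^\s=]+)\s*=?\s*(.*)")  # accepts "key = value" and "key value"

# Constructed sample input, using the values from the page's example.
SAMPLE = """\
AdminUserName = admin
AdminUserPassword = password
HSSServer = pant5
HSSPort = 58080
EssbaseProjectName = Analytic Servers:ALNG3:1
SavedToFile true
FixAdminUser false
"""

def parse_properties(text):
    """Return the settings as a dict; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        match = LINE.match(raw.strip())
        if match and not raw.lstrip().startswith("#"):
            props[match.group(1)] = match.group(2).strip()
    return props

def preflight(text, first_run):
    """Return (mode, problems); mode is 'fix' when roles would be removed."""
    props = parse_properties(text)
    problems = [f"missing {key}" for key in REQUIRED if not props.get(key)]
    if props.get("HSSPort") and not props["HSSPort"].isdigit():
        problems.append("HSSPort is not a number")
    flags = {}
    for name, default in FLAG_DEFAULTS.items():
        value = props.get(name, default).upper()  # assumption: case-insensitive
        if value not in ("TRUE", "FALSE"):
            problems.append(f"{name} must be TRUE or FALSE")
        flags[name] = value == "TRUE"
    if first_run and flags["FixAdminUser"]:
        problems.append("first run: set FixAdminUser to FALSE and review the report")
    if first_run and not flags["SavedToFile"]:
        problems.append("first run: set SavedToFile to TRUE to keep the results")
    return ("fix" if flags["FixAdminUser"] else "report"), problems
```

Run the check before each invocation of the utility and proceed only when the problem list is empty.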