About Essbase Native Security Mode

Essbase provides a system for managing access to applications, databases, and other artifacts within Essbase. Using the Essbase native security system provides protection and the security available through your local area network.

Essbase native security addresses a wide variety of database security needs with a multilayered approach to enable you to develop the best plan for your environment. Various levels of permission can be granted to users and groups or defined at the system, application, or database level. You can apply security in the following ways:

Table 121 describes security permissions and the tasks that can be performed with those permissions.

Table 121. Essbase Permissions

Permission

Affected Scope

Description

No Access or None

Entire system, application, or database

No inherent access to any users, groups, or data values, unless access is granted globally or by a filter. No Access is the default when creating an ordinary user. Users with No Access permissions can change their passwords.

Read

Database

Ability to read data values.

Write

Database

Ability to read and update data values.

Metaread

Database

Ability to read metadata (dimension and member names) and update data for the corresponding member specification.

Execute (or Calculate)

Entire system, application, database, or single calculation

Ability to calculate, read, and update data values for the assigned scope, using the assigned calculation.

Administrators, application managers for the application, and database managers for the database can run calculations without being granted execute access.

Database Manager

Database

Ability to modify outlines, create and assign filters, alter database settings, and remove locks/terminate sessions and requests on the database.

A user with Database Manager permission in one database does not necessarily have that permission in another.

Application Manager

Application

Ability to create, delete, and modify databases within the assigned application. Ability to modify the application settings, including minimum permissions, remove locks on the application, terminate sessions and requests on the application, and modify any artifact within the application. You cannot create or delete an application unless you also have been granted the system-level Create/Delete Applications permission.

A user with Application Manager permission in one application does not necessarily have that permission in another.

Filter Access

Database

Ability to access specific data and metadata according to the restrictions of a filter assigned to the user or group. The filter definition specifies, for subsets of a database, whether read, write, no access, or metaread is allowed for each subset. A user or group can be granted only one filter per database. Filters can be used in conjunction with other permissions. See Controlling Access to Database Cells Using Security Filters.

Create/Delete Applications

Entire system

Ability to create and delete applications and databases within those applications, and control permissions, locks, and resources for applications created. Includes designer permissions for the applications and databases created by this user.

Create/Delete Users, Groups

Entire system

Ability to create, delete, edit, or rename all users and groups having equal or lesser permissions than their own.

Administrator

Entire system

Full access to the entire system and all users and groups.