Managing Security at Global and User Levels

Hyperion Essbase provides a comprehensive, multi-layered system for managing access to applications, databases, and other objects. The Hyperion Essbase Security System provides protection in addition to the security available through your local area network security system. The next three sections explain how to create a security plan with the Hyperion Essbase Security System.

This chapter contains the following sections:

Multi-Layered Security and Privileges

The Hyperion Essbase Security System addresses a wide variety of database security needs with a multi-layered approach to let you develop the best plan for your environment. You can combine the following layers of security:

User and Group layer: Define privileges and access levels for individual users and groups of users. When higher, these privileges take precedence over global access settings (applied to the server, applications, and databases).
Global Access layer: Define privileges and access at the level of the server, application, or database. User and group access conforms to these global settings except where higher privileges are granted at the user and group layer.
Database Filter layer: Define specific database access levels that users and groups can have for particular database members, down to the individual data value (cell). To learn more about the Database Filter layer, see Controlling Access to Database Cells.

The ESSBASE.SEC Security File

All information about users, groups, passwords, privileges, filters, applications, databases, and their corresponding directories is stored in the ESSBASE.SEC file in your $ARBORPATH\Bin directory. Each time you successfully start the Agent, a backup copy of the security file is created as ESSBASE.BAK.

If you attempt to start the Agent and can't get a password prompt or your password is rejected, no.BAK file is created. You can restore from the last successful startup by copying ESSBASE.BAK to ESSBASE.SEC. Both files are in the BIN directory where you installed the Hyperion Essbase server.

Privileges Available at Global and User Levels

Various types of management privileges can be assigned at the global or user levels.

Ordinary users have no management privileges.
At the global level, you assign management privileges on an application or database basis.
At the user level, you assign management privileges to a specific user or group, and their privileges are constant for all applications and databases. When higher, privileges assigned at the user level override the global settings defined at the application or database level.

The following table lists several tasks users with various management privileges can perform.

*Table 17-1: Global and User Management Privileges*
	Create/ Delete Users Privilege (assigned at user level)	Create/ Delete Applications Privilege (assigned at user level)	Application Designer Privilege (assigned at global level)	Database Designer Privilege (assigned at global level)
Create Applications
Modify Applications		1	2
Delete Applications		1
Create Databases		1	2
Modify Databases		1	2	3
Delete Databases		1	2
Define Global User Access at the Application Level		1	2
Define Global User Access at the Database Level		1	2	3
Create Users
Delete Users
Log Out Users		1, 5	5
Reset User Passwords	4
Define Filter Objects		1	2	3
Assign Filter Objects to Users or Groups		1	2	3
Remove Data Locks		1	2	3
1 Users with Create/Delete Applications privilege can affect only applications they have created. 2 Application Designer privileges are assigned per application; a user with Application Designer privilege in one application doesn't necessarily have that privilege in another. 3 Database Designer privileges are assigned per database; a user with Database Designer privilege in one database doesn't necessarily have that privilege in another. 4 Users with Create/Delete Users, Groups privilege can reset passwords of other users only if the other users have equal or lower privileges. 5 You can log out only those users who are connected to an application for which you have Application Designer privilege. If you have Create/Delete Applications privilege, you automatically have Application Designer privilege for any application you create.

Managing Security at the User and Group Layer

The User and Group Access layer lets you define security settings for individual users and groups. Groups are collections of users that share the same minimum privileges. Users inherit all privileges of the group, and can additionally have access to privileges that exceed those of the group. Users and groups are managed on a server-by-server basis: users defined on a server exist for all applications and databases on the server.

User and Group Types

One major way to assign privileges to users and groups is to define user and group types when you create or edit (modify the privileges of) the users and groups. You define these types in the New or Edit User dialog boxes (see Figure 17-6 and Figure 17-8, respectively).

. In the Application Manager, users and groups can have one of four types of privileges. A description of these user types follows. To learn how to define a type, see Creating, Editing, and Copying Users and Groups.

A user with Supervisor privilege has:

Full access to all applications, databases, related files, and security mechanisms for a server.
Privileges to create, delete, edit, and rename all users, including other supervisors.

Privileges to create and delete applications.

Note:

The user who installs Hyperion Essbase on the server is designated the Hyperion Essbase System Supervisor for that server. Hyperion Essbase requires that at least one user on each server has Supervisor privilege. Therefore, you cannot delete or downgrade the access level of the last supervisor on the server.

Figure 17-1: Supervisor Privilege

A user with ordinary user privilege can:

Access only those objects to which he or she has been granted privileges.
Change his or her own password.
Figure 17-2: Ordinary User Privilege

A user with Create/Delete Users/Groups privilege can:

Create and edit users with equal or lower privileges only.
Delete or rename users regardless of their privileges.
Rename users regardless of their privileges.
Create, edit, delete, or rename groups with equal or lower privileges only.
Figure 17-3: Create/Delete Users/Groups Privilege

A user with Create/Delete Applications privilege can:

Create, modify, and delete applications and databases.
Assign user access privileges to applications and databases at the Global Access layer.
Define and assign filter objects.
Remove data locks.

Users with Create/Delete Applications privilege cannot create or delete users, but they can manage global access to those applications which they have created. For more information on global access privileges, see Managing Security at the Global Access Layer.

. Figure 17-4: Create/Delete Applications Privilege

Users and groups can also have Application Designer or Database Designer privilege on an application or database basis. For more information about those settings, see Application Designer Privilege or Database Designer Privilege.

Managing Users and Groups

To help you manage security between users and groups, the following user-management tasks are available at varying degrees to differently privileged users:

Create new users and groups
Edit (modify the privileges of) existing users and groups
Copy the security profiles of existing users and groups
Delete users and groups
Rename users and groups

To begin managing users and groups:

Connect to the server that houses the users or groups.
Choose Security > Users/Groups.
Hyperion Essbase displays the following dialog box:

Figure 17-5: User/Group Security Dialog Box

The Users list box fills with the names of all users currently defined on this server. Similarly, the Groups list box fills with the names of all groups defined on this server. The five buttons to the right of each list box, which are displayed, let you perform the functions of user and group management.

For more information on managing users and groups, see Creating, Editing, and Copying Users and Groups, Copying an Existing Security Profile, Deleting Users and Groups, or Renaming Users and Groups.

For information about lock management and password/user name management, see Managing User Activity at the Server Level.

You can also use display user and display group in MaxL, or the LISTUSERS and LISTGROUPS commands in ESSCMD, to view a list of users and groups on the server. See the online Technical Reference in the DOCS directory for information.

Creating, Editing, and Copying Users and Groups

When you create, edit, or copy a user or a group, you define a security profile. This is where you define the extent of the privileges users and groups have in dealing with each other and in accessing applications and databases. For even more specific data-level security, see Controlling Access to Database Cells.

Creating a New User

To create a user means to define the user's name, password, and privilege and access specifications. You can also specify group membership for the user, and you can specify that the user be required to change the password at the next login attempt, or that the user name be disabled for any reason.

To create a new user:

Choose Security > Users/Groups.
Click New User in the User/Group Security dialog box. Hyperion Essbase displays the following dialog box:
Figure 17-6: New User Dialog Box
Type the name of the new user in the Username text box.
Type the user's password in the Password text box. The password must be at least six characters long.
As you type, Hyperion Essbase masks your typing with asterisks.
Retype the user's password in the Confirm Password text box. You must type the password exactly as you did in the Password text box.

Note: Passwords are not case-sensitive.
To force the user to change his or her password at the next login attempt, check User Must Change Password at Next Login. (This option lets you assign a generic password to all new users, which will then change when they begin using the system.)
At the next login attempt, the user is prompted to change the password in the Change Password dialog box, shown in Figure 17-9.
To lock the user out from the system for any reason, check Username Disabled. Only a system administrator (a user with Supervisor privilege) can re-enable the user name.
Choose the type of user to create from the User Type group. If you aren't sure which type of user to create, see User and Group Types. If you don't have sufficient privileges to create a class of user, those options are disabled.
To assign the user to a group, click Groups.
Hyperion Essbase displays the following dialog box:

Figure 17-7: Group Membership Dialog Box

The Not member of list box contains the names of all groups on the server to which this user does not belong.
- Choose a group from the list and click <-Add to add the user to that group. Similarly, you can click Remove-> to remove a user from a group listed in the Member of list box.
- Click OK to finalize the addition or removal.
To assign application and database access to the user, click App Access from the New User dialog box. See Defining Global Application Access and Defining Global Database Access for more information.
Click OK to add the new user to the server. Hyperion Essbase updates the Users list box (in the User/Group Security dialog box) with the new user.

	You can also use create user in MaxL or the CREATEUSER command in ESSCMD. See the online Technical Reference in the `DOCS` directory for information.
	You can also use alter user in MaxL or the ADDUSER and REMOVEUSER commands in ESSCMD to add and remove users from groups. See the online Technical Reference in the `DOCS` directory for information.

Editing a User

To edit a user means to modify the security profile established when the user was created. Any privilege or limitation that you do not assign when creating a new user can be specified later, using the "Edit User" capability. The dialog boxes for editing a user and for creating a new one are exactly the same (except for their titles).

Select the user whose profile you want to edit and click Edit User in the User/Group Security dialog box.
Hyperion Essbase displays the Edit User dialog box:

Figure 17-8: Edit User Dialog Box
To change the user's password, enter the new password in the Password text box. Hyperion Essbase masks your typing with asterisks.
Retype the user's password in the Confirm Password text box. You must type the password exactly as you did in the Password text box.

Note: Passwords are not case-sensitive.
To force the user to change his or her password at the next login attempt, check User Must Change Password at Next Login.
When this user tries to log in using the old password, he or she will be prompted to first change the password in the Change Password dialog box:

Figure 17-9: Change Password Dialog Box
To lock the user out from the server for any reason, check Username Disabled
(in the Edit User dialog box). Only a system administrator (a user with Supervisor privilege) can re-enable the username.
To change the user's group membership, click Groups.
To change the user's application access, click App Access.
Click OK to save the user's new security profile on the server. Hyperion Essbase updates the server security file with your changes.

Note: You cannot change the names of users from the Edit User dialog box. Use the Rename User button, described in Renaming Users and Groups.

You can also use alter user in MaxL or the SETPASSWORD command in ESSCMD to change a user's password. See the online Technical Reference in the DOCS directory for information.

What are "Groups" and How Do You Create Them?

A group is a collection of users who share the same minimum access privileges. It is helpful to place users in groups because it saves you the time of assigning identical privileges to users again and again.

A member of a group may have privileges beyond those assigned to the group, if they are assigned individually to that user.

The process for creating, editing, or copying groups is the same as that for users, except that there are no group passwords. You define group names, privileges, and access specifications just as you would for users.

When you create a new user, you can assign the user to a group. Similarly, when you create a new group, you can assign users to the group. You must define a password for each user; there are no passwords for groups.

Creating or Editing a Group

To create a new group or edit an existing group:

Choose Security > Users/Groups.
Hyperion Essbase displays the User/Group Security dialog box (see Figure 17-5).
To create a new group, click New Group.
To edit an existing group, select the group you want to edit and click Edit Group. Then follow these instructions; they are the same as for creating a new group.

Note: You cannot rename a group from the Edit Group dialog box; use the Rename Group button, described in Renaming Users and Groups.

Hyperion Essbase displays the following dialog box:

Figure 17-10: New Group Dialog Box
Type the name of the group in the Group name text box.
Choose the type of group to create from the Group Type group. If you don't have sufficient privileges to assign a group to a certain type, those options are disabled.
To assign users to the group:
- Click Users. The Group Membership dialog box appears, with the names of all users on the server listed either as members or non-members.
- Choose which users should be in the group.
  
  Note: You cannot add users to a group having higher privileges than your own.
- For more information on using the Group Membership dialog box to assign users to groups, click Help or see the instructions accompanying Figure 17-7.
- Click OK to assign the users, or click Cancel to assign no users at this time.
To assign application and database access to the group, click App Access from the New Group dialog box. Click Help, or see Defining Global Application Access and Defining Global Database Access for more information.
Click OK to add the new group to the server. Hyperion Essbase updates the Groups list box (in the User/Group Security dialog box) with the new (or edited) group.

To simply view a list of users in a selected group, click Edit Group and then click Users. The Members list box of this dialog box contains a list of the group's users.

	You can also use display user in group in MaxL or the LISTGROUPUSERS command in ESSCMD to view a group's membership. See the online Technical Reference in the `DOCS` directory for information.
	You can also use create group in MaxL or the CREATEGROUP command in ESSCMD to create a group. See the online Technical Reference in the `DOCS` directory for information.

Copying an Existing Security Profile

An easy way to create a new user with the same privileges as another user is to copy the security profile of an existing user. The new user is assigned the same user type, group membership, and application/database access as the original user.

You can also create new groups by copying the security profile of an existing group. The new group is assigned the same group type, user membership, and application access as the original group.

Note:

Copy to New filters any security privileges the creator does not have from the copy. For example, a user with Create/Delete Users privilege cannot create a new supervisor by copying the profile of an existing supervisor.

Copying a User or Group Profile

To copy a user or group means to duplicate the security profile of an existing user or group, and to give it a new name. It is helpful to copy users and groups because it saves you the time of reassigning privileges in cases where you want them to be identical.

To create a new user by copying the security profile of an existing user:

Choose Security > Users/Groups.
Hyperion Essbase displays the User/Group Security dialog box (see Figure 17-5).
Select the name of the user whose profile you want to copy.
Click Copy to New.
Hyperion Essbase displays the following dialog box:

Figure 17-11: Copy User Dialog Box
Type the name of the new user in the Username text box.
Enter a password in the Password text box, different from the original user's password if desired. The password must be at least six characters long.
As you type, Hyperion Essbase masks your typing with asterisks.
Retype the user's password in the Confirm Password text box. You must type the password exactly as you did in the Password text box.

Note: Passwords are not case-sensitive.
To force the new user to change his or her password at the next login attempt, check User Must Change Password at Next Login.
To lock the new user out from the system for any reason, check Username Disabled. (This option and the preceding option are also available from the New User and Edit User dialog boxes.)
Only a user with Supervisor privilege can reactivate the user name.
To change the new user's security class, choose the new class from the User Type group. If you don't have sufficient privileges to assign certain classes to the user, those options are disabled.
To change the new user's group membership, click Groups.
To change the new user's application access, click App Access.
Click OK to save the new user's security profile on the server. Hyperion Essbase updates the server security file with your changes.

Copying a Group Profile

To create a new group by copying the security profile of an existing group:

Choose Security > Users/Groups.
Hyperion Essbase displays the User/Group Security dialog box (see Figure 17-5).
Select the name of the group you want to copy.
Click Copy to New.
Hyperion Essbase displays the following dialog box:

Figure 17-12: Copy Group Dialog Box
Type the name of the new group in the Group name text box.
To change the new group's security class, choose the new class from the Group Type group. If you don't have sufficient privileges to assign certain classes to the group, those options are disabled.
To change the new group's membership list, click Users.
The Group Membership dialog box appears.

For more information on using the Group Membership dialog box to assign users to groups, click Help, or see the instructions accompanying Figure 17-7.
To change the group's application access, click App Access.
Click OK to save the new group's security profile on the server. Hyperion Essbase updates the server security file with your changes.

Deleting Users and Groups

To delete a user:

Choose Security > Users/Groups.
Hyperion Essbase displays the User/Group Security dialog box (see Figure 17-5).
Select the name of the user you want to delete in the Users list box.
Click Delete User.
Hyperion Essbase displays the following confirmation box:

Figure 17-13: Delete User Confirmation Box
Click Yes to delete the user, or click No to cancel the delete operation.
If you choose to delete the user, Hyperion Essbase updates the Users list box and the server security file with your changes. Hyperion Essbase automatically deletes users from all groups to which they belong.

To delete a group:

Choose Security > Users/Groups.
Hyperion Essbase displays the User/Group Security dialog box (see Figure 17-5).
Select the name of the group you want to delete in the Groups list box.
Click Delete Group.
Members of the group are not affected by this operation, except that they will no longer be a member of the deleted group.

When you click Delete Group, Hyperion Essbase displays the following confirmation box:

Figure 17-14: Delete Group Confirmation Box
Click Yes to delete the group, or click No to cancel the delete operation.
If you choose to delete the group, Hyperion Essbase updates the Groups list box and the server security file with your changes.

You can also use drop group and drop user in MaxL or the DELETEUSER and DELETEGROUP commands in ESSCMD to perform these tasks. See the online Technical Reference in the DOCS directory for information.

Renaming Users and Groups

To rename a user:

Choose Security > Users/Groups.
Hyperion Essbase displays the User/Group Security dialog box (see Figure 17-5).
Select the name of the user in the Users list box.
Click Rename User.
Hyperion Essbase displays the following dialog box:

Figure 17-15: Rename User Dialog Box
Type the new name for the user in the New Name text box.
Click OK to rename the user.
Hyperion Essbase updates the Users list box and the server security file with your changes. User names are automatically updated in all groups to which the user belongs.

To rename a group:

Choose Security > Users/Groups.
Hyperion Essbase displays the User/Group Security dialog box (see Figure 17-5).
Select the name of the group in the Groups list box.
Click Rename Group.
Hyperion Essbase displays the following dialog box:

Figure 17-16: Rename Group Dialog Box
Type the new name for the group in the New Name text box.
Click OK to rename the group.
Hyperion Essbase updates the Groups list box and the server security file with your changes. Members of the group are not affected by this operation.

You can also use alter user in MaxL or the RENAMEUSER command in ESSCMD to rename a user. See the online Technical Reference in the DOCS directory for information.

Modifying User Application and Database Access Settings

By default, users and groups inherit the global application and database settings, which become their security privileges. A user can, however, have application and database privileges that go beyond the global defaults. These settings can be defined by a system administrator when creating a new user or editing an existing user. There is no need to define the settings for Supervisors--they are automatically granted Application Designer access (full privileges) to every application on the server.

To modify application or database access settings for a group, follow the instructions below pertaining to a user, substituting the word "group" where you see "user."

To modify application or database access settings for a user:

Choose Security > Users/Groups.
Select a user name, then click Edit User.
Click App Access in the Edit User dialog box. (This button is disabled if the user being edited is a Supervisor.)
Hyperion Essbase displays the following dialog box:

Figure 17-17: User/Group Application Access Dialog Box

The Applications list box shows all applications defined on the server to which you have access. When you select an application, the user's current access level for the selected application appears in the Access group. If you have not yet assigned privileges to this user, the default access setting is None.
Select the appropriate application and access option:
- Choose None to give the user no access to the selected application or any of its databases.
- Choose Access DBs to define specific database access within the selected application.
- Choose App Designer to give the user most of the privileges available to a Supervisor, but for the selected application only. The user with Application Designer privilege has full access to the application, plus Create/Delete privileges for databases within the application, as well as the ability to log users out from that application, define and assign filters, and remove data locks.
Click OK to save the settings, unless you need to define database-level access settings. If you want to define database access settings, see Assigning Database Access to a User.

Assigning Database Access to a User

There is no need to assign database access for Supervisors, or for those with Application Designer privilege for the application or Database Designer privilege for the database. These users already have full database access.

You need to assign database access to other users if:

The users have not been granted sufficient user privileges to access databases (see the privileges shown in Table 17-1).
The database in question does not allow users sufficient access through its global settings (see Minimum Database Access) .
The users have no access granted to them through filters (see Controlling Access to Database Cells).

If you need to assign access to databases within the selected application, proceed as follows:

Select Access DBs from the User/Group Application Access dialog box (available by clicking App Access in the Edit User dialog box--see Figure 17-17). The DB Access button then becomes available.

Note:

The DB Access button is disabled when the selected user is a Supervisor or Application Designer for the selected database, because these users are automatically given Database Designer access to every database within the application.

Click DB Access. Hyperion Essbase displays the User Database Access dialog box:

Figure 17-18: User Database Access Dialog Box

The Database list box shows all databases defined within the application to which you have access. When you select a database, the access the user has for the selected database appears in the Access group.

If the user is not a Supervisor, you can give the user one of the following access levels:


User Access Level	Privilege Description
None	Indicates no access to any object or data value in a database.
Filter Access	Indicates that data access is restricted to those filters assigned to the user. (For information about filters, see Controlling Access to Database Cells)
Read Only	Indicates read access to retrieve all data values. Report scripts can also be run.
Read / Write	Indicates that all data values can be retrieved and updated (but not calculated). The user can run, but cannot modify, Hyperion Essbase objects.
Calculate	Indicates that all data values can be retrieved, updated and calculated with the default outline or any calc script to which the user has access.
Database Designer	Indicates that all data values can be retrieved, updated, and calculated. In addition, all database-related files can be modified.
Filter	Associates a filter object with a user name. A user can have one filter per database. (For information about filters, see Controlling Access to Database Cells). Checking this option or any other option except None enables the selection of a filter object from the list box.

Select the appropriate database and the access privileges you want to apply.
If you choose the Calculate access level, the Calcs button lets you define calc script execution access. Users can run any server-based calc script (provided they have sufficient security privileges) from the Application Manager or an Hyperion Essbase Spreadsheet Add-in. When you click Calcs, Hyperion Essbase displays the following dialog box:

Figure 17-19: Execute Calc Scripts Dialog Box

The Allow All Calcs check box lets you give the user access to all calc scripts on the server. Any scripts defined afterward are automatically added to the user's calculate privileges. Individual calc script privileges can be added or removed by selecting the script and clicking <-Add or Remove->.

Note: By default, a Supervisor, Application Designer, or Database Designer can run all calc scripts.
Click OK to close the dialog box and save the settings.

Viewing and Modifying User Access Privileges

The security system lets you view all users and groups on the server from a list. You can easily make changes to their application and database access levels from this same list. This enables you to effectively maintain a security plan for a large number of users.

Viewing and Modifying User Application Access

From the Application Desktop window, select the application name.
Choose Security > Application.
Hyperion Essbase displays the following dialog box, showing all users and groups on the server:

Figure 17-20: Application Access Dialog Box
To view the current access settings for a user or group, select the user or group name from the Users/Groups list box.
The Access group shows the current access level for the selected user or group. Click Help for information on each setting.
To modify the current application access settings for the selected user or group, choose the appropriate level from the Access group.
To define access to databases within the application, choose DB Access from the Application Access dialog box, or see Viewing and Modifying User Database Access.
Click OK to save the settings.

Viewing and Modifying User Database Access

From the Application Desktop window, select the application and database name.
Choose Security > Database. Hyperion Essbase displays the Database Access dialog box:
Figure 17-21: Database Access Dialog Box

The Users/Groups list box shows all users and groups on the server. To view the current settings for the user or group, select a name from the list. Click Help for information on each setting.
To modify the current settings for a user or group, select the user or group name from the list box and select the access setting you want to apply.
Click OK to save the settings.

Note: If a user has insufficient privileges to access the data in a database, the value does not show up in the spreadsheet or shows up as #NOACCESS.

Managing Security at the Global Access Layer

The Global Access layer pertains directly to the security-access settings for applications and databases and their related files. Application and database security settings are based on the minimum database access privilege granted to all users. For example, if an application has Read privilege assigned as the minimum database access level, all users can read any database within that application, even if their individual privileges do not specify Read access. Similarly, if a database has the privilege None assigned, only users with higher access privileges (granted at the user, group, or database filter layer) can gain access to the database.

Users with Supervisor privilege, Application Designer privilege for the application, or Database Designer privilege for the database are not affected by these settings. Supervisors automatically have full access, and Application Designers and Database Designers have full access only for their applications or databases.

By default, users and groups inherit the global access settings, which become their security privileges. A user can, however, have application and database privileges that go beyond the global defaults. For more information on application and database privileges defined at the user level, see Modifying User Application and Database Access Settings.

The following access privileges are available in the Global Access layer. These privileges apply to applications and databases.


Access Level	Privilege Description
None	Specifies that no minimum permission has been defined for the application or database. This is the default global permission for newly created applications and databases.
Read	Specifies Read-Only access to any object or data value in the application or database. Users can view files, retrieve data values, and run report scripts. Read access does not permit data-value updates, calculations, or outline modifications.
Write	Specifies Update access to any data value in the application or database. Users can view Hyperion Essbase files, retrieve and update data values, and run report scripts. Write access does not permit calculations or outline modifications.
Calculate	Specifies Calculate and update access to any data value in the application or database. Users can view files, retrieve, update, and perform calculations based on data values, and run report and calc scripts. Calculate access does not permit outline modifications.
DB Designer	Specifies Calculate and update access to any data value in the application or database. In addition, DB Designer access lets users view and modify the outline and files, retrieve, update, and perform calculations based on data values, and run report and calc scripts.

Databases within applications inherit the privileges of the applications whenever the application's access settings are higher than those of the database.

Defining Global Application Access

You can define access settings and other settings that apply to applications on a global level. The settings you define for the application affect all users, unless they have higher privileges granted to them at the user level. The following application settings are available:

A brief description of the application
A time-out setting for locks
Options that control application loading, command processing, connections, updates, and security
Settings that define the minimum permissions to the application

Only users with Supervisor privilege (or Application Designer privilege for the application) can change Global Access settings for applications.

To define settings for an application:

Connect to the appropriate server and select the name of the application you want to secure.
Choose Application > Settings. (This command is unavailable to users with insufficient privileges to define application settings.)
Hyperion Essbase displays the following dialog box:

Figure 17-22: Application Settings Dialog Box
Define the settings that you want to apply to the application.
Click Help for information on each setting.

Minimum Database Access

The Global Access privileges are listed in the Minimum Database Access group. All databases within the application (as well as any databases created after the settings are defined) inherit the settings specified in the Application Settings dialog box (see Figure 17-22), unless they are changed at the database level.

Changes to the Minimum Database Access settings for applications affect only those databases that have lower access privileges. Assigning privileges at one level never takes away privileges that have been granted at another, except in the case of filters (for more information about filters, see Controlling Access to Database Cells).

For example, an application with a setting of Write contains two databases. The first database has had no higher access privileges granted, and so it inherits the application's Write setting. The second database has been assigned a minimum database access of Calculate. The application setting of Write does not affect the second database because Calculate is a higher privilege than Write.

If you were to change the application settings from Write to a minimum database access setting of Read, this would lower the first database's access level to Read. (The Write privilege is taken away only because the database was never assigned privileges at the database level--it has inherited the application's settings by default.) The second database, which has been defined with a higher privilege at the database level, would remain with the original setting of Calculate.

Application Security Options

In the Application Settings dialog box, all "Allow" settings (Allow Application to Start, Allow Commands, Allow Connects, and Allow Updates) override other security and access settings defined for users, with the exception of supervisors. When a supervisor clears any of the Allow check boxes, other supervisors are not affected by the change.

All Allow settings (Allow Commands, Allow Connects, and Allow Updates) are checked by default. If a supervisor unchecks a setting, it is not rechecked when the supervisor disconnects from an application or database.

When a supervisor clears Allow Commands, all other users (except supervisors) are immediately affected by the change. Changes to other application settings don't affect users currently connected to the application.

CAUTION: Never power down or reboot your client machine when you have cleared any of the Allow settings. (Always choose Server > Disconnect to log out from the server.) Improper shutdown can cause the application to become inaccessible, which requires a full application shutdown and restart.

If a power failure or system problem causes the Hyperion Essbase server to improperly disconnect from the Hyperion Essbase client, and your application is no longer accessible, you will need to shut down and restart the application. See Running Hyperion Essbase, Applications, and Databases for more information.

Defining Global Database Access

When you create a database, it inherits the Global Access settings defined for the application (see Minimum Database Access). In addition, any database within an application can be defined with its own higher Global Access settings, which override the application's Global Access settings.

To define settings for a database:

Connect to the appropriate server and select the name of the application that contains the database you want to secure.
Select the database name.
Choose Database > Settings. (This menu command is unavailable to users with insufficient privileges to define database settings.)
Hyperion Essbase displays the following dialog box:

Figure 17-23: Database Settings Dialog Box

In the General tab, define the settings that you want to apply to the database. Click Help for information on each setting.

The Global Access privileges are in the Database Access group.

Note:

Although any user with a minimum of Read access to a database can start the database, only a Supervisor, a user with Application Designer privilege for the application, or a user with Database Designer privilege for the database can stop the database.

Assigning Global Access Settings Per User

Users and groups can be assigned Application Designer or Database Designer privilege on an application or database basis. These settings are useful for assigning supervisor privileges to users who need to be in charge of particular applications or databases, but who only need ordinary user privileges for other projects.

Application Designer Privilege

If you have Application Designer privilege for an application, you have complete access to all objects in that application. (You cannot create or delete an application unless you also have been granted that privilege on the user level.) If you have Application Designer privilege, you can do the following:

Modify any object within the application
Create, modify, and delete databases within the application
Assign user access privileges at the application or database level for the application
Define and assign filter objects anywhere in the application
Remove data locks within the application
Disconnect users who are connected to the application or any application for which you have Application Designer privilege

Application Designer privilege applies only to the assigned application. Outside of the application, you revert to the privileges of an ordinary user.

Note:

If you are a user with Create/Delete Apps privilege, you are automatically given Application Designer privilege for any application you create. Therefore, you also have complete access to all objects in the application.

For a given database, users or groups can be assigned any one of the following privilege levels: None, Filter Access, Read Only, Read/Write, Calculate, and Database Designer.

Database Designer Privilege

If you have Database Designer privilege, you have complete access to all objects in the database. You cannot create or delete a database, but you can do the following:

Modify any object within the database
Restrict data access privileges at the database level for the database
Define and assign filter objects anywhere in the database
Remove data locks within the database

Database Designer privilege applies only to data access for the assigned database. Outside of the database, you revert to the privileges of an ordinary user.

Managing User Activity at the Server Level

This section explains how to manage the activities of users connected to the server. The security concepts explained in this section are lock management, connection management, and password/user name management. For information about managing security for partitioned databases, see Designing Partitioned Applications.

Managing Locks

Hyperion Essbase Spreadsheet Add-in users can interactively send data from a spreadsheet to the server. To maintain data integrity while providing multi-user concurrent access, Hyperion Essbase lets users lock data for the purpose of updating it. Users who want to update data must first lock the records to prevent other users from trying to change the same data.

The default maximum lock time is 3600 seconds, or 60 minutes. To prevent data from becoming inaccessible for long periods, Hyperion Essbase automatically unlocks data that remains locked beyond the allotted time. A user with Supervisor or Application Designer privilege can modify the maximum lock time setting.

Occasionally, you may need to force an unlock operation before the allotted time expires. For example, if you attempt to calculate a database that has active locks, the calculation must wait when it encounters a lock. By clearing the locks, you allow the calculation to resume.

The security system allows only Supervisors to view users holding locks and to remove the locks.

To view or remove locks, choose Security > Locks.
Hyperion Essbase displays the Database Locks dialog box:

Figure 17-24: Database Locks Dialog Box

The Database Locks dialog box displays a list of users who currently have at least one block locked. It also indicates the number of blocks that are locked, and the amount of time, in seconds, that the blocks have been locked.
To remove a lock, select the user name and click Remove Locks.

Note: Removing a lock does not disconnect the user from his or her session.

You can also use the REMOVELOCKS command in ESSCMD to perform this task. See the online Technical Reference in the DOCS directory for information.

Disconnecting Users

The security system lets you disconnect a user from the Hyperion Essbase server when you want to restructure an outline or load data.

A user with Supervisor or Application Designer privilege can disconnect a user connected to a particular application and database.

To disconnect a user:

Choose Security > Connections.
Hyperion Essbase displays the Connections dialog box:

Figure 17-25: Connections Dialog Box

If you have Supervisor privilege, this dialog box lists the following:
- All users connected to the same server you are connected to.
- The application and database each user is using. If no application and database name display next to a user name, then the user is logged in but not connected to a specific application.
- Your user name, which is preceded by two asterisks (**). You cannot disconnect yourself using this dialog box.
  If you have Application Designer privilege, this dialog box lists the following:
- All users, including yourself, who are connected to any application for which you have Application Designer privilege. Your user name is preceded by two asterisks (**). You cannot disconnect yourself using this dialog box.
- The application and database each user is using.
Select a user name from the list and click Logoff to disconnect the user.

Managing Passwords and User Names

You can place limitations on the number of login attempts users are allowed, on the number of days users may not use Hyperion Essbase before becoming disabled from the server, and on the number of days users are allowed to have the same passwords. Only system administrators (users with Supervisor privilege) can access these settings. The limitations apply to all users on the server, and are effective immediately upon clicking OK.

To place these settings, choose Server > Settings.
Hyperion Essbase displays the Server Settings dialog box.

Figure 17-26: Server Settings Dialog Box

The Password Management option group contains the settings for user management. A setting of 0 for any option means that that parameter is turned off; therefore, you must enter at least 1 to apply limitations.

To limit the number of unsuccessful login attempts you want to allow before the user becomes locked out from the server, enter the maximum number to allow in the first text box of the Password Management group.

Note:

If you return to the Server Settings dialog box later and change the number of unsuccessful login attempts allowed, Hyperion Essbase resets the count for all users. For example, if the setting was 15 and you changed it to 20, as soon as you clicked OK, all users would be allowed 20 new attempts. If you changed the setting to 2, a user who had already exceeded that number when the setting was 15 would not be locked out. The count returns to 0 for each change in settings.

To limit the number of inactive days allowed before the user becomes locked out from the server, enter the number in the second text box of the Password Management group.
The timer starts for all users as soon as you click OK, and it is reset for particular users each time they log in or are reactivated or edited by Supervisors.
To limit the number of days any user can log in with the same password, enter the number in the third text box.
The timer starts for all users as soon as you click OK, and it is reset for particular users each time they change their passwords or are reactivated or edited by Supervisors.

Viewing or Activating Disabled User Names

A user name becomes disabled when the user exceeds limitations specified in the Server Settings dialog box (see Managing Passwords and User Names), or because a system administrator has disabled the user name at the user level. To learn how to disable a user name, see Editing a User.

To view or activate currently disabled user names, choose Security > Disabled Usernames.
Hyperion Essbase displays the Disabled Usernames dialog box, which lists all disabled user names:

Figure 17-27: Disabled Usernames Dialog Box
To activate a user, select the user name from the list box and click Enable.
Hyperion Essbase displays a confirmation box.

Figure 17-28: Confirm Activate Confirmation Box
Click Yes to confirm that you want to activate the selected user name.

Note: Only a system administrator (a user with Supervisor privilege) can view or reactivate disabled user names.