Professional Documents
Culture Documents
User Provisioning:
User provisioning is the process of granting roles and access control to Hyperion product users. Only Shared Services Administrators and Provisioning Managers for an application can provision users. Based on roles assigned, users can perform specific tasks and access content in various applications. Provisioning is managed at the user or group level; that is, a Provisioning Manager selects users or groups and then provisions them with roles for applications, or for Shared Services global roles.
System Components:
The Shared Services User Management system consists of these components: Authentication Directories Projects and Applications
Users and Groups Roles In User Management Console, you operate on a component by selecting it in the object palette on the left side of the screen, and then right-click to view a context-sensitive menu for the object. The graphic below shows some of the objects contained in the object palette.
Authentication Directories:
You can configure Shared Services to use corporate authentication directories such as Lightweight Directory Access Protocol (LDAP), Windows NT LAN Manager (NTLM), and Microsoft Active Directory (MSAD). You can also use the native Shared Services OpenLDAP authentication directory (or a combination of both). The native OpenLDAP directory is installed and configured automatically with Shared Services. Any corporate authentication directories that are configured for Shared Services for external authentication are listed in User Management Console under the User Directories node. The native Shared Services directory, which is provided with the Shared Services server, is listed in User Management Console as the Native Directory. When performing user or group
management tasks, you select the authentication directory that contains the user or group you want to manage. When User Management Console is open, changes made to corporate directories are not reflected immediately in the console. For example, if you add a user to a corporate directory while the User Management Console is open, you must perform another user search in order to display the user in User Management Console. You cannot use User Management Console to perform certain operations on users and groups whose accounts exist in corporate directories. For example, you cannot rename or delete a user from a corporate directory in User Management Console; likewise, you cannot create users and groups in a corporate directory using User Management Console. You can, however, view and provision users whose accounts exist in corporate directories using User Management Console. For information about managing users and groups in corporate directories, see the respective directory server documentation.
The World group is the predefined group in the system. At the global level, the World group contains all users who are provisioned with at least one role in the system. At application levels, the World group can be used when an application administrator assigns access control to content within an application. In this context, the membership of the World group becomes applicationspecific in that it contains only the users provisioned for that application. Having a World group for each application enables administrators to assign access control for all users provisioned for the application at one time. You can provision users individually or you can combine users into groups and provision the groups. If appropriate for an application, users and groups can be provisioned with multiple roles for the application. For example, a Hyperion System 9 BI+ user might be provisioned with the Cube Navigator and Explorer roles for one application, and a Hyperion System 9 Financial Management user might be provisioned with the roles of Generate Recurring and Manage Templates. A native Shared Services group can contain users and groups from the native Shared Services directory as well as users and groups from corporate directories. A group can contain a combination of native and external users and groups. When a group contains other groups, the roles assigned to the parent group are inherited by the child groups.
Roles:
Roles determine the tasks that users can perform within an application or globally within User Management Console. You can grant users a role directly, through membership in a group, or by granting a role that contains another role. Some users may need a combination of roles to perform a comprehensive set of administrative tasks.