4 Understand Your Access Permissions in Essbase
How you work with Essbase depends on your user role and application-level permissions.
In Essbase, there are three user roles:
The majority of Essbase users have User role. Power User and Service Administrator roles are reserved for those who require permission to author and maintain applications. Users with User role are granted application-level permissions that distinguish their access to data and permissions in each application.
Access to Essbase is restricted by user and group security. User and group accounts are managed in an identity domain when Essbase is deployed on OCI via Marketplace. When Essbase is deployed independently, user and group accounts can be managed either in EPM Shared Services, or WebLogic Embedded LDAP authentication (with or without federation to an external identity provider).
See Manage Essbase User Roles and Application Permissions for independent deployments, or Manage Users and Roles for deployments on OCI via Marketplace.
| Security Provider | Add, remove, and manage users and groups | Provision and deprovision roles |
|---|---|---|
| EPM Shared Services security mode | In the Shared Services Console | In the Shared Services Console |
| External security configured in WebLogic | In the external provider | In the Essbase web interface or REST API |
| WebLogic Embedded LDAP | In the Essbase web interface or REST API | In the Essbase web interface or REST API |
Note:
WebLogic Embedded LDAP is not recommended for production environments.EPM Shared Services security mode
The following Essbase web interface items are disabled in EPM Shared Services security mode:
- The Security page (there is no Security option in the Essbase web interface)
Essbase users and groups are stored directly in EPM Shared Services and are not added or managed in the Essbase web interface.
- The Permissions tab
- In the Redwood Interface, the Permissions tab is in the application, under Customization.
- In the Classic Web Interface, the Permissions tab is in the application inspector.
- The Reset Password option on the Admin menu
External security configured in WebLogic
If you are using an external security provider configured in WebLogic, Essbase users and groups are stored directly in the external provider and are not added or managed in the Essbase web interface. However, you provision and deprovision roles in the Essbase web interface or through the REST API.
The following Essbase web interface items are enabled when using external security configured in WebLogic:
- The Security page (there is a Security option in the Essbase web interface)
- The Roles tab (users must have been added in order to be assigned roles)
- In the Redwood Interface, the Roles tab is in the application, under Customization, and then Permissions.
- In the Classic Web Interface, Roles are located on the Security page (the Users and Groups tab is disabled).
- The Permissions tab
- In the Redwood Interface, the Permissions tab is in the application, under Customization.
- In the Classic Web Interface the Permissions tab is in the application inspector.
- The Reset Password option on the Admin menu
Note:
If you need to clean up inactive users/groups from Essbase after they have been removed or renamed on the external provider, use the MaxL Drop User and Drop Group statements.WebLogic Embedded LDAP (an internal LDAP that is part of WebLogic, and is not recommended for production use):
Use the Security page (the Security option on the Applications page) in the Essbase web interface or use the REST API to manage users and groups and to provision and deprovision roles.